Understanding Vulnerability Scans and Management

A vulnerability that is detected but not exploitable

A vulnerability that is not detected by the scanner

A vulnerability that is incorrectly identified as present

A vulnerability that is correctly identified

Because it leads to unnecessary patching

Because it means a vulnerability is detected but not present

Because it increases the number of false alarms

Because it means a vulnerability is present but not detected

By their severity level

By the number of systems affected

By the type of system they affect

By the date they were discovered

To track the history of vulnerabilities

To categorize vulnerabilities by type

To list all known vulnerabilities

To provide a numerical score for vulnerabilities

cve.mitre.org

vuln.org

mvd.gov

nd.nist.gov

The cost of the scanner

The user interface

The speed of the scan

The database of known vulnerabilities

To increase scanning speed

To reduce false positives and negatives

To improve user experience

To lower the cost of scanning

The cost of patching a vulnerability

The number of systems affected by a vulnerability

The percentage of impact if a vulnerability is exploited

The likelihood of a vulnerability being exploited

The amount of risk an organization is willing to accept

The speed at which patches are applied

The cost of patching vulnerabilities

The number of patches applied at once

Due to limited network bandwidth

Due to hardware limitations

Because of varying risk levels and priorities

Because patches are not always available