Vulnerability Management Process

Overview

Vulnerability management is a continuous process for identifying, prioritizing, and remediating vulnerabilities. Alauda Security Service supports this process by combining scan results, contextual risk data, exception handling, and reporting workflows.

Key Steps in Vulnerability Management

A successful vulnerability management program typically includes the following key tasks:

  • Asset assessment
  • Vulnerability prioritization
  • Exposure assessment
  • Taking action
  • Continuous reassessment

Alauda Security Service enables organizations to continuously assess Kubernetes environments and provides the contextual information needed to prioritize and address vulnerabilities more effectively.

In the current UI, the main vulnerability workflows are organized under:

  • Vulnerability Management > Results
  • Vulnerability Management > Exception Management
  • Vulnerability Management > Vulnerability Reporting

Asset Assessment

To assess your organization's assets, follow these steps:

  • Identify assets in your environment
  • Scan these assets to detect known vulnerabilities
  • Report vulnerabilities to relevant stakeholders

When you install Alauda Security Service on a cluster, it aggregates the assets running inside that cluster to help you identify them. This gives teams the context required to prioritize and remediate vulnerabilities more efficiently.

Key Assets to Monitor

Key assets to monitor in your vulnerability management process using Alauda Security Service include:

  • Components: Software packages used as part of an image or running on a node. Components are the lowest level where vulnerabilities exist. Organizations must upgrade, modify, or remove software components to remediate vulnerabilities.
  • Images: Collections of software components and code that create an environment to run executable code. Images are where you upgrade components to fix vulnerabilities.
  • Nodes: Servers used to manage and run applications using Alauda Container Platform or Kubernetes, including the components that make up the platform or service.

Alauda Security Service organizes these assets into the following structures:

  • Deployment: A definition of an application in Kubernetes that may run pods with containers based on one or more images.
  • Namespace: A grouping of resources, such as Deployments, that support and isolate an application.
  • Cluster: A group of nodes used to run applications using Alauda Container Platform or Kubernetes.

Vulnerability Scanning and Assessment

Alauda Security Service scans assets for known vulnerabilities and uses Common Vulnerabilities and Exposures (CVE) data to assess their impact.

For day-to-day triage, start with Results and choose the view that matches the asset type you are reviewing:

  • User Workloads
  • Platform
  • Nodes
  • More Views

Prioritizing Vulnerabilities

To prioritize vulnerabilities for action and investigation, consider the following questions:

  • How important is the affected asset to your organization?
  • How severe must a vulnerability be to warrant investigation?
  • Can the vulnerability be fixed by patching the affected software component?
  • Does the vulnerability violate any of your organization's security policies?

The answers to these questions help security and development teams determine the exposure and necessary response to a vulnerability.

Alauda Security Service provides the data needed to prioritize vulnerabilities in your applications and components. For example, when reviewing vulnerability findings by CVE, consider the following signals:

  • CVE severity: The CVE's severity rating (e.g., low, moderate, important, or critical), together with the number of images affected by the CVE.
  • Top CVSS: The highest Common Vulnerability Scoring System (CVSS) score, from vendor sources, for this CVE across images.
  • Top NVD CVSS: The highest CVSS score from the National Vulnerability Database for this CVE across images. Scanner V4 must be enabled to view this data.
  • EPSS probability: The likelihood that the vulnerability will be exploited, according to the Exploit Prediction Scoring System (EPSS), expressed as the estimated probability that exploitation will be observed in the next 30 days. Use EPSS alongside other information, such as the age of the CVE, when prioritizing vulnerabilities.
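The following is an added illustration of how the signals above (severity, Top CVSS, Top NVD CVSS, EPSS, image count and CVE age) can be combined into a triage order. It is example code written for this page, not Alauda Security Service's own ranking; the weights, the severity ranks and the sample findings (placeholder CVE ids) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Severity ratings as named on the page; the numeric ranks are an assumption.
SEVERITY_RANK = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

@dataclass
class Finding:
    cve: str
    severity: str
    top_cvss: float                # highest vendor CVSS across images
    top_nvd_cvss: Optional[float]  # None when NVD data is unavailable (Scanner V4 off)
    epss: float                    # EPSS probability of exploitation in 30 days, 0..1
    images_affected: int
    age_days: int                  # days since the CVE was published
    fix_available: bool

def effective_cvss(f: Finding) -> float:
    """Take the higher of vendor and NVD CVSS; NVD may be absent."""
    return max(f.top_cvss, f.top_nvd_cvss or 0.0)

def priority_score(f: Finding) -> float:
    """Illustrative heuristic (assumed weights, not the product's own ranking):
    combine severity, CVSS, EPSS, blast radius and CVE age into a 0..1 score."""
    sev = SEVERITY_RANK.get(f.severity.lower(), 0) / 4.0
    cvss = effective_cvss(f) / 10.0
    reach = min(f.images_affected, 20) / 20.0
    # EPSS alongside age: an older CVE that still carries a high EPSS has had
    # time for public exploit code to mature, so age amplifies the EPSS term.
    age = min(f.age_days, 365) / 365.0
    exploit = f.epss * (0.7 + 0.3 * age)
    score = 0.30 * sev + 0.25 * cvss + 0.30 * exploit + 0.15 * reach
    # A finding with an available fix is actionable now; nudge it ahead of ties.
    if f.fix_available:
        score += 0.02
    return round(min(score, 1.0), 4)

def prioritize(findings):
    """Return findings ordered from highest to lowest priority."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample findings with placeholder CVE ids (not real CVEs).
SAMPLE = [
    Finding("CVE-XXXX-0001", "critical", 9.8, 9.8, 0.02, 3, 10, True),
    Finding("CVE-XXXX-0002", "important", 7.5, None, 0.91, 12, 400, True),
    Finding("CVE-XXXX-0003", "moderate", 5.3, 6.1, 0.01, 1, 30, False),
    Finding("CVE-XXXX-0004", "low", 3.1, 3.1, 0.00, 20, 900, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve} {f.severity:<9} score={priority_score(f):.3f}")
```

Note that the "important" CVE with a high EPSS ranks above the freshly published "critical" one, which is the point the EPSS guidance above makes: severity alone does not capture exploitation likelihood.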

Exposure Assessment

To assess your exposure to a vulnerability, ask:

  • Is your application impacted by the vulnerability?
  • Is the vulnerability mitigated by other factors?
  • Are there known threats that could lead to exploitation?
  • Are you using the vulnerable software package?
  • Is it worthwhile to spend time addressing this specific vulnerability and package?

Taking Action

Based on your assessment, you may take the following actions:

  • Mark the vulnerability as a false positive if there is no exposure or it does not apply in your environment.
  • Decide whether to remediate, mitigate, or accept the risk if you are exposed.
  • Remove or change the software package to reduce your attack surface.

Once you decide to act on a vulnerability, you can:

  • Remediate the vulnerability
  • Mitigate and accept the risk
  • Accept the risk
  • Mark the vulnerability as a false positive

In the current workflow, deferred and false-positive handling is managed through Exception Management, while scheduled or downloadable outputs are handled through Vulnerability Reporting.

Remediation Methods

To remediate vulnerabilities, you can:

  • Remove a software package
  • Update a software package to a non-vulnerable version

Continuous Reassessment

Vulnerability management is not a one-time review. As images change, new definitions are published, and risk posture evolves, revisit:

  • Results for newly observed findings
  • Exception Management for deferred or false-positive requests
  • Vulnerability Reporting for recurring stakeholder-facing outputs