What qualifies a risk as acceptable, and who gets to decide? By when must a confirmed vulnerability be fixed? Perhaps most distressingly, how do we know a vulnerability has actually been remediated rather than merely marked as such? Vulnerability management looks different from business to business, but a few things are common musts:
- A workflow framework that security & dev agree on
- Real-time notifications when a critical finding lands, not a weekly report
- Active remediation monitoring: tracking fixes against their deadlines and verifying (e.g. by rescan) that a "fixed" ticket really closed the finding
- Visibility throughout ticket lifecycles "from soup to nuts"
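The four requirements above map cleanly onto a small piece of tracking logic, shown here as an added example that is not part of the original post. It assumes severity-based SLA day counts, a four-state ticket lifecycle, and scanner-style finding IDs; all of those are illustrative choices, not anything the post prescribes. The point it demonstrates is the one the opening question raises: a developer marking a ticket fixed is a claim, and only a rescan that no longer reports the finding moves it to verified.

```python
"""Minimal vulnerability-ticket tracker.

Added example (not from the original post). SLA_DAYS, the state names and the
finding-ID format are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed remediation SLAs in days from ticket open; every org sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed lifecycle: open -> fixed (dev claim) -> verified (rescan evidence),
# with reopened for fixes that did not hold.
OPEN, FIXED, VERIFIED, REOPENED = "open", "fixed", "verified", "reopened"


@dataclass
class Ticket:
    finding_id: str              # e.g. "<scanner plugin>@<asset>" (assumed format)
    severity: str
    opened: date
    state: str = OPEN
    history: list = field(default_factory=list)   # full lifecycle, "soup to nuts"

    @property
    def due(self) -> date:
        """Remediation deadline derived from severity and open date."""
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def transition(self, new_state: str, on: date, note: str = "") -> None:
        """Record every state change so the ticket's lifecycle stays auditable."""
        self.history.append((on, self.state, new_state, note))
        self.state = new_state


def overdue(tickets, today: date):
    """Tickets past SLA that have not been *verified* fixed. A FIXED ticket still
    counts as overdue until a rescan confirms it."""
    return [t for t in tickets if t.state != VERIFIED and today > t.due]


def critical_alerts(tickets):
    """IDs that should page someone now: unresolved criticals."""
    return [t.finding_id for t in tickets
            if t.severity == "critical" and t.state in (OPEN, REOPENED)]


def reconcile_rescan(tickets, rescan: dict, on: date):
    """Fold a rescan (finding_id -> severity) into the ticket set.

    FIXED and absent from the rescan      -> VERIFIED (evidence, not a claim)
    FIXED/VERIFIED but still reported     -> REOPENED (fix did not hold / regressed)
    OPEN and absent from the rescan       -> left OPEN (could be a coverage gap or
                                             a decommissioned asset; never auto-close)
    reported but unknown                  -> new OPEN ticket
    """
    known = {t.finding_id for t in tickets}
    for t in tickets:
        if t.finding_id in rescan:
            if t.state in (FIXED, VERIFIED):
                t.transition(REOPENED, on, "rescan still reports finding")
        elif t.state == FIXED:
            t.transition(VERIFIED, on, "rescan no longer reports finding")
    for fid, sev in rescan.items():
        if fid not in known:
            tickets.append(Ticket(fid, sev, opened=on))
    return tickets


if __name__ == "__main__":
    # Constructed sample data, not real scan output.
    web = Ticket("plugin-101@web-01", "critical", date(2024, 1, 1))
    web.transition(FIXED, date(2024, 1, 5), "patched by app team")
    db = Ticket("plugin-202@db-01", "high", date(2024, 1, 1))
    tickets = reconcile_rescan([web, db],
                               {"plugin-202@db-01": "high", "plugin-303@app-02": "medium"},
                               date(2024, 1, 10))
    for t in tickets:
        print(t.finding_id, t.state, "due", t.due)
    print("overdue on 2024-02-15:", [t.finding_id for t in overdue(tickets, date(2024, 2, 15))])
    print("critical alerts:", critical_alerts(tickets))
```

In practice the rescan input comes from whatever scanner or SCA tool the team runs, and the notification and ticket-store plumbing is whatever the security and dev teams agreed on; the part worth keeping is that the state machine never reaches `verified` on a human's say-so alone.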