Overview
Vulnerability Management is the process of identifying, assessing, prioritizing, and remediating security vulnerabilities in systems and applications. It supports SOC 2 CC7.1 by ensuring potential threats are detected and addressed in a timely and consistent manner.
Step-by-Step Process
Define vulnerability scope
The Security Lead defines the in-scope systems, applications, repositories, and environments for vulnerability scanning. This includes production infrastructure, cloud assets, and code repositories. The output is a documented scope list approved by security.
Role: Security Lead
Run automated vulnerability scans
The Security Lead or Security Analyst runs monthly vulnerability scans using approved tools. Scans must cover all in-scope assets and complete successfully. The output is a dated scan report generated by the tool.
Role: Security Analyst
Aggregate and review findings
The Security Lead reviews scan results to identify valid vulnerabilities and remove false positives. Vulnerabilities are categorized by severity using CVSS or tool-provided ratings. The output is a reviewed vulnerability list.
Role: Security Lead
Prioritize vulnerabilities
The Security Lead prioritizes vulnerabilities based on severity, exploitability, and asset criticality. High and critical vulnerabilities are flagged for immediate remediation. The output is a prioritized remediation backlog.
Role: Security Lead
Assign remediation tasks
The Security Lead assigns remediation tasks to engineering or IT owners through a ticketing system. Each ticket includes severity, remediation guidance, and due date. The output is assigned and tracked remediation tickets.
Role: Security Lead
Remediate vulnerabilities
Engineering or IT teams apply patches, update dependencies, or implement compensating controls. Remediation actions are documented in the ticket. The output is updated systems or code with vulnerabilities addressed.
Role: Engineering Manager
Verify remediation
The Security Analyst re-runs scans or validates fixes to confirm vulnerabilities are resolved. Evidence of successful remediation is captured. The output is a verification scan or validation record.
Role: Security Analyst
Report and retain evidence
The Security Lead prepares a monthly vulnerability management summary and stores all evidence in the compliance repository. Records are retained according to policy. The output is a dated report and stored artifacts.
Role: Security Lead
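The prioritization rule from "Prioritize vulnerabilities" and the re-scan check from "Verify remediation", carried through in Python over a constructed scan export, as an added example that is not code from the page or from any of the tools it names; the CSV column names, finding IDs, SLA day counts and criticality weights are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; finding IDs are placeholders, not real CVEs.
BASELINE_CSV = """asset,finding_id,cvss,exploit_available,asset_criticality
web-01,FINDING-1,9.8,yes,high
db-01,FINDING-2,7.5,no,high
build-runner,FINDING-3,5.3,yes,low
"""
# Constructed verification scan: FINDING-1 fixed, FINDING-2 still present.
VERIFICATION_CSV = """asset,finding_id,cvss,exploit_available,asset_criticality
db-01,FINDING-2,7.5,no,high
"""
# Assumed remediation SLA (days from assignment) and asset weights.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

def parse_findings(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def severity(cvss):
    """CVSS v3 bands: 9.0+ critical, 7.0+ high, 4.0+ medium, else low."""
    score = float(cvss)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def prioritize(findings):
    """Rank by severity, then exploit availability, then asset criticality;
    high and critical findings are flagged for immediate remediation."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    for f in findings:
        f["severity"] = severity(f["cvss"])
        f["immediate"] = f["severity"] in ("critical", "high")
    return sorted(findings, key=lambda f: (
        order[f["severity"]],
        0 if f["exploit_available"] == "yes" else 1,
        -CRITICALITY_WEIGHT[f["asset_criticality"]]))

def due_date(finding, assigned_iso):
    """Ticket due date: assignment date plus the SLA for the severity."""
    assigned = date.fromisoformat(assigned_iso)
    return (assigned + timedelta(days=SLA_DAYS[finding["severity"]])).isoformat()

def still_open(baseline, verification):
    """Baseline findings the verification scan still reports (not resolved)."""
    seen = {(f["asset"], f["finding_id"]) for f in verification}
    return [f for f in baseline if (f["asset"], f["finding_id"]) in seen]
```

The output of `prioritize` is the remediation backlog in ticket order, and `still_open` is the list a verification record should show as empty before a ticket is closed.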
What You Need Before Starting
- Approved vulnerability management policy
- Access to vulnerability scanning tools (Qualys, Snyk, Dependabot)
- Inventory of in-scope systems and repositories
- Access to ticketing system (e.g., Jira, ServiceNow)
Evidence Your Auditor Expects
- Monthly vulnerability scan report with timestamp (e.g., Qualys scan dated 2026-02-28)
- Exported vulnerability list showing severity and status
- Remediation tickets with assignment and closure dates
- Verification scan or screenshot confirming vulnerability resolution
- Monthly vulnerability management summary report signed by Security Lead
How This Looks In Your Tools
Qualys
Log in to Qualys and navigate to Vulnerability Management > Scans > New Scan. Select the predefined asset group for in-scope systems, choose an authenticated scan profile, and launch the scan.
After completion, go to Vulnerability Management > Scans > Scan Results and export the report as PDF or CSV with the scan date visible. Use Vulnerability Management > Findings to filter by severity (High/Critical) and assign remediation tickets based on findings.
Snyk
Log in to Snyk and navigate to Projects. Verify all production repositories are imported and monitored. From the Projects view, select each project and review the Vulnerabilities tab.
Use the Filters menu to sort by severity and exploit maturity. Export vulnerability reports using the Export button, and create remediation tasks directly in the integrated ticketing system or by referencing fix guidance provided by Snyk.
Dependabot
In GitHub, navigate to the repository and go to Settings > Security & analysis. Ensure Dependabot alerts and security updates are enabled. Review alerts under the Security > Dependabot alerts tab.
For each alert, review the affected dependency, severity, and suggested fix. Merge approved Dependabot pull requests or document accepted risk with justification. Capture screenshots of alert status and merged PRs as evidence.
Common Audit Findings
- Scans not performed on a consistent schedule
- This occurs when scan execution is manual and not tracked. Prevent it by scheduling monthly scans and maintaining a scan calendar with documented completion dates.
- High-severity vulnerabilities not remediated in a timely manner
- Delays often result from unclear ownership or prioritization. Assign remediation tickets with due dates and track SLA compliance.
- Lack of remediation verification
- Auditors often see fixes claimed but not validated. Always perform and retain re-scan evidence after remediation.
- Incomplete asset coverage
- Missing systems or repositories lead to gaps in scanning. Maintain an up-to-date asset inventory and review scope quarterly.