Vulnerability Management Lifecycle — DevSecOps Interactive Learning

The lifecycle

Loop continuously—each deploy and dependency change re-enters discovery. Tip: click a stage to highlight it.

Vulnerability databases

Source	Purpose
NVD	U.S. government repository of CVE analysis and CVSS
CVE List	Standard identifiers for publicly known vulnerabilities
GHSA	GitHub Security Advisories for open-source ecosystems

CVSS scoring (conceptual)

The Common Vulnerability Scoring System (CVSS) produces a 0–10 severity from metrics like attack vector, complexity, privileges required, user interaction, and impacts to confidentiality, integrity, and availability. v3.x uses Base, Temporal, and Environmental scores—teams often tune with environmental modifiers for their own exposure.

BaseIntrinsic severity of the flaw

TemporalExploit code maturity, report confidence

EnvironmentalAsset value, mitigations in your context

Note CVSS alone should not be the only prioritization input—combine with business impact and threat intelligence.

Secure coding techniques

Parameterized queries and ORM-safe patterns (stop injection at the source).
Output encoding contextual to HTML/JS/URL (XSS defense).
Server-side authorization on every object access (IDOR prevention).
Secrets only from vaults; short-lived credentials in CI/CD.
Least privilege IAM for workloads and pipelines.

Tools and automation

Category	Examples	Role in lifecycle
Aggregation	DefectDojo, Kenna, ASOC platforms	Deduplicate findings across scanners
Ticketing	Jira, Azure DevOps, GitHub Projects	SLAs, ownership, traceability to commits
Policy engines	OPA, cloud policy gates	Block deploy on critical unapproved risk
SBOM	CycloneDX, SPDX tools	Faster impact analysis when CVE drops

# Example: fail CI if critical CVEs in container scan (pseudo-policy)
# if critical_count > 0 and exception_id is null → exit 1