Leadership Brief

1 Executive Summary

All software contains vulnerabilities that can be exploited by adversaries to attack the IT systems and data that organizations depend upon. It is essential that organizations have a vulnerability management process as part of their overall IT risk management to identify and control these.

A software vulnerability may result from a coding error or from other factors that an attacker can exploit to make the software behave in unexpected and unwanted ways. Examples include a failure to check user input that allows a malicious actor to extract data (SQL injection) and weaknesses that allow remote execution of commands on the affected systems (as in the recent Log4Shell exploit).

Since late 2020, software supply chain attacks have risen to the top of the agenda in cybersecurity. Two major incidents, affecting software vendors SolarWinds and Kaseya, resulted in their customers receiving malicious software. By tampering with COTS (commercial off-the-shelf) software, attackers managed to multiply their attacks and gain access to thousands of other organizations.

This leadership brief describes the vulnerability management process that an organization should implement to:

  • Prevent the introduction of vulnerabilities.
  • Identify existing vulnerabilities and monitor the discovery of new ones.
  • Assess the impact of these on the business systems.
  • Implement the appropriate response in a timely manner.