🔍 Vulnerability Management

1EPSS OVER CVSS ALONE — less than 5% of CVEs are ever exploited in the wild. Use EPSS (Exploit Prediction Scoring System) to identify which CVEs have high exploitation probability in the next 30 days. A CVSS 9.8 with EPSS 0.05% is lower priority than a CVSS 6.5 with EPSS 82%.

2CISA KEV WATCHLIST — treat every entry in CISA's Known Exploited Vulnerabilities catalog as Priority Zero with mandatory SLA regardless of CVSS score.

3EASM-FIRST — internet-facing assets carry 10x the risk of internal systems. Prioritize all CVEs on externally exposed assets before internal-only ones.

4COMPENSATING CONTROLS & RISK ACCEPTANCE — formally risk-accept low-EPSS, internal-only findings with documented owner and review date, and apply WAF rules or segmentation as compensating controls for medium CVEs on isolated systems. This approach reduces 40,000 CVEs to the ~200 that genuinely matter for your environment.

1CVSS base score for technical severity,

2EPSS for exploit probability,

3Asset criticality and business context,

4Exploit availability (Metasploit modules, PoC code, active exploitation),

5Exposure (internet-facing vs. internal),

6Compensating controls. A CVSS 7.0 vulnerability on an internet-facing payment server with a known exploit ranks higher than a CVSS 9.8 on an isolated test server.

1Mean Time to Remediate (MTTR) by severity,

2Vulnerability density per asset,

3Scan coverage percentage,

4SLA compliance rates for patching,

5Recurrence rate (vulnerabilities re-introduced),

6Risk reduction over time,

7Number of critical/high vulnerabilities open beyond SLA. Track trends monthly and report to leadership.

• Python is the go-to language for security scripting because of its rich library ecosystem
• Common use cases — writing API integrations to pull scan results from Veracode, Qualys, or Nessus and push them into Jira or ServiceNow automatically
• Building custom parsers to normalize vulnerability data from multiple scanners into a unified format (CSV, JSON, or database)
• Automating compliance evidence collection — scripting checks for CIS Benchmarks, SOC 2 controls, or PCI-DSS requirements and generating audit-ready reports
• Key libraries — requests (API calls), pandas (data analysis and reporting), paramiko (SSH automation), boto3 (AWS security audits), python-nmap (network scanning), BeautifulSoup (web scraping for OSINT)

• Java is used for building enterprise security tools, custom SAST rules, and integrations with Java-based platforms
• Common use cases — writing custom Veracode API wrappers to orchestrate policy scans across hundreds of applications in CI/CD
• Building custom static analysis rules using SpotBugs or Error Prone to detect organization-specific anti-patterns
• Creating security middleware and filters in Spring Boot applications — custom authentication filters, request validation, and audit logging
• Developing custom Burp Suite extensions in Java for automated testing of application-specific vulnerabilities

• Automate the full vulnerability lifecycle — scan scheduling, result ingestion, deduplication, severity enrichment (adding business context to CVSS scores), SLA tracking, and escalation notifications
• Build dashboards that aggregate data from SAST, SCA, DAST, and infrastructure scanners into a single pane of glass
• Script auto-ticketing — when a Critical finding is detected, automatically create a Jira ticket with CWE ID, affected component, remediation guidance, and assign to the right team
• Track metrics programmatically — MTTR, vulnerability density per application, recurrence rates, SLA compliance percentages

• Script compliance checks — verify encryption settings, access controls, logging configurations, and patch levels against policy baselines
• Generate automated compliance reports for auditors — map vulnerabilities to specific control frameworks (NIST 800-53, ISO 27001, PCI-DSS, HIPAA)
• Build drift detection scripts that alert when configurations deviate from approved baselines
• Automate evidence collection for SOC 2 Type II audits — pull access reviews, change management logs, and security scan results into structured reports

• Python script to query Veracode REST API, pull all High/Critical findings across the portfolio, calculate MTTR per team, and email a weekly executive summary
• Java utility to scan all Spring Boot applications for missing security annotations
• Python automation to check AWS S3 bucket policies, IAM configurations, and CloudTrail logging against CIS AWS Benchmark and flag non-compliant resources

1CWE (Common Weakness Enumeration) — maintained by MITRE, it's a catalog of software weakness TYPES. Think of it as the category. CWE-79 is XSS, CWE-89 is SQL Injection, CWE-787 is Out-of-bounds Write. It answers: what KIND of mistake was made?

2CVE (Common Vulnerabilities & Exposures) — maintained by MITRE/NVD, it's a unique ID for a SPECIFIC discovered vulnerability in a specific product. CVE-2021-44228 is Log4Shell. It answers: which EXACT bug in which software?

3CVSS (Common Vulnerability Scoring System) — maintained by FIRST.org, it scores CVEs on a 0-10 scale with three metric groups: Base (attack vector, complexity, impact), Temporal (exploit maturity, remediation level), and Environmental (your specific context). It answers: how BAD is this specific bug?

4CWSS (Common Weakness Scoring System) — maintained by MITRE, it scores CWE weakness TYPES on a 0-100 scale considering technical impact, attack surface, and environmental factors. It answers: how risky is this TYPE of weakness overall? THE RELATIONSHIP: A CWE (weakness type like SQL Injection) can lead to MANY CVEs (specific SQL injection bugs in specific products). Each CVE gets a CVSS score (0-10 severity). Each CWE gets a CWSS score (0-100 risk). CWE + CWSS help you prioritize fixing CLASSES of bugs through secure coding standards. CVE + CVSS help you prioritize patching SPECIFIC bugs in your environment. Real-world example: Developers find a SQLi bug in your app → it maps to CWE-89 → it gets assigned CVE-2024-XXXXX → NVD rates it CVSS 9.8 Critical → you prioritize immediate remediation based on CVSS + EPSS + business context.