homepage
Open menu
Contact Sales
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Free Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • In-Person Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Live Online Events List
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Free Training & Resources
    • Cyber Ranges
  • Enterprise Solutions
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Group Purchasing
    • Build Your Team
      • Assessments
      • Private Training
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
      • Leadership Courses
      • Executive Cybersecurity Exercises
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
      • Webinars
      • Live Streams
        • Wait Just An Infosec
        • Cybersecurity Leadership
        • SANS Threat Analysis Rundown (STAR)
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
        • Blueprint
        • Trust Me, I'm Certified
        • Cloud Ace
        • Wait Just an Infosec
      • Summit Presentations
      • Posters & Cheat Sheets
    • Internet Storm Center
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
      • Open-Source Intelligence (OSINT)
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • Australia
    • Brazil
    • France
    • India
    • Japan
    • Middle East & Africa
    • United Kingdom
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Vulnerability Management Resources
MGT_Triad_370x370_Headshot.jpg
SANS Cybersecurity Leadership

Vulnerability Management Resources

Stay current with free resources focused on vulnerability management.

May 2, 2022

Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable.

POSTER

Key Metrics: Cloud & Enterprise | Vulnerability Management Maturity Model

This new poster was developed by Jonathan Risto and AJ Yawn.

Key Metrics: Cloud and Enterprise delivers a set of essential metrics to generate, provide, and review with the Technical, Operational, and Executive partners of the organization. Providing both early-stage and advanced metrics, organizations can generate meaningful metrics across the Identify, Protect, Detect and Respond functions of their security programs.

The SANS Vulnerability Management Maturity Model helps you gauge the effectiveness of your Vulnerability Management program. The model details key activities performed within Vulnerability Management on a 5-point scale. Leveraging the model, you can categorize your program’s current capabilities to create a clear roadmap to improve your program.

Download your FREE copy here.

NEWS

  • Firms Push for CVE-Like Cloud Bug System
  • Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers
  • Researcher Releases PoC for Recent Java Cryptographic Vulnerability
  • 2021 Top Routinely Exploited Vulnerabilities - A joint security bulletin coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom lists the top 15 exploited vulnerabilities in 2021
  • Cisco Vulnerability CVE-2022-20695
  • VMWARE Remote Code Execution (RCE) vulnerability
  • ‘Groundbreaking’ CISA directive to overhaul cyber vulnerability management process
  • Can understanding flaws in malware help defenders prevent attacks?

WEBCASTS

Understand Vulnerability Management Maturity with a Self-Assessment Tool, May 2023






  • Securing Cloud Data: The Hidden Vulnerabilities of SaaS Platforms, July 2021
  • REKT Casino Hack Assessment Operational Series – Vulnerability Management Gone Wrong, March 2021
  • Reimagining Vulnerability Management in the Cloud, Aug 2020
  • Enterprise and Cloud | Threat & Vulnerability Assessment, June 2020
  • Domain Password Auditing with the Cloud, April 2020
  • Passwords are a Solvable Problem!, Feb 2020
  • How to Communicate about Security Vulnerabilities Jan 2020

SURVEYS

  • SANS 2022 Vulnerability Management Survey: Detecting and Combatting Cloud Environment & Supply Chain Vulnerabilities, Oct 2022
  • A SANS 2021 Survey: Vulnerability Management - Impacts on Cloud and the Remote Workforce, Nov 2021
  • A SANS 2021 Survey: Vulnerability Management - Impacts on Cloud and the Remote Workforce Panel Discussion, Nov 2021
  • SANS 2020 Vulnerability Management Survey, Nov 2020
  • SANS 2020 Vulnerability Management Survey: A Panel Discussion, Nov 2020Workforce Transformation & Risk: A SANS Survey, Dec 2019

LIVE STREAMS


Download notes from this live stream here.



BLOGS

  • Vulnerability Management Maturity Model - Self Assessment Tool (VMMM-SAT), May 2023
  • 5 Metrics to Start Measuring in Your Vulnerability Management Program
  • Vulnerability Management Maturity Model, Part I
  • Vulnerability Management Maturity Model, Part II
  • The Cyber Capability Development Centre (CCDC) Concept, May 2019

ADDITIONAL RESOURCES

CISA Know Exploited Vulnerabilities - CISA publishes a list of known exploited vulnerabilities that the federal government must remediate. If it is on this list you should ensure your organization has mitigated it

2021 Top Routinely Exploited Vulnerabilities - A joint security bulletin coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom lists the top 15 exploited vulnerabilities in 2021

Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01

SANS Vulnerability Management Courses

MGT516: Building and Leading Vulnerability Management Programs

Vulnerability, patch, and configuration management are not new enterprise security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage security vulnerability capabilities effectively. The quantity of outstanding vulnerabilities for most enterprise organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new security vulnerabilities in their infrastructure and applications. When you add in the cloud, and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, enterprise security may seem unachievable. This vulnerability management training course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 21 Cyber42 and 15 lab exercises

SEC460: Enterprise & Cloud: Threat Vulnerability Assessment

SEC460 will help you build your technical vulnerability assessment skills and techniques using time-tested, practical approaches to ensure true value across the enterprise. Throughout the course you will use real industry-standard security tools for vulnerability assessment,
management, and mitigation; learn a holistic vulnerability assessment methodology while focusing on challenges faced in a large enterprise; and practice on a full-scale enterprise range chock-full of target machines representative of an enterprise environment, leveraging
production-ready tools and a proven testing methodology. SEC460 takes you beyond the checklist and gives you a tour of attackers' perspectives that is crucial to discovering where they will strike.
Comparison of MGT516 vs SEC460
MGT516 - STRATEGY
SEC460 - SCABILITY

POSITIONING

Prepares you to strategically build and mature a vulnerability management program that is inline with overall business objectives, risks, and culture.

Teaches threat and vulnerability management assessment from the attackers' perspective.

WHO

Security Managers

Security Architects

CISOs

Team Leads

Operations Directors and Managers

Auditors

Vulnerability Assessors

Security Analysts

Sys Admins

Red Teamers

Pen Testers

WHAT

How we solve for a vulnerability management life-cycle, holistically from identification through remediation while considering the overall business strategy by utilizing the PIACT model (Prepare, Identify, Analyze, Communicate, Treat)

Understanding the environment & the threat landscape to identify vulnerabilities & determine the optimal, scalable solutions for the enterprise.

WHY

Overarching strategy to implement or improve vulnerability management while considering limited resources of time, money, and personnel.

Focuses on preparing security personnel to effectively & efficiently secure systems for mid-sized to large organizations.

SPECIFIC TASKS / SKILL SETS

Create, implement & mature Vulnerability Management program

Establish secure & defensible enterprise & cloud environment

Build accurate and useful inventory of IT assets

Identify existing vulnerabilities and how to meaningfully use this info

Make data more actionable

Prioritize vulnerabilities

Effectively report & communicate vulnerability data within the organization up to C-level

Understand treatment capabilities & better engage with treatment teams

Make Vulnerability Management more engaging

Learn how to conduct vulnerability assessments

Develop vulnerability discovery, management, and remediation plans

Threat intelligence gathering

Vulnerability assessment tool configuration and management

Conduct infrastructure vulnerability enumeration at scale across numerous network segments

Manage large vulnerability datasets and perform risk calculation

OSINT gathering

Active and Passive Reconnaissance

Web application scanning





Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • LDR516: Building and Leading Vulnerability Management Programs
  • MGT516: Building and Leading Vulnerability Management Programs
  • SEC580: Metasploit for Enterprise Penetration Testing

Tags:
  • Penetration Testing and Red Teaming
  • Security Management, Legal, and Audit

Related Content

Blog
csl-340x340-logo.jpg
Security Management, Legal, and Audit
May 22, 2023
What is Common Vulnerability Scoring System (CVSS)
CVSS stands for the Common Vulnerability Scoring System
Jonathan_Risto_370x370.png
Jonathan Risto
read more
Blog
SANS_-_Blog_-_The_Vulnerability_Assessment_Framework_-_340x340_Thumb.jpg
Penetration Testing and Red Teaming
May 5, 2023
The Vulnerability Assessment Framework: Stop Inefficient Patching Now and Transform Your Vulnerability Management
Vulnerabilities don’t matter! Patching is terrible! Prove me wrong!
370x370_Matthew-Toussain.jpg
Matthew Toussain
read more
Blog
CurriculumTile_340_x_340.png
Security Management, Legal, and Audit
May 4, 2023
Vulnerability Management Maturity Model – Self-Assessment Tool (VMMM-SAT)
A way to help determine your vulnerability management maturity level.
Jonathan_Risto_370x370.png
Jonathan Risto
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Terms and Conditions
  • Do Not Sell/Share My Personal Information
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn