concept#Security#Architecture#Governance#Software Engineering

Vulnerability

A vulnerability is an exploitable security weakness in systems, applications, or processes. It describes cause, attack vector and potential impact, and forms the basis for identification, prioritization and remediation.

A vulnerability is a weakness in systems, processes, or components that can be exploited by threat actors.

Maturity

Established

Cognitive loadMedium

Classification

ComplexityMedium
Impact areaTechnical
Decision typeArchitectural
Organizational maturityIntermediate

Technical context

Integrations

Vulnerability scanners (e.g. Nessus, OpenVAS)Ticketing and issue-tracking systemsCI/CD pipelines for automated testing and deployments

Principles & goals

Principles

Vulnerabilities must be systematically identified, assessed and prioritized by risk.Transparency about assets, dependencies and exposure is prerequisite for effective handling.Continuous review and monitoring reduce the window for exploitation.

Value stream stage

Run

Organizational level

Enterprise, Domain, Team

Use cases & scenarios

Use cases

Scenarios

Compromises

Risks

Undiscovered vulnerabilities enable privilege escalation or data exfiltration.
Misprioritization can cause wasted effort or ignore critical issues.
Patch deployments without testing can impact availability.

Best practices

Automated scans with regular frequency and alerting.
Context-based prioritization (impact + exploitability).
Integrate remediation into release and sprint plans.

I/O & resources

Inputs

Asset inventory, software dependencies, release plan
Vulnerability scan results, penetration tests
Threat model, threat intelligence

Outputs

Detected and prioritized vulnerability list
Remediation plan and responsibilities
Monitoring and detection rules

Resources

Description

A vulnerability is a weakness in systems, processes, or components that can be exploited by threat actors. It covers causes, attack vectors and potential impacts on confidentiality, integrity, or availability. The concept supports identification, assessment and prioritization of security gaps and appropriate mitigations.

✔Benefits

Early detection reduces attack surfaces and potential damage.
Prioritization optimizes resource allocation for remediation.
Systematic classification promotes repeatability and compliance.

✖Limitations

Not every vulnerability is immediately exploitable; contextual factors complicate assessment.
Growing dependency complexity may prevent complete inventorying.
Resource constraints may lead to delayed or incomplete remediation.

Trade-offs

Metrics

Mean Time to Remediate (MTTR)
Average time from discovery to verified remediation of a vulnerability.
Number of open vulnerabilities
Count of active, unremediated vulnerabilities segmented by severity.
Average CVSS score
Average severity of identified vulnerabilities according to CVSS.

Examples & implementations

Heartbleed (OpenSSL)

A memory-handling bug that exposed private keys and data, prompting global patching.

Log4Shell (Log4j)

A library vulnerability allowing remote code execution, triggering widespread incident response.

Unpatched third-party library

An outdated dependency not updated for a long time, providing an attack vector.

Implementation steps

Inventory all assets and dependencies.

Introduce regular automated scans and threat feeds.

Define risk criteria and prioritization rules.

Establish processes for validation, patching and rollout.

Continuous monitoring and lessons-learned sessions.

⚠️ Technical debt & bottlenecks

Technical debt

Legacy components without update paths increase long-term risk.
Lack of scanning automation hinders scalability.
Insufficient test infrastructure slows safe rollouts.

Known bottlenecks

Missing inventoryBottlenecked patch processLimited test environments

Misuse examples

Treating all vulnerabilities equally and not prioritizing.
Deploying patches to production immediately without staging tests.
Relying solely on external scanners and ignoring internal threats.

Typical traps

Focusing only on CVSS score without operational context.
Underestimating dependency chains and transitivity.
Failing to communicate risks and measures to stakeholders.

Required skills

Fundamentals of IT security and threat modellingExperience with scanning and forensic toolsFamiliarity with CVE/CWE and risk assessment methods

Architectural drivers

Confidentiality and integrity of sensitive dataAvailability of critical servicesDependency and supply-chain security

Constraints

• Operational and SLA constraints can limit patch windows.
• Regulatory requirements for disclosure and reporting.
• Technical legacy systems without update paths.