3.3. Types of Vulnerabilities
First Principle: A vulnerability is a weakness that can be exploited by a threat. Vulnerabilities exist at every layer: application code, operating systems, hardware, cloud configurations, and even cryptographic implementations. The key insight is that vulnerabilities are conditions, not attacks. They exist whether or not anyone exploits them. Risk management is about finding and fixing them before attackers do.
What does an unmanaged vulnerability landscape look like? Equifax's 2017 breach exposed 147 million records because a known Apache Struts vulnerability went unpatched for two months. The vulnerability was published, the patch was available, and the attack was entirely preventable. Vulnerability management isn't glamorous, but it's the difference between reading about breaches in the news and being in one.
Unlike threats (which you can't control) and threat actors (who you can't eliminate), vulnerabilities are the one element of risk you can directly reduce. That's why vulnerability management is a core security discipline: it's the part of the risk equation most within your control.
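The "find it before attackers do" step above is, in practice, a matching problem: compare what you run against what is known to be affected, then measure how long the gap has been open. The following Python is an added example, not code from this page or any vendor tool. The advisory feed, asset inventory, component names, version ranges and advisory ids are all constructed for the demo (the ids are placeholders, not real CVE numbers), and the versions are assumed to be dotted integers.

```python
"""Affected-version matching and exposure-window calculation.

Added example: the advisories and inventory below are constructed, the
advisory ids are placeholders, and version strings are assumed to be
purely numeric dotted tuples (1.2.3). Real feeds need a richer parser.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so comparison is numeric, not lexical
    ('2.3.9' must sort below '2.3.31')."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder id (constructed), not a real CVE
    component: str
    introduced: str      # first affected version, inclusive
    fixed: str           # first fixed version, exclusive upper bound
    patch_published: date

    def affects(self, version: str) -> bool:
        """True when introduced <= version < fixed."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    host: str


# Constructed advisory feed (placeholder ids, invented ranges and dates).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001 (placeholder)", "webframework", "2.3.5", "2.3.32", date(2024, 1, 10)),
    Advisory("ADV-0002 (placeholder)", "webframework", "2.5.0", "2.5.10", date(2024, 1, 10)),
    Advisory("ADV-0003 (placeholder)", "tlslib", "1.0.1", "1.0.1.7", date(2024, 2, 1)),
]

# Constructed asset inventory (what the organisation actually runs).
INVENTORY: List[Component] = [
    Component("webframework", "2.3.31", "web-01"),   # inside ADV-0001 range
    Component("webframework", "2.3.32", "web-02"),   # exactly the fixed version
    Component("webframework", "2.5.10", "web-03"),   # exactly the fixed version
    Component("tlslib", "1.0.1.5", "vpn-01"),        # inside ADV-0003 range
    Component("tlslib", "1.1.0", "vpn-02"),          # newer branch, unaffected
]


def find_exposed(inventory: List[Component], advisories: List[Advisory]):
    """Return (host, component, version, advisory_id) for each component
    whose installed version falls inside an advisory's affected range."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv.component == comp.name and adv.affects(comp.version):
                findings.append((comp.host, comp.name, comp.version, adv.advisory_id))
    return findings


def exposure_days(patch_published: date, checked_on: date) -> int:
    """Days the fix has been available but not applied: the window an
    attacker can use a published, patchable weakness."""
    return (checked_on - patch_published).days


def overdue(patch_published: date, checked_on: date, sla_days: int = 30) -> bool:
    """True when the exposure window exceeds the remediation SLA (assumed 30 days)."""
    return exposure_days(patch_published, checked_on) > sla_days


if __name__ == "__main__":
    today = date(2024, 3, 10)  # constructed check date
    by_id = {a.advisory_id: a for a in ADVISORIES}
    for host, name, version, adv_id in find_exposed(INVENTORY, ADVISORIES):
        days = exposure_days(by_id[adv_id].patch_published, today)
        flag = "OVERDUE" if overdue(by_id[adv_id].patch_published, today) else "within SLA"
        print(f"{host}: {name} {version} affected by {adv_id}, patch available {days} days ({flag})")
```

The upper bound is exclusive on purpose: a host running exactly the fixed version is clean, which is the boundary most easy to get wrong in a hand-rolled checker. The exposure window is the number that turns a finding into a priority; a published patch that has sat unapplied past the SLA is the situation the Equifax paragraph describes.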
