---
name: vulnerability-patching
description: Manage vulnerability scanning and patch management including automated vulnerability detection, risk-based prioritization, patch testing, deployment scheduling, compliance verification, and patch reporting. Use when scanning for vulnerabilities, managing patch cycles, prioritizing security fixes, or verifying patch compliance. Triggers on phrases like "vulnerability scanning", "patch management", "CVE", "security patches", "patch deployment", "vulnerability assessment", "patch compliance", "risk-based patching", "staging test", "maintenance window", "rollback", "patch report".
---

# Vulnerability Scanning & Patch Management

Automatically detect, prioritize, test, and deploy security patches across all infrastructure with zero downtime.

## Automated Vulnerability Scanning

### Scan Configuration & Execution

```
VULNERABILITY SCANNING FRAMEWORK:
══════════════════════════════════

SCAN COVERAGE:
  ┌──────────────────────────┬──────────┬───────────┬─────────────┐
  │ Asset Type               │ Count    │ Scan Freq │ Scanner     │
  ├──────────────────────────┼──────────┼───────────┼─────────────┤
  │ Linux servers            │ 120      │ Weekly    │ Qualys      │
  │ Windows servers          │ 45       │ Weekly    │ Qualys      │
  │ Containers (K8s pods)    │ 380      │ Daily     │ Trivy       │
  │ Cloud instances (AWS)    │ 85       │ Daily     │ Inspector   │
  │ Cloud instances (Azure)  │ 30       │ Daily     │ Defender    │
  │ Web applications         │ 18       │ Weekly    │ Burp Suite  │
  │ Network devices          │ 42       │ Monthly   │ Tenable     │
  │ Endpoints (laptops)      │ 450      │ Weekly    │ CrowdStrike │
  │ SaaS applications        │ 25       │ Monthly   │ Wiz         │
  ├──────────────────────────┼──────────┼───────────┼─────────────┤
  │ TOTAL                    │ 1,195    │           │             │
  └──────────────────────────┴──────────┴───────────┴─────────────┘

SCAN CONFIGURATION:
  Vulnerability sources:
    - NVD (National Vulnerability Database) — primary
    - MITRE CVE — comprehensive coverage
    - CIS (Center for Internet Security) benchmarks
    - Cloud provider security advisories (AWS, Azure)
    - Vendor-specific advisories (OS, middleware, applications)
    - Internal vulnerability database (custom findings)
  
  Scan types:
    Authenticated scans: 85% (deeper coverage, accurate results)
    Unauthenticated scans: 15% (external-facing, internet-exposed)
    Agent-based: Endpoints + servers (real-time)
    Agentless: Cloud instances, containers (periodic)
  
  Scan schedules:
    Daily: Cloud instances, containers (low impact, high value)
    Weekly: Servers, endpoints, web applications
    Monthly: Network devices, SaaS applications
    On-demand: Post-incident, pre-audit, new asset onboarding
  
  Scan windows:
    Servers: 2:00 AM - 6:00 AM (off-peak)
    Containers: Continuous (minimal impact)
    Endpoints: 8:00 PM - 12:00 AM (after business hours)
    Cloud: 24/7 (no scheduling impact — agentless)

VULNERABILITY RESULTS (January 2025):
  Total vulnerabilities found: 847
  ┌──────────────────────────┬──────────┬──────────┬──────────┐
  │ Severity                 │ Count    │ %        │ Target   │
  ├──────────────────────────┼──────────┼──────────┼──────────┤
  │ Critical (CVSS 9.0-10.0) │ 12       │ 1.4%     │ 0        │
  │ High (CVSS 7.0-8.9)      │ 48       │ 5.7%     │ <10      │
  │ Medium (CVSS 4.0-6.9)    │ 285      │ 33.6%    │ <100     │
  │ Low (CVSS 0.1-3.9)       │ 502      │ 59.3%    │ N/A      │
  ├──────────────────────────┼──────────┼──────────┼──────────┤
  │ TOTAL                    │ 847      │ 100%     │          │
  └──────────────────────────┴──────────┴──────────┴──────────┘

  Trend (6 months):
    Critical: 25 → 18 → 15 → 12 (declining) ✓
    High: 85 → 68 → 55 → 48 (declining) ✓
    Medium: 380 → 340 → 310 → 285 (declining) ✓
    Overall: Improving — 30% reduction in 6 months

TOP 10 VULNERABILITIES (by count):
  1. CVE-2024-XXXX (OpenSSL): Medium — 45 instances
  2. CVE-2024-XXXX (Log4j): Low — 38 instances
  3. CVE-2024-XXXX (Linux kernel): High — 12 instances
  4. CVE-2024-XXXX (Nginx): Medium — 35 instances
  5. CVE-2024-XXXX (Python pip): Low — 62 instances
  6. CVE-2024-XXXX (Docker): Medium — 28 instances
  7. CVE-2024-XXXX (Apache): High — 8 instances
  8. CVE-2024-XXXX (Node.js): Low — 95 instances
  9. CVE-2024-XXXX (Ruby): Medium — 18 instances
  10. CVE-2024-XXXX (PostgreSQL): High — 15 instances
```

## Risk-Based Patch Prioritization

### Prioritization Framework

```
RISK-BASED PATCH PRIORITIZATION:
════════════════════════════════

RISK SCORING MODEL:
  Patch Priority Score = CVSS × Exposure × Asset Criticality × Exploitability
  
  Components:
    CVSS score: 0-10 (from NVD)
    Exposure factor:
      Internet-facing: 2.0
      DMZ: 1.5
      Internal (restricted): 1.0
      Internal (general): 0.7
    Asset criticality:
      Production (mission-critical): 2.0
      Production (business-critical): 1.5
      Staging/Development: 0.7
      Test: 0.3
    Exploitability:
      Active exploitation (in the wild): 2.0
      Proof-of-concept available: 1.5
      Theoretical (no exploit): 0.7
      Vendor patch available: 1.0

PRIORITY TIER ASSIGNMENT:
  Tier 0 — EMERGENCY (Score > 25):
    - Patch within 24 hours
    - Bypass testing (if vendor-verified fix)
    - Approval: Security team lead (expedited)
    - Examples: Active RCE exploits, zero-days in production
    - Current: 0 items ✓
  
  Tier 1 — CRITICAL (Score 15-25):
    - Patch within 72 hours
    - Quick staging validation (smoke tests)
    - Approval: Security + IT Operations lead
    - Examples: Critical/high CVEs on internet-facing systems
    - Current: 3 items (being addressed)
  
  Tier 2 — HIGH (Score 8-15):
    - Patch within 1 week
    - Full staging test cycle
    - Approval: Standard change process
    - Examples: High CVEs on internal systems, medium on internet-facing
    - Current: 15 items (scheduled for next patch cycle)
  
  Tier 3 — MEDIUM (Score 3-8):
    - Patch within 2 weeks
    - Standard testing
    - Approval: Standard change process
    - Examples: Medium CVEs on internal systems
    - Current: 85 items (included in monthly cycle)
  
  Tier 4 — LOW (Score < 3):
    - Patch within 30 days (next maintenance window)
    - Minimal testing (low-risk changes)
    - Approval: Automated (pre-approved change)
    - Examples: Low CVEs, non-production
    - Current: 320 items (batched into monthly cycle)

COMPLIANCE-DRIVEN PRIORITIZATION:
  Regulatory requirements:
    PCI DSS: Critical patches within 30 days
    SOC 2: All patches within 90 days
    HIPAA: Critical patches within 14 days
    ISO 27001: Patch policy compliance (risk-based)
  
  Compliance calendar:
    Next PCI DSS audit: March 2025
    Next SOC 2 audit: June 2025
    Next ISO 27001 surveillance: September 2025
  
  Pre-audit scan: 2 weeks before each audit
  Remediation target: Zero critical/high findings before audit
```
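A runnable version of the scoring model and tier assignment above, added here as an example rather than taken from this playbook: the weight tables and tier thresholds are the page's, the findings and asset names are constructed, and the handling of a score that lands exactly on a tier boundary (it goes to the lower tier) is an assumption the page does not settle.

```python
from dataclasses import dataclass

# Weight tables exactly as listed in the risk scoring model
EXPOSURE = {"internet-facing": 2.0, "dmz": 1.5,
            "internal-restricted": 1.0, "internal-general": 0.7}
CRITICALITY = {"prod-mission-critical": 2.0, "prod-business-critical": 1.5,
               "staging": 0.7, "test": 0.3}
EXPLOITABILITY = {"active": 2.0, "poc": 1.5, "theoretical": 0.7,
                  "patch-available": 1.0}

# (lower bound, tier, name, patch SLA). Assumption: a score exactly on a
# boundary (e.g. 15.0) falls into the lower tier; the page does not say.
TIERS = [(25.0, 0, "EMERGENCY", "24 hours"), (15.0, 1, "CRITICAL", "72 hours"),
         (8.0, 2, "HIGH", "1 week"), (3.0, 3, "MEDIUM", "2 weeks"),
         (0.0, 4, "LOW", "30 days")]


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder ids below, not real CVE numbers
    asset: str
    cvss: float         # NVD base score, 0-10
    exposure: str
    criticality: str
    exploitability: str


def priority_score(f: Finding) -> float:
    """Patch Priority Score = CVSS x Exposure x Asset Criticality x Exploitability."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    return f.cvss * EXPOSURE[f.exposure] * CRITICALITY[f.criticality] * EXPLOITABILITY[f.exploitability]


def tier_for(score: float) -> tuple:
    for lower, tier, name, sla in TIERS:
        if score > lower:
            return tier, name, sla
    return TIERS[-1][1:]          # a score of 0.0 (CVSS 0) is still LOW


def prioritize(findings):
    """Rank findings by score, highest first, with tier and SLA attached."""
    rows = sorted(((priority_score(f), f) for f in findings), key=lambda r: r[0], reverse=True)
    return [(f.cve, f.asset, round(s, 2), *tier_for(s)) for s, f in rows]


# Constructed sample: the same CVE lands in different tiers depending on where it sits
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "edge-proxy-01", 9.8, "internet-facing", "prod-mission-critical", "active"),
    Finding("CVE-EXAMPLE-0002", "erp-db-02", 7.8, "internal-restricted", "prod-business-critical", "poc"),
    Finding("CVE-EXAMPLE-0002", "erp-db-stg", 7.8, "internal-general", "staging", "poc"),
    Finding("CVE-EXAMPLE-0003", "dmz-api-03", 6.4, "dmz", "prod-business-critical", "patch-available"),
]
```

Running `prioritize(SAMPLE)` puts the internet-facing, actively exploited finding in Tier 0 and the staging copy of the same CVE in Tier 3, which is the point of weighting CVSS by context.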

## Patch Testing & Deployment

### Safe Deployment Process

```
PATCH TESTING PROCESS:
══════════════════════

TEST ENVIRONMENT:
  Staging environment mirrors production (1:1 parity)
    Servers: 20 staging (representing 165 production)
    Containers: 50 staging pods (representing 380 production)
    Applications: All production apps (staging version)
    Database: Production snapshot (anonymized)
  
  Test categories:
    1. Compatibility testing:
       - Application functionality (smoke tests)
       - API endpoints (contract testing)
       - Database connectivity
       - Integration points (third-party services)
       - User authentication (SSO, MFA)
    
    2. Performance testing:
       - CPU/memory utilization (pre vs. post)
       - Response time (API latency)
       - Throughput (requests per second)
       - Resource limits (ulimit, cgroup)
       - Database query performance
    
    3. Security testing:
       - Vulnerability re-scan (verify fix)
       - Configuration drift check
       - Access control validation
       - Encryption verification
       - Logging/monitoring intact
    
    4. Regression testing:
       - Previous patches (no conflict)
       - Known issues (no re-emergence)
       - Feature functionality (no regression)
       - Error handling (no change)

TEST RESULTS (January Patch Cycle):
  Patches tested: 234
  ┌─────────────────────────┬──────────┬──────────┐
  │ Result                  │ Count    │ %        │
  ├─────────────────────────┼──────────┼──────────┤
  │ Pass (no issues)        │ 218      │ 93.2%    │
  │ Minor issues (accept)   │ 12       │ 5.1%     │
  │ Major issues (block)    │ 3        │ 1.3%     │
  │ Not tested (N/A)        │ 1        │ 0.4%     │
  ├─────────────────────────┼──────────┼──────────┤
  │ TOTAL                   │ 234      │ 100%     │
  └─────────────────────────┴──────────┴──────────┘

  Blocked patches (3):
    1. Linux kernel 5.15.148 — memory leak in staging (vendor aware)
       Action: Defer to next cycle, monitor fix ETA
    2. Nginx 1.25.4 — config file compatibility issue
       Action: Update config template, retest
    3. Python 3.11.7 — dependency conflict (Django)
       Action: Update Django first, then Python

PATCH DEPLOYMENT PROCESS:
  Maintenance windows:
    Sunday 2:00 AM - 6:00 AM (primary, monthly)
    Wednesday 3:00 AM - 5:00 AM (emergency, as needed)
    Saturday 10:00 PM - 2:00 AM (emergency, critical only)
  
  Deployment strategy:
    1. Canary deployment (5% of servers)
       - Monitor for 30 minutes
       - Check health checks, error rates, performance
       - If issues: Rollback immediately
    
    2. Staged rollout (25% → 50% → 75% → 100%)
       - Each stage: 30-minute monitoring
       - Auto-pause on error threshold (>0.5% error rate)
       - Manual approval between stages
    
    3. Blue-green (critical systems)
       - Deploy to green (new) environment
       - Validate green environment
       - Switch traffic (instant)
       - Rollback: Switch back to blue (instant)
  
  Deployment tools:
    Ansible: Server patching (Linux + Windows)
    Kubernetes: Container image updates (rolling update)
    AWS Systems Manager: Cloud instance patching
    Azure Update Manager: Azure VM patching
    CrowdStrike: Endpoint patching

DEPLOYMENT RESULTS (January Patch Cycle):
  Patches deployed: 215 (of 234 tested, 19 deferred)
  Deployment success rate: 99.5% (214/215)
  Failed deployments: 1 (auto-rollback, no impact)
  Total deployment time: 3.5 hours (target: <4 hours) ✓
  Downtime: 0 minutes (zero downtime achieved) ✓
  Rollbacks: 1 (contained, no user impact)

POST-DEPLOYMENT VERIFICATION:
  Re-scan (post-patch):
    Critical vulnerabilities: 12 → 9 (-3)
    High vulnerabilities: 48 → 36 (-12)
    Medium vulnerabilities: 285 → 260 (-25)
    Verification rate: 96% (patches confirmed)
  
  Monitoring (24-hour post-deployment):
    Error rate: Stable (no increase)
    Performance: Stable (no degradation)
    Availability: 100% (no incidents)
    User impact: None reported
  
  Compliance update:
    PCI DSS patch compliance: 98.5% (target: >95%) ✓
    SOC 2 patch compliance: 96.8% (target: >90%) ✓
    ISO 27001 compliance: Verified
```
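The canary and staged-rollout gating described above (5% canary with immediate rollback, 25 → 50 → 75 → 100% with auto-pause above a 0.5% error rate and manual approval between stages), as an added example that is not part of this playbook or any of the deployment tools it names; the monitoring samples are constructed, and reducing stage health to request and error counts is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ERROR_RATE_THRESHOLD = 0.005          # page: auto-pause on >0.5% error rate
STAGES = (5, 25, 50, 75, 100)         # canary 5%, then 25 -> 50 -> 75 -> 100
CANARY = STAGES[0]


@dataclass(frozen=True)
class StageHealth:
    """Counts from one stage's 30-minute monitoring window (assumption: health
    is reduced to requests/errors; a real gate would also check latency and probes)."""
    requests: int
    errors: int

    def error_rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0


def run_rollout(samples: Dict[int, StageHealth],
                approve: Callable[[int], bool] = lambda pct: True) -> Tuple[str, int, List[int]]:
    """Walk the stages in order; return (status, stage_pct, completed_stages).

    rollback           canary breached the threshold -> roll back immediately
    paused             a later stage breached it -> auto-pause for investigation
    awaiting-approval  manual approval between stages not (yet) given
    complete           100% reached with every stage under threshold
    """
    completed: List[int] = []
    for pct in STAGES:
        if samples[pct].error_rate() > ERROR_RATE_THRESHOLD:
            return ("rollback" if pct == CANARY else "paused", pct, completed)
        completed.append(pct)
        if pct != STAGES[-1] and not approve(pct):
            return ("awaiting-approval", pct, completed)
    return ("complete", STAGES[-1], completed)


# Constructed monitoring samples, not real deployment data
HEALTHY = {5: StageHealth(2000, 4), 25: StageHealth(10000, 20), 50: StageHealth(20000, 60),
           75: StageHealth(30000, 90), 100: StageHealth(40000, 100)}
BAD_AT_50 = {**HEALTHY, 50: StageHealth(20000, 160)}    # 0.8% -> auto-pause at 50%
BAD_CANARY = {**HEALTHY, 5: StageHealth(2000, 30)}      # 1.5% -> canary rollback

if __name__ == "__main__":
    for name, s in (("healthy", HEALTHY), ("bad at 50%", BAD_AT_50), ("bad canary", BAD_CANARY)):
        print(name, run_rollout(s))
```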

## Output

### Vulnerability & Patch Dashboard

```
VULNERABILITY & PATCH DASHBOARD — Jan 2025
═══════════════════════════════════════════

Scan Coverage:
  Total assets: 1,195
  Scan compliance: 99.2% (12 assets deferred — decommissioning)
  Last full scan: Jan 25, 2025
  
Vulnerability Summary:
  Critical: 12 (target: 0 — 3 in progress)
  High: 48 (target: <10 — 15 in progress)
  Medium: 285 (target: <100 — 85 scheduled)
  Low: 502 (low priority, included in cycle)
  Trend: Improving (30% reduction in 6 months)

Patch Management:
  Last cycle: Jan 26, 2025
  Patches deployed: 215
  Success rate: 99.5%
  Downtime: 0 minutes
  Next cycle: Feb 23, 2025 (monthly)
  Emergency patches (YTD): 0
  
Testing:
  Test pass rate: 93.2% (target: >90%) ✓
  Blocked patches: 3 (vendor issues — deferred)
  Avg. test cycle: 1.5 days (target: <2 days) ✓

Compliance:
  PCI DSS: 98.5% (target: >95%) ✓
  SOC 2: 96.8% (target: >90%) ✓
  ISO 27001: Verified
  Next audit prep: March 2025 (PCI DSS — 2 weeks scan)

Actions:
  1. Critical patch deployment (3 — within 72 hours)
  2. Pre-audit scan (Feb 10 — PCI DSS)
  3. Monthly patch cycle (Feb 23)
  4. Scan scope review (new assets added)
  5. Scanner tool review (annual — Q2)
```

## Integration Points

- Vulnerability scanners (Qualys, Tenable, Rapid7): Scan execution, results
- Cloud security tools (AWS Inspector, Azure Defender, Wiz): Cloud-specific scans
- Container security (Trivy, Aqua, Snyk): Container image scanning
- SIEM platforms (Splunk, Sentinel): Log correlation, threat detection
- Configuration management (Ansible, Puppet, Chef): Patch deployment
- Container orchestration (Kubernetes, ECS): Rolling updates, image management
- ITSM platforms (ServiceNow, Jira): Change management, incident tracking
- Compliance platforms (Vanta, Drata): Compliance evidence, reporting
- Threat intelligence (MISP, AlienVault OTX): Exploit data, IOCs
- CMDB (ServiceNow, NetBox): Asset inventory, configuration data

## Edge Cases

- **Zero-day vulnerability**: Emergency patch outside normal cycle; vendor advisory monitoring; compensating controls
- **Patch conflict**: Dependency analysis; conflict resolution; vendor escalation; workaround
- **Production impact (post-patch)**: Immediate rollback; root cause; staging parity fix; enhanced testing
- **Compliance deadline pressure**: Accelerated cycle; priority override; management notification; audit evidence
- **Legacy system (EOL)**: Extended support; compensating controls; upgrade planning; risk acceptance
- **Internet-facing system (immediate exposure)**: Emergency patch; WAF rule; IP blocking; monitoring increase
- **Patch supply chain attack**: Vendor verification; hash validation; code signing; incident response
- **Rolling deployment failure**: Auto-pause; rollback; traffic rerouting; investigation; retry
- **Staging-prod parity gap**: Environment drift detection; infrastructure as code; periodic sync
- **False positive vulnerability**: Manual verification; scanner tuning; vendor reporting; suppression rule
