Harmonizing Stakeholder Roles in Vulnerability Management

Vulnerability management is a fundamental component of any effective security program, yet it often turns into a tug-of-war between stakeholders with wildly different priorities. Researchers unearth vulnerabilities, developers aim to ship products on tight deadlines, operators are tasked with reducing risk, and security leaders have to oversee the entire chaotic process. It's no wonder friction arises!

At the CVE/FIRST VulnCon 2025 & Annual CNA Summit, I had the opportunity to moderate a lively discussion titled “Who’s Vulnerability Is It Anyway? Harmonizing Stakeholder Roles in Vulnerability Management” featuring panelists Kayla Underkoffler (Zenity), Havaya Garti (Snyk), and James Berthoty (Latio Tech). This blog captures highlights from the session, sheds light on these challenges, and explores how improved collaboration across teams can drive better security outcomes. You can watch this session and the complete track from VulnCon 2025 on the FIRST YouTube channel.

Setting the Stage

Vulnerabilities are no longer just a security problem; they’ve become an issue that impacts engineering, legal, compliance, and even business continuity teams. With each stakeholder bringing their own perspective and priorities to the table, harmony is hard to achieve. Kayla set the tone for the discussion by highlighting how her past role as a vulnerability management practitioner involved “cat herding” just to maintain the foundational aspects of asset inventory and scanning: “If I wasn’t even set up for success, how could I expect developers to be set up for success in remediating issues?”

I shared a similar experience around benchmarking vulnerability scanners: “I was blown away—not positively—by the discrepancies in results. Most teams don’t even know what their tools are missing, creating massive blind spots.”

Explaining the Core Challenges

Conflicting Priorities

Each practitioner has a unique vantage point when it comes to vulnerabilities:

Researchers: Their aim is to uncover security issues to enhance software security, though external motivations like recognition or bounty rewards can sometimes influence their objectivity.
Developers: To them, vulnerabilities in their backlog often appear as interruptions amidst the pressure to meet tight delivery timelines.
Operators/Practitioners: They are buried under the sheer volume of findings while trying to ensure data accuracy and effective communication.
Executives: Their role is to balance business goals and resource constraints with compliance, often trying to translate risk into business-relevant outcomes.

These conflicting priorities often lead to friction in the vulnerability management process. For example, developers may feel overwhelmed with countless vulnerabilities marked as “high severity,” while operators wrestle with tools that don’t go deep enough to uncover critical gaps.

False Positives and False Negatives

False positives and negatives have long been the bane of vulnerability management:

False Positives: Kayla shared how, as a vulnerability management operator, much of her time and energy was spent addressing false positives. From her perspective, she trusted her scanner, focusing on the results it provided. Whether or not a vulnerability was reachable or exploitable wasn’t something she considered, which often led to disputes with developers: “They’d often claim, ‘Nope, fake news, no issue there.’ These conversations ate into already scarce resources.” She added that eliminating false positives from a tooling and reporting standpoint was a complex challenge in itself.

False Negatives: I shared my perspective that while false positives are always top of mind when discussing the quality of vulnerability scanner results, false negatives are equally, if not more, important from a security perspective, as they represent blind spots in your organization's security posture. You can’t fix what you don’t know exists. For example, a 15-year-old vulnerability in Python XZ Utils may go unnoticed because older Common Platform Enumeration (CPE) formats aren’t compatible with modern tools. An additional challenge with false negatives is that you normally lack visibility into what your scanner misses unless you use multiple scanners and cross-validate findings.

Remediation Bottlenecks

Most organizations struggle with bridging the enormous gap between identifying vulnerabilities and actually remediating them. As Havaya noted, developers are rarely incentivized or measured on security: “They’re measured on meeting deadlines. Fixing vulnerabilities is just another chore.”

James summed it up with stark clarity: “If we think of vulnerability management only in terms of CVEs, we’ve already lost the plot. Risk isn’t just about identification—it’s about fundamentally improving patching mechanisms and addressing the root causes of vulnerabilities.”

Bridging the Gaps: Key Takeaways

1. Shift from Vulnerability Reduction to Risk Reduction

Havaya highlighted the importance of moving beyond sheer numbers: “We should stop measuring success by how many vulnerabilities were found or fixed. Instead, focus on which vulnerabilities truly matter in the context of your application.”

This context-driven approach involves understanding factors like:

Business impact: What happens if this vulnerability is exploited?
Exploitability: Is it actually reachable or merely theoretical?
Remediation ease: How difficult is it to apply the fix?

2. Stop Treating Developers as the Enemy

Kayla emphasized the importance of empathy. Developers are not security experts, nor do they need to be: “Build relationships. Show you can make their lives easier. If developers trust you, they’re more likely to collaborate on fixing issues.”

3. Invest in Better Tooling—but Wisely

The panel emphasized the need to critically evaluate tools. James cautioned against being dazzled by flashy detection numbers: “Vendors play to our biases—they know we want big numbers. But really, what value does a new tool add if it can’t guide my team on remediation, or worse, bury us under noise?”

Instead, organizations should aim for tools that:

Provide actionable data (e.g., reachable vulnerabilities).
Harmonize results from multiple scanning tools into a single, coherent view.
Are designed for collaboration, bridging different stakeholders’ workflows.

4. Create an Effective Asset Management Program

Asset management was repeatedly identified as a cornerstone. Kayla emphasized: “You can’t monitor what you don’t know exists. Asset inventory and documentation are foundational to everything else in security.” She also advocated for better aggregation solutions to unify the fragmented results from various tools and systems.

Looking Ahead: Recommendations for Stakeholders

The panel ended with actionable advice tailored to specific audiences:

For Developers: “Document everything you build. The more context you provide, the easier it is for everyone to understand the potential risks.” (Kayla)
For Security Teams: “Reduce noise. Focus on identifying the vulnerabilities that matter most to developers rather than handing them a mountain of findings.” (Havaya)
For Executives: “Learn the fundamentals of your tech stack. If you understand Kubernetes or cloud architecture, you can better assess the risks and guide your teams more effectively.” (James)
For Everyone: “If something doesn’t make sense, it’s probably the tool’s fault, not yours. Tools should work for you, not the other way around.” (James)

Conclusion: Harmonizing Security for a Better Tomorrow

The crux of vulnerability management lies in harmonizing the diverse perspectives of its key players. From reducing noise to focusing on risk over vulnerabilities, effective collaboration is the only path to meaningful security improvements.

Along with my role in researching threat evolution here at Zscaler, I also get to help shape our solutions. It’s exciting to see how Zscaler’s exposure management platform meets a lot of the asks we outlined in our session. Our platform offers a modern approach to vulnerability management and asset exposure management (CAASM) by seamlessly integrating powerful zero-trust principles with contextual threat intelligence, comprehensive visibility across your environment, and automated risk mitigation. To learn more, check out this solution brief or request a personalized demo of our exposure management products.
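As an added example (not code from the original post, the panelists, or any vendor product), here is a small Python sketch of two ideas from the session: cross-validating scanners to surface each tool's blind spots (the false-negative point), and ranking the merged findings by reachability, business impact and fix effort rather than by raw count (the risk-reduction point). Scanner names, asset names, CVE ids and context values are constructed sample data.

```python
"""Cross-validate two vulnerability scanners and rank merged findings by context.

Added example, not from the original post. The scanner names, assets,
CVE ids (CVE-0000-xxxx placeholders) and context values are constructed."""
from collections import defaultdict

# Constructed output from two hypothetical scanners, already normalized to
# (asset, cve) pairs. Real tools emit richer formats (SARIF, CycloneDX VEX, ...).
SCANNER_A = [
    {"asset": "api-gateway", "cve": "CVE-0000-0001", "severity": "high"},
    {"asset": "api-gateway", "cve": "CVE-0000-0002", "severity": "critical"},
    {"asset": "batch-worker", "cve": "CVE-0000-0003", "severity": "high"},
]
SCANNER_B = [
    {"asset": "api-gateway", "cve": "CVE-0000-0001", "severity": "high"},
    {"asset": "batch-worker", "cve": "CVE-0000-0004", "severity": "medium"},
]

# Constructed application context: the factors the panel says should drive
# priority (reachable? business impact 1-3, remediation effort 1-3).
CONTEXT = {
    ("api-gateway", "CVE-0000-0002"): {"reachable": True, "impact": 3, "fix_effort": 1},
    ("api-gateway", "CVE-0000-0001"): {"reachable": False, "impact": 3, "fix_effort": 2},
    ("batch-worker", "CVE-0000-0003"): {"reachable": True, "impact": 1, "fix_effort": 3},
    ("batch-worker", "CVE-0000-0004"): {"reachable": True, "impact": 1, "fix_effort": 1},
}


def merge(scanners):
    """Union of findings keyed by (asset, cve), remembering which tools saw each."""
    seen = defaultdict(set)
    for name, findings in scanners.items():
        for f in findings:
            seen[(f["asset"], f["cve"])].add(name)
    return seen


def candidate_false_negatives(merged, scanner):
    """Findings some other tool reported but `scanner` did not: its blind spots."""
    return sorted(key for key, tools in merged.items() if scanner not in tools)


def prioritize(merged, context):
    """Rank by risk: unreachable findings sink, high impact and easy fixes rise."""
    def score(key):
        c = context.get(key, {"reachable": True, "impact": 2, "fix_effort": 2})
        base = c["impact"] * 2 + (4 - c["fix_effort"])
        return base if c["reachable"] else 0
    return sorted(merged, key=score, reverse=True)
```

Running `candidate_false_negatives(merge({"a": SCANNER_A, "b": SCANNER_B}), "b")` lists what scanner B never reported, which is exactly the visibility a single-scanner setup lacks.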
