notes blog about

After locking down access control, probably the best investment to improve security.

There is overlap among vulnerability, patch and configuration management.

You should use cloud API for assets inventory to avoid missing new systems as they come online.

Cloud, CI/CD and microservice architectures have changed how vulnerability management is done:

  1. Automatically pull security updates (for libraries, OS components) as part of normal development.
  2. Test the updates as part of the normal application tests flow.
  3. Deploy new version, automatically creating new environment that includes security updates (or security configuration changes).
  4. Discover additional vulnerabilities in test or prod environments and add them as bugs in the development backlog.

Data access



Operating system


  1. patch and config mng of network components (routers, switches, firewalls)
  2. managing which communications are allowed

Virtualized and physical infrastructure

When finding and fixing vulns pick the most important area for your org, and get value from it before moving on to other areas. A common pitfall is having five different tools and processes none of which are actually providing a lot of value in finding and fixing vulns.

You want to plug tooling and findings leaks so you don’t have a lot of unknown risk:


The size of the pipes is determined by a number of the problems you (expect to) find in an area and how critical to the business those problems might be.

Network vulnerability scanners (Nexpose)

Agentless/agent-based scanners and config management (Nexpose)

Container scanners (Anchore, AF X-ray)

Dynamic application scanners (ZAP)

Static application scanners (SonarQube)

Software composition analysis scanners

Interactive application scanners

Runtime application self-protection scanners

Manual code reviews

Penetration tests

User reports

Risk mng process

Vulnerability mng metrics

A sample microservice application:


Source: Practical Cloud Security (2019)