Vulnerability Detection & CVE Monitoring
Scanning Program
Infrastructure Scanning
| Method | Tool Category | Interval | Scope |
|---|---|---|---|
| Network scan | Port scanner, service detection | Weekly | All reachable IP ranges |
| Vulnerability scan | Trivy, OpenVAS or equivalent | Weekly | Servers, containers, network devices |
| Compliance scan | Configuration audit | Monthly | Hardening guidelines, CIS Benchmarks |
Application Scanning
| Method | Tool Category | Interval | Scope |
|---|---|---|---|
| SAST (Static Analysis) | Code analysis in CI/CD | On every commit | In-house developed applications |
| Dependency scan | Dependabot, Trivy | Continuous (automated) | All software dependencies |
| Container scan | Trivy | On every build | Docker images |
CRA SYNERGY
Product-related vulnerability scanning (SBOM generation, multi-engine scanning with Trivy + Grype + OSV-Scanner) is documented in the CRA Compliance Documentation. NIS2 scanning focuses on infrastructure and operational systems.
CVE Monitoring
Sources
| Source | Type | Relevance |
|---|---|---|
| NVD (National Vulnerability Database) | CVE database | All deployed products |
| BSI advisories | Advisories, security notices | Infrastructure and standard software |
| Vendor advisories | Manufacturer notifications | Deployed products |
| GitHub Security Advisories | Dependency alerts | Open-source dependencies |
| CERT-Bund | Warning notices | Critical infrastructure |
Assessment Flowchart
CVE published
→ Relevance check: Is the affected product deployed in our environment?
  → Yes: CVSS score + contextual assessment
    → Critical/High: Immediate escalation to IT Ops
    → Medium: Include in patch cycle
    → Low: Next release cycle
  → No: Archive
Vulnerability Tracking
Each identified vulnerability is documented with the following fields:
| Field | Description |
|---|---|
| ID | CVE number or internal ID |
| Affected system | Hostname, application, component |
| CVSS score | Base score as published (NVD or vendor), before any adjustment |
| Contextual assessment | Adjustment for our environment (reachable? exploitable?) |
| Status | Open / In Progress / Resolved / Accepted |
| Measure | Patch, workaround, configuration change |
| Deadline | Remediation deadline per the patch management policy, derived from the contextual assessment |
| Responsible | Assigned administrator or developer |
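The following Python script is an added example for this page; it is not the organisation's tooling and not part of the documentation set. It walks a constructed asset inventory through the assessment flowchart above (relevance check, CVSS severity, contextual assessment, escalation bucket) and emits one tracking record per affected asset using the fields from the table. The CVSS severity scale is the standard NVD v3.x mapping; everything else is an assumption: the one-level downgrade rule for hosts not reachable from untrusted networks, the dotted-integer version comparison, the deadline windows, the inventory, the owner names and the CVE entries (placeholder IDs, not real CVEs). The extra "Escalation" key records the flowchart branch taken.

```python
"""CVE triage and tracking-record builder (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


def cvss_severity(score: float) -> str:
    """NVD CVSS v3.x qualitative severity scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


# Assumed remediation windows in days per contextual severity. Placeholder for
# the organisation's patch management deadlines, which this page does not quote.
DEADLINE_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90, "None": 90}


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str           # vendor:product key, e.g. "apache:httpd"
    version: str
    internet_facing: bool  # reachable from untrusted networks?
    owner: str             # responsible administrator or developer (assumed)


@dataclass(frozen=True)
class Cve:
    cve_id: str            # placeholder IDs below, not real CVEs
    product: str
    fixed_in: str          # assumption: versions strictly below this are affected
    cvss: float            # published base score
    network_vector: bool   # CVSS attack vector is Network (AV:N)
    exploit_public: bool   # a public exploit is known?


def version_tuple(v: str) -> tuple:
    """Simplistic dotted-integer comparison key (assumption; not SemVer-complete)."""
    return tuple(int(p) for p in v.split("."))


def relevant_assets(cve: Cve, inventory: list) -> list:
    """Relevance check: which deployed assets run an affected version?"""
    return [a for a in inventory
            if a.product == cve.product
            and version_tuple(a.version) < version_tuple(cve.fixed_in)]


def contextual_severity(cve: Cve, asset: Asset) -> str:
    """Contextual assessment (assumed rule): a network-vector CVE on a host that is
    not reachable from untrusted networks drops one level, but never when a public
    exploit exists. Critical becomes High, High becomes Medium, others unchanged."""
    base = cvss_severity(cve.cvss)
    if cve.network_vector and not asset.internet_facing and not cve.exploit_public:
        return {"Critical": "High", "High": "Medium"}.get(base, base)
    return base


def escalation(severity: str) -> str:
    """Flowchart branch for the (contextual) severity."""
    if severity in ("Critical", "High"):
        return "Immediate escalation to IT Ops"
    if severity == "Medium":
        return "Include in patch cycle"
    return "Next release cycle"


def triage(cve: Cve, inventory: list, today: date) -> list:
    """Run the flowchart; return one tracking record per affected asset.
    An empty list means the product is not deployed: archive the CVE."""
    records = []
    for asset in relevant_assets(cve, inventory):
        sev = contextual_severity(cve, asset)
        records.append({
            "ID": cve.cve_id,
            "Affected system": f"{asset.hostname} ({asset.product} {asset.version})",
            "CVSS score": cve.cvss,
            "Contextual assessment": f"{cvss_severity(cve.cvss)} -> {sev} "
                                     f"(internet_facing={asset.internet_facing}, "
                                     f"exploit_public={cve.exploit_public})",
            "Status": "Open",
            "Measure": f"Patch to >= {cve.fixed_in}",
            "Deadline": (today + timedelta(days=DEADLINE_DAYS[sev])).isoformat(),
            "Responsible": asset.owner,
            "Escalation": escalation(sev),
        })
    return records


# Constructed inventory and CVE feed for demonstration only.
INVENTORY = [
    Asset("web-01", "apache:httpd", "2.4.49", True, "ops-web"),
    Asset("intranet-01", "apache:httpd", "2.4.49", False, "ops-web"),
    Asset("db-01", "postgresql:postgresql", "15.3", False, "ops-db"),
]
CVES = [
    Cve("CVE-0000-0001", "apache:httpd", "2.4.50", 9.8, True, False),
    Cve("CVE-0000-0002", "nginx:nginx", "1.25.0", 7.5, True, False),  # not deployed
]

if __name__ == "__main__":
    for cve in CVES:
        recs = triage(cve, INVENTORY, date.today())
        print(cve.cve_id, "-> archived" if not recs else "")
        for r in recs:
            print("  ", r)
```

The downgrade rule is deliberately conservative (one level, never with a public exploit); whatever rule the organisation adopts, it should be written down next to the tracking record so that the "Contextual assessment" field shows both the published score and the reasoning for any adjustment.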