Vulnerability Management at Scale with Open Source Tools
Build enterprise vulnerability management with open source—deploy scanning, remediation tracking, and compliance using Nessus and OpenVAS.
BLUF
Open source vulnerability management can match enterprise capabilities at zero licensing cost. This guide covers building an integrated stack for 200+ assets achieving MTTD <24 hours and MTTR <7 days for critical vulnerabilities.
What you'll learn:
- Complete toolchain (discovery, scanning, orchestration, visualization)
- Scanner integration (OpenVAS, Trivy, OWASP ZAP, Nuclei)
- Risk-based prioritization (CVSS, EPSS, CISA KEV)
- Automation workflows (Apache Airflow DAGs, remediation tracking)
- Operational metrics (MTTD, MTTR, coverage, SLA compliance)
Architecture components:
- 24 integrated tools (Nmap, OpenVAS, Trivy, Grype, Wazuh)
- Automated scanning across VMs, containers, bare metal, cloud
- PostgreSQL + Elasticsearch backend (10,000+ vulnerability records[1])
- Grafana dashboards with real-time status
- Apache Airflow orchestration
Why this matters: Commercial platforms (Qualys, Rapid7, Tenable) cost $100K+ annually. Open source alternatives, when properly integrated, deliver equivalent capabilities.
Vulnerability Management Architecture
Modern vulnerability management requires defense-in-depth strategies. Learn more about implementing zero-trust architecture to complement vulnerability scanning with access controls.
```mermaid
flowchart TB
    subgraph datacollection["Data Collection"]
        NVD[NVD Database]
        CVE[CVE/MITRE]
        GitHub[GitHub Advisory]
        OSV[OSV Database]
    end
    subgraph processingpipeline["Processing Pipeline"]
        Collect[Data Collector]
        Parse[CVE Parser]
        Enrich[Data Enricher]
        Score[Risk Scorer]
    end
    subgraph storageanalysis["Storage & Analysis"]
        DB[(PostgreSQL)]
        Cache[(Redis Cache)]
        ML[ML Analysis]
    end
    subgraph output["Output"]
        API[REST API]
        Dashboard[Dashboard]
        Alerts[Alert System]
    end
    NVD --> Collect
    CVE --> Collect
    GitHub --> Collect
    OSV --> Collect
    Collect --> Parse
    Parse --> Enrich
    Enrich --> Score
    Score --> DB
    Score --> Cache
    DB --> ML
    ML --> API
    ML --> Dashboard
    ML --> Alerts
    classDef green fill:#4caf50,stroke:#2e7d32,stroke-width:2px
    classDef orange fill:#ff9800,stroke:#e65100,stroke-width:2px
    classDef red fill:#f44336,stroke:#c62828,stroke-width:2px
    class Collect green
    class Score orange
    class Alerts red
```
The architecture combines multiple open source tools into a cohesive system. Key insight: integration matters more than individual tool selection.
Tool Stack
Discovery:
- Nmap (detailed host/service enumeration)
- Masscan (high-speed network sweeps, 5M packets/sec)
- Rumble (passive network discovery)
Vulnerability scanning:
- OpenVAS/GVM[8] (90K+ vulnerability tests)
- Nuclei (custom templates, web scanning)
- Wazuh[11] (agent-based endpoint monitoring)
Container scanning:
- Trivy[6] (50+ OS packages, SBOM generation)
- Grype[7] (fast scanning, GitHub Advisories)
- Clair (registry integration)
Web application:
- OWASP ZAP (active scanning, OWASP Top 10[12])
- Nikto (web server misconfigurations)
- SQLMap (SQL injection detection)
Orchestration:
- Apache Airflow[10] (workflow DAGs)
- n8n (lightweight automation)
Data management:
- PostgreSQL (structured vulnerability data)
- Elasticsearch (full-text search, aggregations)
Visualization:
- Grafana (real-time dashboards)
- Kibana (log analysis)
Ticketing:
- GLPI (asset management integration)
- Request Tracker (workflow automation)
Building the Foundation
Asset Discovery and Inventory
Comprehensive asset visibility is the foundation:
Discovery methods:
- Active scanning: Nmap (detailed enumeration), Masscan (5M packets/sec)
- Passive monitoring: Traffic analysis, DHCP logs, DNS queries
- Cloud API: AWS Config, Azure Resource Graph, GCP Asset Inventory
- Agent-based: Wazuh agents for laptops and mobile devices
Asset classification:
- Infrastructure: Servers, VMs, network devices
- Cloud: EC2/VM instances, S3 buckets, Lambda, managed databases
- Containers: Docker, Kubernetes pods (2-4 hour lifespan)
- IoT/OT: SCADA, building automation, IP cameras
Challenges:
- Shadow IT: Unauthorized SaaS apps, rogue cloud accounts
- Cloud sprawl: Multi-account AWS, orphaned instances
- Ephemeral infrastructure: Minute-lifespan containers
- Multi-cloud: Unified inventory without vendor lock-in
Validation:
- CMDB reconciliation: Daily sync, 5-10% drift expected
- Ownership: Auto-tagging by VPC/subnet, AD group, cost center
- Decommission detection: Flag assets offline >30 days
Vulnerability Scanning Orchestration
No single scanner catches everything. Integrate multiple tools:
Scanner selection by asset type:
- Network: OpenVAS/GVM[8] (90K+ tests), authenticated scanning
- Containers: Trivy[6] (50+ OS packages), Grype[7] (SBOM), Clair (registry)
- Web apps: OWASP ZAP (active), Nikto (misconfigs), Nuclei (custom)
- IaC: Checkov (Terraform/CloudFormation), Terrascan (policy)
Scanning strategies:
- Authentication: Credentialed scans find 3-4x more vulnerabilities
- Frequency: Critical (daily), production (weekly), dev/test (monthly)
- Bandwidth: Rate limit <10% capacity, maintenance windows
- Scan windows: Production 2AM-6AM, coordinate with change freeze
False positive management:
- Baseline: 20-40% initial false positives, drops to 5-10% after tuning
- Triage: Auto-filter by CVSS, asset criticality, exploit availability
- Suppression: Document exceptions (WAF-protected, compensating controls)
- Exception tracking: Business owner approval, annual recertification
Orchestration:
- Airflow DAGs: Discovery → scan → normalize → dedupe
- For container-specific scanning, see my container security hardening guide
- Scheduling: Stagger starts, retry logic for failures
- Aggregation: Normalize SARIF, CycloneDX, Dependency-Check formats
- Deduplication: Merge findings across scanners (single source of truth)
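The deduplication step above, as an added example that is not code from the original post: once each scanner adapter has normalized its output into a common record shape (the SARIF, CycloneDX and OpenVAS XML parsers are assumed and not shown), findings from OpenVAS, Trivy and Grype are merged into one record per (asset, CVE) and the number of corroborating scanners is tracked as a false-positive signal. The sample findings and the merge policy are constructed for this example.

```python
from datetime import date

# Constructed sample findings, already normalized to one record shape per
# scanner adapter (the real adapters would parse SARIF, CycloneDX/Trivy JSON
# and OpenVAS XML; those parsers are assumed here, not shown).
FINDINGS = [
    {"scanner": "openvas", "asset": "web-01", "cve": "CVE-2024-0001", "cvss": 9.8,
     "first_seen": date(2024, 3, 2), "fixed_version": None},
    {"scanner": "trivy", "asset": "web-01", "cve": "CVE-2024-0001", "cvss": 9.1,
     "first_seen": date(2024, 3, 1), "fixed_version": "1.2.3"},
    {"scanner": "grype", "asset": "WEB-01", "cve": "cve-2024-0001", "cvss": 9.8,
     "first_seen": date(2024, 3, 3), "fixed_version": "1.2.3"},
    {"scanner": "trivy", "asset": "api-02", "cve": "CVE-2023-0002", "cvss": 7.5,
     "first_seen": date(2024, 2, 20), "fixed_version": "4.0.1"},
]

def finding_key(f):
    """Identity of a vulnerability instance: one asset, one CVE.
    Case is normalized because scanners disagree on it."""
    return (f["asset"].lower(), f["cve"].upper())

def deduplicate(findings):
    """Merge per-scanner findings into one record per (asset, CVE).

    Merge policy (an assumption of this example): keep the highest CVSS,
    the earliest first_seen, the union of scanners that reported it, and the
    first fixed_version any scanner knows about.
    """
    merged = {}
    for f in findings:
        key = finding_key(f)
        rec = merged.setdefault(key, {
            "asset": key[0], "cve": key[1], "cvss": 0.0,
            "first_seen": f["first_seen"], "scanners": set(), "fixed_version": None,
        })
        rec["cvss"] = max(rec["cvss"], f["cvss"])
        rec["first_seen"] = min(rec["first_seen"], f["first_seen"])
        rec["scanners"].add(f["scanner"])
        rec["fixed_version"] = rec["fixed_version"] or f["fixed_version"]
    return merged

def corroborated(merged, min_scanners=2):
    """Findings reported by several scanners are less likely to be false positives."""
    return [r for r in merged.values() if len(r["scanners"]) >= min_scanners]
```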
Remediation Tracking and Automation
Structured remediation requires prioritization, SLAs, automation, and tracking:
Prioritization:
- CVSS base score[3] (severity foundation)
- EPSS exploit probability[4] (active exploitation likelihood)
- CISA KEV catalog[2] (known exploited vulnerabilities)
- Asset criticality (business impact multiplier)
SLAs:
- Critical: <7 days
- High: <30 days
- Medium: <90 days
- Low: Next maintenance window
Automation:
- Patch management: Ansible playbooks
- Configuration remediation: Secure defaults, hardening
- Temporary mitigations: WAF rules, network segmentation
- Rollback: Procedures for failed patches
Tracking:
- Auto-ticket creation: GLPI, Request Tracker
- Assignment: Based on asset ownership
- Aging alerts: SLA breach warnings
- Velocity metrics: Remediation throughput
- Exception workflows: Risk acceptance approval
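The SLA and aging logic described above, as an added example (not code from the original post): each finding gets a deadline from the page's severity tiers, is classified as open, warning, breached, closed or untracked, and open findings are sorted into an alert queue with the most overdue first. The 75% warning threshold, the sample findings and the "today" date are constructed assumptions.

```python
from datetime import date, timedelta

# SLA targets from the page: critical <7 days, high <30, medium <90.
# "Low" has no fixed deadline (next maintenance window), so it is untracked here.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
WARN_FRACTION = 0.75  # assumption: warn once 75% of the SLA window has elapsed

# Constructed sample findings and evaluation date.
TODAY = date(2024, 4, 10)
FINDINGS = [
    {"id": 1, "asset": "dc-01", "severity": "critical", "detected": date(2024, 4, 1), "owner": "infra"},
    {"id": 2, "asset": "web-01", "severity": "high", "detected": date(2024, 3, 15)},
    {"id": 3, "asset": "api-02", "severity": "medium", "detected": date(2024, 4, 5),
     "remediated": date(2024, 4, 8)},
    {"id": 4, "asset": "lab-07", "severity": "low", "detected": date(2024, 1, 1)},
]

def sla_deadline(finding):
    days = SLA_DAYS.get(finding["severity"])
    return None if days is None else finding["detected"] + timedelta(days=days)

def sla_status(finding, today):
    """Return (status, age_days); status is open/warning/breached/closed/untracked."""
    if finding.get("remediated"):
        return "closed", (finding["remediated"] - finding["detected"]).days
    age = (today - finding["detected"]).days
    deadline = sla_deadline(finding)
    if deadline is None:
        return "untracked", age
    if today >= deadline:  # "<7 days" means day 7 is already a breach
        return "breached", age
    if age >= SLA_DAYS[finding["severity"]] * WARN_FRACTION:
        return "warning", age
    return "open", age

def aging_queue(findings, today):
    """Open findings, most overdue first: feeds SLA-breach alerts and the
    assignee's work list (ownership comes from the asset inventory)."""
    rows = []
    for f in findings:
        status, age = sla_status(f, today)
        if status in ("open", "warning", "breached"):
            rows.append({**f, "status": status, "age_days": age,
                         "overdue_days": age - SLA_DAYS[f["severity"]],
                         "owner": f.get("owner", "unassigned")})
    return sorted(rows, key=lambda r: r["overdue_days"], reverse=True)
```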
Dashboards and Reporting
Different stakeholders need different views:
Executive KPIs:
- Risk score trending
- MTTD/MTTR by severity
- Coverage percentage
- SLA compliance by team
Security operations:
- Vulnerability breakdown (Critical/High/Medium/Low)
- Scan status (completion, failures, gaps)
- False positive triage queue
- Remediation backlog with aging
Compliance:
- NIST 800-53[5] control coverage
- PCI DSS mapping (quarterly scanning, critical patching)
- Vulnerability age distribution
- Patch compliance by system type
Alerting:
- Critical detection (CVSS ≥9.0, CISA KEV)
- SLA breach warnings (7/30/90 days)
- Scan failures
- New asset discovery
Integration and Automation
Automation is essential for scale:
⚠️ Warning: This automation workflow demonstrates vulnerability management concepts for educational purposes. Only deploy in authorized environments with proper security controls and approval processes.
```python
# Simplified: Apache Airflow DAG for automated vulnerability management
from datetime import datetime, timedelta
from airflow import DAG
from airflow.operators.python import PythonOperator  # airflow.operators.python_operator is the deprecated path
from airflow.operators.bash import BashOperator
def placeholder(**_): pass  # stand-in for the real scan, ticketing and remediation logic
with DAG("vuln_mgmt", start_date=datetime(2024, 1, 1), schedule="@daily", catchup=False,
         default_args={"retries": 2, "retry_delay": timedelta(minutes=10)}) as dag:
    asset_discovery = BashOperator(task_id="asset_discovery", bash_command="echo 'nmap/masscan sweep goes here'")
    vulnerability_scan, create_remediations, auto_remediate, generate_reports = [
        PythonOperator(task_id=name, python_callable=placeholder)
        for name in ("vulnerability_scan", "create_remediations", "auto_remediate", "generate_reports")]
    # Define workflow
    asset_discovery >> vulnerability_scan >> create_remediations >> auto_remediate >> generate_reports
```
Lessons Learned
1. Start with asset management
Discovery is the foundation. Continuous scans, CMDB reconciliation, ownership attribution, and decommission detection prevent ghost assets.
Automation milestones:
- 10 servers: Manual scanning, spreadsheets
- 100 servers: Automated schedules, API ticketing
- 1,000+ servers: Airflow orchestration, auto-remediation, ML prioritization
2. Context over severity
Critical vulnerability on dev server ≠ critical on production domain controller.
Prioritization factors:
- Asset criticality (production > development > test)
- Network exposure (internet-facing > DMZ > internal)
- Compensating controls (WAF, segmentation, EDR)
- Business impact (revenue systems prioritized)
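A risk scorer that applies the prioritization inputs from the Remediation Tracking section (CVSS, EPSS, CISA KEV, asset criticality) together with the context factors listed here (exposure, compensating controls, business impact), as an added example rather than the original post's code. The weights, multipliers and the three (vulnerability, asset) pairs are constructed assumptions; the point is the ordering they produce, where a KEV-listed CVSS 7.5 on a production domain controller outranks a CVSS 9.8 on a dev box or behind a WAF.

```python
# Weights and multipliers below are assumptions of this example, not values
# from the page; tune them against your own incident history.
CRITICALITY = {"production": 1.0, "development": 0.5, "test": 0.3}
EXPOSURE = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}
CONTROL_DISCOUNT = {"waf": 0.7, "segmentation": 0.8, "edr": 0.85}

def risk_score(vuln, asset):
    """Combine severity (CVSS), exploitation likelihood (EPSS, KEV) and
    asset context into a 0-100 priority score."""
    # EPSS is a 0-1 probability; a CISA KEV entry means confirmed exploitation,
    # so it overrides the EPSS estimate. A small floor keeps rare CVEs from scoring zero.
    likelihood = 1.0 if vuln.get("kev") else max(vuln["epss"], 0.05)
    severity = vuln["cvss"] / 10.0
    context = CRITICALITY[asset["tier"]] * EXPOSURE[asset["exposure"]]
    if asset.get("business_impact"):      # revenue or identity systems
        context = min(1.0, context * 1.2)
    for control in asset.get("controls", []):  # compensating controls reduce, never remove, risk
        context *= CONTROL_DISCOUNT.get(control, 1.0)
    return round(100 * severity * likelihood * context, 1)

def prioritize(pairs):
    """Return (score, asset, cve) tuples, highest priority first."""
    ranked = [(risk_score(v, a), a["name"], v["cve"]) for v, a in pairs]
    return sorted(ranked, reverse=True)

# Constructed sample: the kind of data the scanners and CMDB would supply.
PAIRS = [
    ({"cve": "CVE-2024-1111", "cvss": 9.8, "epss": 0.30, "kev": True},
     {"name": "dev-01", "tier": "development", "exposure": "internal"}),
    ({"cve": "CVE-2024-2222", "cvss": 7.5, "epss": 0.60, "kev": True},
     {"name": "dc-01", "tier": "production", "exposure": "internal", "business_impact": True}),
    ({"cve": "CVE-2024-3333", "cvss": 9.8, "epss": 0.02, "kev": False},
     {"name": "web-01", "tier": "production", "exposure": "internet", "controls": ["waf"]}),
]
```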
3. Measure what matters
Operational metrics:
- MTTD: <24 hours (critical assets)
- MTTR: <7 days (critical), <30 days (high)
- Coverage: >95% production assets
- False positives: <10% after tuning
- SLA compliance: By severity tier
- Remediation velocity: Vulnerabilities/week trending
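How the MTTD, MTTR, coverage and SLA-compliance figures above can be computed from normalized finding records, as an added example that is not the original post's code. MTTD is taken here as advisory publication to first detection and MTTR as detection to remediation (an assumption, since the page does not define the endpoints); the records and asset counts are constructed.

```python
from datetime import datetime
from statistics import mean

SLA_DAYS = {"critical": 7, "high": 30}  # page targets: critical <7d, high <30d

# Constructed records: advisory publication time, when our scanner first saw
# the finding, and when it was closed (None = still open).
RECORDS = [
    {"severity": "critical", "published": "2024-03-01T00:00", "detected": "2024-03-01T18:00",
     "remediated": "2024-03-05T12:00"},
    {"severity": "critical", "published": "2024-03-02T00:00", "detected": "2024-03-03T06:00",
     "remediated": "2024-03-11T00:00"},
    {"severity": "high", "published": "2024-02-10T00:00", "detected": "2024-02-10T09:00",
     "remediated": "2024-03-01T00:00"},
    {"severity": "high", "published": "2024-02-20T00:00", "detected": "2024-02-21T00:00",
     "remediated": None},
]
SCANNED_PRODUCTION, TOTAL_PRODUCTION = 190, 200  # constructed inventory counts

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mttd_hours(records, severity):
    """Mean time from advisory publication to detection by our scanners."""
    return mean(_hours(r["published"], r["detected"]) for r in records if r["severity"] == severity)

def _closed(records, severity):
    return [r for r in records if r["severity"] == severity and r["remediated"]]

def mttr_days(records, severity):
    """Mean time from detection to remediation, closed findings only."""
    return mean(_hours(r["detected"], r["remediated"]) / 24 for r in _closed(records, severity))

def sla_compliance(records, severity):
    """Share of closed findings remediated inside the SLA window."""
    closed = _closed(records, severity)
    within = [r for r in closed if _hours(r["detected"], r["remediated"]) / 24 < SLA_DAYS[severity]]
    return len(within) / len(closed)

def coverage(scanned, total):
    """Fraction of production assets with a completed scan in the period."""
    return scanned / total
```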
These align with SANS Vulnerability Management Maturity Model[13].
4. Integration is essential
Critical integration points:
- CMDB: Authoritative inventory, ownership, criticality
- Ticketing: GLPI/Jira/ServiceNow automation
- CI/CD: Container scanning, IaC policy, build breaks (see container security for runtime protection)
- SIEM/SOAR: Threat correlation, automated response (integrate with threat intelligence)
- Patch management: Verification, rollback
- Configuration: Ansible Tower/AWX remediation
- Cloud APIs: AWS Security Hub, Azure Security Center, GCP Command Center
Disconnected tools get abandoned.
Conclusion
Open source vulnerability management matches commercial capabilities with proper integration. Start with asset discovery and basic scanning, then add automation, integration, and advanced features incrementally.
For additional security monitoring, explore eBPF-based threat detection for kernel-level visibility, or adopt the practices in writing secure code to reduce vulnerabilities at the source.
Vulnerability management is a program, not a project. Build for sustainability, scalability, and automation from day one.
References
1. NIST National Vulnerability Database (NVD) - U.S. government repository maintaining 200,000+ CVE records with CVSS scores, Common Platform Enumeration (CPE) data, and remediation guidance. Serves as the authoritative source for vulnerability intelligence worldwide, providing the foundation for vulnerability correlation across scanning tools.
2. CISA Known Exploited Vulnerabilities (KEV) Catalog - Cybersecurity and Infrastructure Security Agency's catalog of 1,100+ vulnerabilities with confirmed active exploitation in the wild. Provides binding operational directives for federal agencies and best-practice prioritization guidance for all organizations, updated continuously as new exploits emerge.
3. FIRST.org CVSS v3.1 Specification - Industry standard severity scoring system maintained by the Forum of Incident Response and Security Teams (FIRST). Provides consistent vulnerability severity assessment across base score (inherent characteristics), temporal score (exploit availability), and environmental score (organizational impact).
4. FIRST.org Exploit Prediction Scoring System (EPSS) - Probability-based framework estimating the likelihood of vulnerability exploitation within 30 days. Uses machine learning models analyzing 1,000+ features including exploit code availability, social media mentions, and threat intelligence feeds to prioritize remediation beyond CVSS severity alone.
5. NIST Special Publication 800-53 Rev. 5 - Comprehensive security and privacy control catalog for federal information systems and organizations. Defines vulnerability scanning requirements (RA-5) including frequency, coverage scope, remediation tracking, and information sharing that form the compliance foundation for federal and many commercial vulnerability management programs.
6. Trivy - Container Vulnerability Scanner - Aqua Security's open source vulnerability scanner supporting container images, filesystems, Git repositories, and infrastructure as code. Detects OS packages (Alpine, RHEL, Debian, Ubuntu, etc.) and language-specific dependencies (npm, pip, Maven, etc.) with comprehensive CVE database coverage and SBOM generation capabilities.
7. Grype - Vulnerability Scanner for Container Images and Filesystems - Anchore's open source scanner providing fast vulnerability detection against multiple databases (NVD, GitHub Security Advisories, OS-specific feeds). Supports SBOM ingestion via Syft, making it ideal for CI/CD pipeline integration where build-time vulnerability blocking is required.
8. Greenbone Vulnerability Management (GVM) / OpenVAS - Comprehensive open source vulnerability scanner maintaining 90,000+ network vulnerability tests (NVTs). Provides authenticated and unauthenticated scanning, compliance policy checks, and extensive CVE coverage rivaling commercial platforms. The community edition offers full scanning capabilities without licensing restrictions.
9. OSV.dev - Open Source Vulnerabilities Database - Distributed vulnerability database aggregating data from GitHub Security Advisories, PyPI, RustSec, and other ecosystem-specific sources. Provides precise affected version ranges and a standardized JSON format ideal for automated tooling integration, particularly strong for open source dependency vulnerabilities.
10. Apache Airflow Documentation - Workflow orchestration platform enabling programmatic scheduling and monitoring of complex data pipelines. In vulnerability management contexts, Airflow DAGs coordinate multi-stage scanning workflows (discovery → scan → normalize → dedupe → ticket creation) with dependency management, retry logic, and detailed execution logging.
11. Wazuh Open Source Security Platform - Unified XDR and SIEM platform providing intrusion detection, vulnerability detection, compliance monitoring, and threat intelligence integration. Deploys agents to endpoints for continuous monitoring and integrates with vulnerability scanners to correlate detected vulnerabilities with actual exploitation attempts in real time.
12. OWASP Top 10 Web Application Security Risks - Open Web Application Security Project's definitive awareness document identifying the most critical security risks to web applications. Updated every 3-4 years based on data from 40+ organizations spanning 400,000+ applications, providing the vulnerability categories that web application scanners prioritize in their detection rules.
13. SANS Vulnerability Management Maturity Model - Framework for assessing and improving vulnerability management program maturity across five levels: initial (reactive, manual processes), developing (some automation, inconsistent coverage), defined (standardized processes, full asset coverage), managed (metrics-driven, SLA compliance), and optimized (continuous improvement, predictive analytics). Provides a roadmap for organizations evolving from ad-hoc scanning to enterprise-scale vulnerability programs.
Questions about scaling vulnerability management? Want to share your open source security stack? Let's connect and improve our collective security posture!