Further Reading: Vulnerability Management

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 24. The single most valuable habit you can build from this chapter is checking the CISA KEV catalog against your own environment — start there.

Suggested order

  1. Bookmark and skim the CISA KEV catalog — see what is being actively exploited today. This is the chapter's single most actionable resource.
  2. Read the FIRST EPSS documentation to understand the likelihood signal, then the FIRST CVSS specification to see exactly what severity does and does not capture.
  3. Read NIST SP 800-40 for the program/lifecycle framing of patch and vulnerability management.
  4. Keep the Security+ or CISSP material on vulnerability management nearby as exam reference.

Standards & primary documents (Tier 1)

  • CISA, Known Exploited Vulnerabilities (KEV) Catalog (continuously updated). 🛡️🏗️📋 The live list of vulnerabilities with evidence of active exploitation, with remediation due dates. The concrete antidote to treating all vulnerabilities as equal; cross-reference it against your assets and exceptions. The highest-signal free resource in this whole chapter.
  • FIRST, Common Vulnerability Scoring System (CVSS) specification. 🏗️📜 The authoritative definition of how severity is scored, including the Base/Temporal/Environmental metric groups of v3.1 (v4.0 renames Temporal to Threat and adds Supplemental metrics, so check which version a score was computed under before comparing two of them). Read it to understand precisely why CVSS is severity, not priority, and how the Environmental metrics let you adjust a score for your own context.
  • FIRST, Exploit Prediction Scoring System (EPSS) model and documentation. 🛡️🏗️ The data-driven model that estimates probability of exploitation in the next 30 days. Read the FAQ/model description to see why combining EPSS with CVSS dramatically outperforms CVSS alone for prioritization.
  • NIST SP 800-40 (Rev. 4), Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. 🏗️📋📜 The authoritative U.S. guidance on patch and vulnerability management as a program — risk response, maintenance planning, and metrics. Directly underpins §23.1 and §23.4.
  • NIST SP 800-30 (Rev. 1), Guide for Conducting Risk Assessments. 📋 The risk vocabulary (likelihood × impact) that risk-based prioritization rests on; first met in Chapter 1, central again here. Returns in Chapter 27.
  • CIS Controls v8 — Control 7 (Continuous Vulnerability Management). 🏗️📋📜 A concise, prescriptive set of safeguards for running the lifecycle (scan cadence, remediation timelines, authenticated scanning). An excellent checklist to benchmark a program against.
  • Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 The evidence base for this chapter's central claim — that exploitation of known, unpatched vulnerabilities remains a leading breach pattern. Read the "ways in" / vulnerability-exploitation sections.
  • PCI DSS v4.0 (Requirement 6.3 on identifying and patching vulnerabilities, Requirement 11.3 on internal and external scanning). 📋📜 The regulatory floor for vulnerability scanning and patching that applies to Meridian's cardholder data environment — useful precisely as an example of a minimum bar your real SLAs should beat (Theme 5).

Books & longer references (Tier 1 / Tier 2)

  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Clear, exam-aligned coverage of CVE, CVSS, scanning types, and the vulnerability-management process; the fastest path to the testable facts.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 Broader and deeper on security assessment & testing and risk acceptance; use the relevant domains alongside this chapter.
  • Anderson, R., Security Engineering (3rd ed.). 🏗️ For the deeper "why" — how known weaknesses persist in real systems and the economics of why organizations under-patch. Dip into the relevant chapters; a career-long reference. (Tier 1 as a book; specific claims should be checked.)

Free online & talks (Tier 1 / Tier 2)

  • The official Apache Log4j security advisory for CVE-2021-44228. 🛡️🏗️ The primary source for this chapter's anchor: the flaw, the affected versions, and the official mitigations (the JndiLookup-class removal and the configuration-flag approach the Meridian case used). Read the vendor advisory, not third-hand summaries, and read it to the end: the advisory itself records that the log4j2.formatMsgNoLookups flag was later found insufficient in some configurations (tracked as CVE-2021-45046), which is why upgrading or removing JndiLookup is the durable fix.
  • The NVD entry (and the MITRE CVE record) for CVE-2021-44228. 🛡️📜 See a real CVE entry end to end: the MITRE record carries the description and references, and the NVD entry adds the CVSS vector and the CPE applicability data — the canonical example of the CVE/CVSS pairing this chapter dissects.
  • OWASP — Vulnerability Management Guide and dependency-related projects (e.g., Dependency-Check). 🏗️ Application-security-flavored vulnerability management; the bridge between Chapter 12's SCA/SBOM ideas and this chapter's lifecycle. Browse to connect the two.
  • CISA, Binding Operational Directive 22-01 (the directive behind KEV). 📋📜 Explains why KEV exists and how it sets mandatory remediation timelines for U.S. federal agencies — and why everyone else treats it as a strong signal. Short and clarifying.

Tools to explore (in your own lab only)

  • OpenVAS / Greenbone, or Nessus Essentials. 🛡️🏗️ Run an authenticated and an unauthenticated scan against a deliberately vulnerable VM you own and compare. The single best way to internalize §23.2's depth-vs-exposure distinction.
  • A KEV-checking habit / script. 🛡️ Periodically diff your asset/software inventory against the KEV catalog. This is, in miniature, the control whose absence breached Northgate in Case Study 2 — build the reflex now.
  • An SBOM generator (e.g., a CycloneDX or SPDX tool). 🏗️ Generate a software bill of materials for one of your own projects and search it for a specific library. This is the capability that would have made Meridian's Log4Shell discovery take minutes instead of hours (full treatment in Chapter 29).
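
A minimal version of the KEV-diff habit described in the second item above (and of the "cross-reference it against your assets and exceptions" advice under Tier 1), as an added example written for this chapter rather than code from CISA or from any scanner. The KEV excerpt and the inventory are constructed samples in the shape of the real catalog feed and of a scanner export; the feed URL in the docstring is the catalog's published location, and the `CVE-0000-*` IDs, the `kev_report` function and the flag names are this example's own assumptions.

```python
"""Diff a vulnerability inventory against the CISA KEV catalog.

Added example for this chapter, not CISA code. KEV_FEED below is a
constructed excerpt in the shape of the catalog's JSON feed (the live feed
is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
FINDINGS is a constructed scanner-style export. The CVE-0000-* IDs are
placeholders for this example, not real CVEs.
"""
import json
from datetime import date

KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "vulnerabilityName": "Placeholder entry", "dateAdded": "2022-01-11",
         "dueDate": "2022-02-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: one row per (host, CVE), as a scanner export would give it.
# status "exception" means the finding sits under an accepted-risk exception.
FINDINGS = [
    {"host": "web-01",   "cve": "cve-2021-44228 ", "status": "open"},
    {"host": "batch-02", "cve": "CVE-2021-44228",  "status": "exception"},
    {"host": "web-01",   "cve": "CVE-0000-0002",   "status": "open"},
    {"host": "db-01",    "cve": "CVE-0000-0003",   "status": "open"},  # not in KEV
]

TODAY = date(2022, 1, 15)  # pinned so the example is reproducible


def normalize_cve(cve_id: str) -> str:
    """Scanner exports vary in case and whitespace; KEV uses upper-case IDs."""
    return cve_id.strip().upper()


def load_kev(feed_text: str) -> dict:
    """Index the catalog by CVE ID so each finding is a single lookup."""
    catalog = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_report(feed_text: str, findings: list, today: date) -> list:
    """Return every inventory finding that is in KEV, most urgent first.

    Flags: overdue (past the catalog's due date), ransomware (catalog marks
    known ransomware use) and exception (the finding sits under an
    accepted-risk exception, which KEV membership should send back for review).
    """
    kev = load_kev(feed_text)
    hits = []
    for finding in findings:
        cve = normalize_cve(finding["cve"])
        entry = kev.get(cve)
        if entry is None:
            continue  # vulnerable perhaps, but not known-exploited: normal SLA applies
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": finding["host"],
            "cve": cve,
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "exception": finding.get("status") == "exception",
        })
    # Overdue items first, then by due date, then by host for a stable listing.
    hits.sort(key=lambda h: (not h["overdue"], h["due"], h["host"]))
    return hits


def run_example() -> list:
    return kev_report(KEV_FEED, FINDINGS, TODAY)


if __name__ == "__main__":
    for hit in run_example():
        flags = [name for name in ("overdue", "ransomware", "exception") if hit[name]]
        print(f"{hit['host']:10} {hit['cve']:16} due {hit['due']}  {hit['product']}  "
              f"{' '.join(flags).upper()}")
```

The finding on batch-02 is the interesting row: it is under an exception, yet it is overdue against KEV and marked for ransomware use, so the script surfaces it first rather than hiding it behind the exception. Matching is done on CVE ID from scanner or SBOM-derived findings rather than on KEV's vendor/product strings, which are free text and not reliable for automated matching.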

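An SBOM search of the kind the last item describes, as an added example written for this chapter (not code from any SBOM generator or from the CycloneDX project): it walks a CycloneDX JSON document, including components nested inside other components, and finds a library by name, recovering the group from the purl when the component omits it. The SBOM below is a constructed sample, and `find_library`, `parse_purl` and `walk` are this example's own helpers.

```python
"""Search a CycloneDX SBOM for a specific library, including nested components.

Added example for this chapter, not code from any SBOM tool. SBOM_JSON is a
constructed CycloneDX 1.4 document with sample component names and versions.
Only nesting via a component's own "components" list is walked; the separate
"dependencies" graph that CycloneDX also allows is not consulted here.
"""
import json
from typing import Optional

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "payments-api",
                               "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "http-kit", "version": "5.1.0",
         "purl": "pkg:maven/com.example/http-kit@5.1.0?type=jar"},
        {"type": "library", "group": "com.example", "name": "audit-client", "version": "1.8.0",
         "purl": "pkg:maven/com.example/audit-client@1.8.0",
         # Transitive dependency: the place a vulnerable library usually hides.
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
              "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
              "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
         ]},
        # Some generators omit "group"; the purl still carries the namespace.
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    body = purl.removeprefix("pkg:").split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    segments = path.split("/")
    return {
        "type": segments[0],
        "namespace": "/".join(segments[1:-1]) or None,
        "name": segments[-1],
        "version": version or None,
    }


def walk(components: list, path: tuple):
    """Yield (path, component) for every component, depth first."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def find_library(sbom_text: str, name: str, group: Optional[str] = None) -> list:
    """Return every component whose name (and optionally group) matches."""
    sbom = json.loads(sbom_text)
    root = (sbom.get("metadata", {}).get("component", {}).get("name", "<root>"),)
    matches = []
    for path, comp in walk(sbom.get("components", []), root):
        if comp.get("name", "").lower() != name.lower():
            continue
        purl = parse_purl(comp["purl"]) if comp.get("purl") else {}
        comp_group = comp.get("group") or purl.get("namespace")
        if group is not None and comp_group != group:
            continue
        matches.append({
            "path": path,
            "group": comp_group,
            "name": comp["name"],
            "version": comp.get("version") or purl.get("version"),
        })
    return matches


def run_example() -> list:
    return find_library(SBOM_JSON, "log4j-core", group="org.apache.logging.log4j")


if __name__ == "__main__":
    for m in run_example():
        print(f"{m['group']}:{m['name']}@{m['version']}  via {' > '.join(m['path'])}")
```

The path in each match is what turns "we have log4j-core somewhere" into "audit-client pulls in log4j-core 2.14.1", which is the question an incident lead actually needs answered. Version comparison against an advisory's affected range is deliberately left to the reader, since range semantics differ per ecosystem.
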
⚖️ Authorization & Ethics reminder: Scanners and exploit-prediction data can be misused. Scan only systems you own or are explicitly authorized to test; an unauthorized scan can itself be a crime (Chapter 39). Study exploitation behavior — like Log4Shell's JNDI callback — to detect and defend against it, never to reproduce it against systems that are not yours.