What is vulnerability management as a lifecycle (discover, prioritise, remediate, verify)? [Intermediate]
Answer
Vulnerability management is a lifecycle: discover assets and findings, normalize/deduplicate them, prioritize by risk, assign ownership, remediate or mitigate, verify closure, and report trends. It is continuous because new vulnerabilities appear after software is already deployed.
Technical explanation
Discovery includes code dependencies, images, hosts, cloud resources, Kubernetes clusters, and SaaS assets.
Prioritization should combine severity, exploitability, exposure, asset criticality, and compliance obligations.
Verification is essential; closing a ticket is not enough unless a rescan or evidence proves the vulnerability is gone or controlled.
Hands-on example
Lifecycle example: scanner finds CVE -> platform deduplicates by image digest -> risk engine enriches with KEV/EPSS/exposure -> Jira ticket assigned to an owner -> owner patches dependency -> CI rebuilds image -> deployment rolls out -> rescan verifies the fix -> dashboard updates MTTR.
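The dedupe, prioritise, verify and MTTR steps of that chain, as an added example that is not code from the original page: the findings, the KEV set, EPSS scores, exposure and criticality are constructed sample data, and the scoring weights are an illustrative assumption rather than any standard formula.

```python
"""Added example, not code from the page: toy lifecycle dedupe -> prioritise -> verify -> MTTR.
Findings, KEV set, EPSS scores, exposure and criticality are constructed data; the
scoring weights are an illustrative assumption, not a standard."""
from datetime import date
# Constructed scanner output: the same digest scanned twice yields a duplicate, and
# CVE-0000-0002 has a lower CVSS but is in KEV and internet-facing.
FINDINGS = [
    {"cve": "CVE-0000-0001", "image": "app/api", "digest": "sha256:aaa", "cvss": 9.8, "found": "2024-01-01"},
    {"cve": "CVE-0000-0001", "image": "app/api", "digest": "sha256:aaa", "cvss": 9.8, "found": "2024-01-02"},
    {"cve": "CVE-0000-0002", "image": "app/web", "digest": "sha256:bbb", "cvss": 7.5, "found": "2024-01-01"},
    {"cve": "CVE-0000-0003", "image": "app/api", "digest": "sha256:aaa", "cvss": 5.3, "found": "2024-01-03"},
]
KEV = {"CVE-0000-0002"}                                   # constructed "known exploited" list
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.60, "CVE-0000-0003": 0.01}
EXPOSURE = {"app/api": "internal", "app/web": "internet"}
CRITICALITY = {"app/api": 2, "app/web": 3}                # 1 = low .. 3 = high

def dedupe(findings):
    """Collapse duplicates on (CVE, image digest), keeping the earliest detection date."""
    unique = {}
    for f in findings:
        key = (f["cve"], f["digest"])
        if key not in unique or f["found"] < unique[key]["found"]:
            unique[key] = f
    return list(unique.values())

def risk_score(f):
    """Illustrative weighting: severity x exploitability x exposure x asset criticality."""
    exploit = 1.0 if f["cve"] in KEV else 0.5 + EPSS.get(f["cve"], 0.0)
    exposure = 2.0 if EXPOSURE.get(f["image"]) == "internet" else 1.0
    return round(f["cvss"] * exploit * exposure * CRITICALITY.get(f["image"], 1), 1)

def prioritise(findings):
    """Deduplicated findings, highest risk first: this is the remediation queue."""
    return sorted(dedupe(findings), key=risk_score, reverse=True)

def verify(queue, rescan):
    """Close a finding only if the rescan of the rebuilt image no longer reports it."""
    still_reported = {(f["cve"], f["image"]) for f in rescan}
    closed = [f for f in queue if (f["cve"], f["image"]) not in still_reported]
    still_open = [f for f in queue if (f["cve"], f["image"]) in still_reported]
    return closed, still_open

def mttr_days(closed, verified_on):
    """Mean time to remediate: first detection to verified closure, in days."""
    days = [(date.fromisoformat(verified_on) - date.fromisoformat(f["found"])).days for f in closed]
    return sum(days) / len(days) if days else 0.0

# Constructed rescan of the rebuilt app/api image (new digest): only CVE-0000-0003 remains.
RESCAN = [{"cve": "CVE-0000-0003", "image": "app/api", "digest": "sha256:ccc", "cvss": 5.3, "found": "2024-01-11"}]
```

Note that the KEV-listed, internet-facing CVE with CVSS 7.5 outranks the CVSS 9.8 finding on an internal asset, and that a finding is only closed when the rescan stops reporting it, not when the ticket is resolved.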