On 2025-08-31
by Pierre-Louis Gensou & Dennis Lay, Vulnerability Analysts
Cybersecurity

Airbus Protect explains: Vulnerability Management


What is vulnerability management?

Vulnerability management has become indispensable for large organisations. It’s not a one-off cybersecurity action, but rather a continuous cycle of prevention, detection, remediation, and monitoring that adapts a company’s defences to evolving threats. Airbus Protect’s Threat Management Centre (TMC) team categorises vulnerability activities into two distinct areas: passive vulnerability management and active vulnerability management.

Passive Vulnerability Management

Passive vulnerability management enables us to identify and address vulnerabilities impacting the project components we monitor. When a security vulnerability is deemed relevant, our team drafts a security bulletin for clients, detailing affected components, necessary patches, and the severity level for the project. This is considered passive vulnerability management because it’s not a proactive monitoring approach, and we don’t scan assets ourselves.

Before issuing a security bulletin, our team waits for a vulnerability to be listed by a vendor (Microsoft, Cisco, Red Hat, etc.) or by authorities (e.g., CERT-FR, CISA, NIST).


Aggregating Collected Information

Our cross-functional working group, COBRA, comprises vulnerability and intelligence specialists who play a crucial role in centralising vulnerability information to identify emerging threats. COBRA retrieves technical data from specialised sources, vulnerability databases, and cyber intelligence feeds. Our toolset allows for automated monitoring of hundreds of information sources, including specialised blogs, security websites, and official publications. Finally, the passive vulnerability team supplements this with manual research and monitoring of non-automated channels.

All this data is then aggregated into a centralised platform, analysed, and correlated to filter relevant information, identify critical vulnerabilities, and provide contextualised alerts to security teams. This approach ensures a comprehensive, near real-time view of the threat landscape, while prioritising actions based on the risk level and criticality of the affected assets.


Creating and Updating Security Bulletins

When a security flaw is relevant, team members draft a security bulletin for clients, explaining in detail which components are impacted, which patches need to be installed, and the criticality level for the project. Bulletins are then regularly updated to reflect evolving knowledge: patch releases, new active exploits, changes in impact analysis, etc. This keeps security teams informed with the latest information, allowing them to prioritise their actions effectively.

CPE (Common Platform Enumeration) is a standardised identifier used to precisely describe software, operating systems, or hardware affected by a vulnerability. When creating or updating an ADSC bulletin, it’s essential to include the associated CPEs. This enables automated linking of vulnerabilities to assets within an organisation’s infrastructure via vulnerability management tools.

By integrating accurate and relevant CPEs, the ability to automatically detect vulnerable systems is significantly enhanced, which accelerates the identification of areas needing remediation and strengthens the relevance of generated alerts.


CPE Version 2.3 Fields and Their Meaning

This standard is a structured naming system, managed by MITRE, used to uniquely identify software and hardware platforms by assigning a standardised identifier to each specific product or version. We identify all vulnerabilities affecting this product version, then draft the security bulletin, which is sent to inform our clients of specific risks and mitigation steps.
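As an added example (not Airbus Protect’s tooling and not the ADSC bulletin format), the following Python parses CPE 2.3 formatted strings, whose eleven colon-separated fields are part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw and other, and matches the CPEs from a bulletin against a constructed asset inventory to show the automated vulnerability-to-asset linking described above.

```python
# Added example (not Airbus Protect's tooling): parse CPE 2.3 formatted strings and
# match the CPEs a bulletin lists against an asset inventory. All names are constructed.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(name: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named fields.
    Fields are colon-separated; a literal colon inside a value is escaped as '\\:',
    so the split skips backslash-escaped characters."""
    prefix = "cpe:2.3:"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    fields, current, escaped = [], [], False
    for ch in name[len(prefix):]:
        if not escaped and ch == ":":
            fields.append("".join(current))
            current = []
            continue
        current.append(ch)
        escaped = (ch == "\\") and not escaped
    fields.append("".join(current))
    if len(fields) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} fields, got {len(fields)}: {name!r}")
    return dict(zip(CPE_FIELDS, fields))

def field_matches(bulletin_value: str, asset_value: str) -> bool:
    """'*' (ANY) in the bulletin matches everything. An inventory field still set to
    '*' is unknown and is treated as a match: a false positive is cheaper than a
    missed vulnerable host. Other values compare case-insensitively."""
    if bulletin_value == "*" or asset_value == "*":
        return True
    return bulletin_value.lower() == asset_value.lower()

def cpe_matches(bulletin_cpe: str, asset_cpe: str) -> bool:
    b, a = parse_cpe23(bulletin_cpe), parse_cpe23(asset_cpe)
    return all(field_matches(b[f], a[f]) for f in CPE_FIELDS)

def affected_assets(bulletin_cpes, inventory):
    """Return the (hostname, cpe) inventory entries matched by any bulletin CPE."""
    return [(host, cpe) for host, cpe in inventory
            if any(cpe_matches(b, cpe) for b in bulletin_cpes)]

# Constructed sample data: one bulletin CPE and a three-host inventory.
BULLETIN_CPES = ["cpe:2.3:a:examplecorp:webapp:2.4.1:*:*:*:*:*:*:*"]
INVENTORY = [
    ("web-01", "cpe:2.3:a:examplecorp:webapp:2.4.1:*:*:*:*:linux:x64:*"),
    ("web-02", "cpe:2.3:a:examplecorp:webapp:2.5.0:*:*:*:*:linux:x64:*"),
    ("db-01", "cpe:2.3:a:examplecorp:dbserver:2.4.1:*:*:*:*:*:*:*"),
]
```

A single CPE names one exact version, so a bulletin that covers a version range has to carry that range separately; the wildcard match above cannot express "all versions before 2.4.2".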

Once a security bulletin has been received, a contextual analysis is performed to evaluate the actual impact on the monitored projects. It aims to identify the vulnerable components (software, OS, libraries, etc.) and then analyse their role within the project’s specific environment. This approach allows for a better understanding of risks and prioritisation of corrective measures.


Risk Qualification within Each Impacted Project

When we talk about a vulnerability, we’re actually referring to a specific entry in the CVE (Common Vulnerabilities and Exposures) list. This system provides a method for publicly sharing information about cybersecurity vulnerabilities and exposures. Each vulnerability has a unique identifier (its CVE ID) that differentiates it for monitoring purposes.

When analysts assess a vulnerability, they use a centralised methodology known as CVSS (Common Vulnerability Scoring System) to ensure consistency. CVSS scores each vulnerability from 0 to 10, capturing its impact, how it can be exploited, and its potential severity. The score is built from three metric groups:


Base Score: This score is calculated from several sub-scores. For example, from where can this vulnerability be exploited (physical access, an adjacent local network, or the internet)? How complex is the attack? Does the attacker need to be authenticated? And what impact does it have on the three core principles of information security: confidentiality, integrity, and availability? Once calculated, a vulnerability’s base score remains constant.

Temporal Score: This score changes over the lifetime of a vulnerability. For example, have patches been released? Have attackers developed new exploits?

Environmental Score: This is the most variable score. The impact of a CVE can vary depending on the specific company or project being monitored. For instance, if a network is isolated from the outside world by its configuration, then a vulnerability with a local attack vector will present minimal risk. These metrics differentiate the importance of each component or group of components within the system and are usually calculated upstream by our clients.

For each affected project, the potential impact of the vulnerability is assessed by considering factors such as system criticality, data handled, affected users, and potential access to sensitive resources. Based on this, risks are qualified and prioritised by assigning a criticality score (e.g., using the CVSS system). This determines which vulnerabilities should be addressed first and how resources should be allocated to respond effectively to the threat.

The team also updates the scope of critical and vulnerable systems using dedicated tools and offers personalised technical support. Furthermore, they actively communicate with clients and partners, providing clear advice and explanations on security reports, new threats, and recommended practices, thereby fostering informed decisions to strengthen their security.


Active Vulnerability Management

Active vulnerability monitoring utilises completely different tools. In this case, we monitor our clients’ information systems using a detection tool that probes the perimeter for vulnerabilities. The goal is to identify them and inform clients that they need to apply patches as quickly as possible. We then help clients implement a comprehensive strategy to enhance the security of their information system (IS). This means not only detecting and managing vulnerabilities but also reducing overall exposure to cyberattacks, whether from external sources (hackers, malware) or internal ones (human error, misconfiguration). To achieve this, we offer consulting, analysis, and vulnerability management services, while also helping our clients adopt proactive practices to secure their systems.

Each perimeter (network, web applications, cloud infrastructure, etc.) has its own vulnerabilities and challenges, so our approach is always customised. The Active Vulnerability team therefore provides technical support to resolve issues and optimise tools, supports Proof of Concept (POC) phases to demonstrate the suitability of a given solution, and actively participates in the deployment of new solutions, ensuring a smooth and personalised integration.


For critical security flaws, rapid action is imperative. The goal is to block exploitation and ensure business continuity. To this end, asset prioritisation is essential. Focusing efforts on the most critical systems, applications, and data (financial information, personal data) optimises resource allocation and maximises risk reduction. The criteria include criticality, connectivity, and likelihood of attack.

Mitigation Strategies: Temporary Solutions to Limit Risks

While waiting for permanent patches, temporary mitigation measures are indispensable. Strengthening access controls, network segmentation, intrusion detection systems, and strict filtering all serve as barriers to reduce the attackers’ window of opportunity.

Conclusion: Proactivity, Collaboration and Vigilance, the Keys to Robust Cybersecurity

Proactive vulnerability management is essential for large organisations. Continuous identification, rigorous assessment, and rapid response are crucial to protect the organisation, preserve trust, and ensure compliance. Close collaboration between vulnerability management experts and the CSIRT (Computer Security Incident Response Team) and SOC (Security Operations Centre) is fundamental for a coordinated and effective response to incidents, thereby strengthening the organisation’s defences.

