Why vulnerability management is more than just a checkbox
- 4 min read
- 15 Apr 2026
How a “low risk” turns into an incident
By Sanne Kuijpers, DevSecOps Specialist and Head of Growth at Cyberella
Vulnerability management is finally getting more attention within organizations, and soon it will even become mandatory: from September 2026 onwards, organizations must be able to demonstrate that they have a process in place to manage vulnerabilities and that they comply with the applicable regulation for digital products, the Cyber Resilience Act (CRA).
That’s a good thing. At the same time, it’s a bit unfortunate that these kinds of measures need to be enforced, instead of organizations recognizing their importance on their own. Because in the end, it’s not about having to do it, but about understanding why you would want to. In my view, that’s where it starts.
From my experience, good security begins with that understanding. If you know why something matters, you’ll do it better. Otherwise, it quickly turns into a checklist exercise, where boxes are ticked without really understanding what they mean. And that’s how risks remain.
Don’t get me wrong: enforcing compliance definitely has its advantages; it creates urgency and priority. But the real value lies in what comes after that.
What does good vulnerability management look like?
Vulnerability management basically means continuously looking for weak spots (vulnerabilities) in your software and fixing them as quickly as possible.
You can compare it to maintaining a house. You check for cracks, leaks, or anything else that needs attention. The condition of the roof, for example, or the lock on the door. When you find something, you assess how serious it is and prioritize it. If it’s urgent, you fix it before it gets worse or someone takes advantage of it.
After some time, you check again to see if your fix was effective and whether new issues have appeared. That’s how you keep your house in good condition and make sure it remains safe, both literally and figuratively.
Software works the same way. It’s not a one-time activity, but a continuous cycle of finding, assessing, fixing, and verifying.
How do you approach this in a structured way?
It helps to use a framework, such as OWASP SAMM. I use a checklist based on this model to ask structured questions and assess the maturity of systems and processes.
According to OWASP SAMM, vulnerability management is not a standalone activity, but part of your daily way of working. It falls under the Operations practices and focuses on setting up a structured process for handling vulnerabilities, from receiving reports, to assessing risks, to fixing them and communicating about them.
SAMM mainly emphasizes:
- clear processes and responsibilities (who does what?)
- risk-based prioritization (not everything is equally urgent)
- learning from vulnerabilities to prevent recurrence
In other words: it’s not just about fixing findings, but about continuously improving both your software and your process.
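As an added illustration (not code from the post, OWASP SAMM, or Cyberella), the three SAMM points above can be turned into a minimal backlog review: each finding carries a severity, an owner, a remediation deadline, and a status that only closes after re-testing, and the review flags anything with no owner, past its deadline, deferred without a recorded risk acceptance, or fixed but never verified. The deadline figures, field names, and sample findings are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to fix a finding, per severity (constructed policy values, not SAMM's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
VERIFY_WITHIN_DAYS = 14  # how long a "fixed" finding may wait to be re-tested

@dataclass
class Finding:
    fid: str
    severity: str                        # critical / high / medium / low
    reported: date
    owner: str | None = None             # None: nobody has taken ownership
    status: str = "open"                 # open -> fixed -> verified
    fixed_on: date | None = None
    deferred_to: str | None = None       # release the fix was pushed to, if any
    risk_accepted_by: str | None = None  # who signed off on the deferral

    def deadline(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

def review(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Map finding id -> reasons it needs escalation; verified findings pass."""
    flags: dict[str, list[str]] = {}
    for f in findings:
        if f.status == "verified":
            continue
        reasons = []
        if f.owner is None:
            reasons.append("no owner assigned")
        if f.status == "open" and today > f.deadline():
            reasons.append(f"past remediation deadline {f.deadline()}")
        if f.deferred_to and f.risk_accepted_by is None:
            reasons.append(f"deferred to {f.deferred_to} without risk acceptance")
        if f.status == "fixed" and f.fixed_on and (today - f.fixed_on).days > VERIFY_WITHIN_DAYS:
            reasons.append("fixed but not re-tested")
        if reasons:
            flags[f.fid] = reasons
    return flags
# Constructed sample backlog for the illustration; these are not real findings.
SAMPLE = [
    Finding("F-1", "low", date(2026, 3, 1), deferred_to="release 2.4"),  # unowned "low", pushed out
    Finding("F-2", "high", date(2026, 2, 1), owner="team-api"),
    Finding("F-3", "medium", date(2026, 1, 10), owner="team-web", status="fixed", fixed_on=date(2026, 3, 20)),
    Finding("F-4", "critical", date(2026, 4, 1), owner="team-auth", status="verified"),
]
REVIEW_DATE = date(2026, 4, 15)  # "today" for the sample review
def sample_review() -> dict[str, list[str]]:
    return review(SAMPLE, REVIEW_DATE)
```

Running `sample_review()` flags F-1 twice (no owner, deferred without sign-off), which is exactly the finding that would otherwise linger until it becomes an incident.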
Where things go wrong in practice
In practice, this is where things often go wrong. I once came across a vulnerability that was clearly there from a technical perspective, but no one really felt ownership of it. The risk was classified as “low,” and the issue got pushed to the next release, eventually even making its way toward production. Two weeks later, that exact vulnerability led to an incident.
This shows what vulnerability management is really about: not just finding vulnerabilities, but who takes ownership, how the risk is assessed, and when it actually needs to be fixed.
That’s also what OWASP SAMM emphasizes: the importance of clear processes and ownership. Without clear agreements on reporting, prioritization, and follow-up, vulnerabilities tend to linger and only get taken seriously when it’s already too late.
And that’s exactly where I see the value of the new regulations for digital products: vulnerability management finally gets the urgency and attention it deserves.
Curious how your organization is doing when it comes to vulnerability management maturity? Feel free to reach out for an informal conversation or take a look at our checklist first.