SLA SLO OKR and SLI for vulnerability management are still effective?

SLA

How do you measure and facilitate the best way resolution of vulnerabilities without crashing the spirit and soul of the development team with the dreaded sentence, fix vulnerabilities in X number of days? 

Let’s start by clarifying development teams have the will and spirit of writing perfect code and solving vulnerabilities. Businesses need to ship features fast to increase revenue, augment the sales surface, winning more clients. 

Those two elements have always been conflicting, and the security requirements (often not at the start of the project) is lacking in the objective of application owners or business. 

From this challenge, developers often lack the time and objectives to resolve vulnerabilities and bug fixes sprint by sprint. 

So how can this be fixed? In several days, security mandates to fix problems (vulnerabilities, bug fixes, misconfiguration, libraries). The resolution times, often called SLA, are usually not agreed upon in collaboration with CTO and the development team. 

This mandate often causes friction and frustration among everyone. 

I have been having conversations with different professionals and experts in the field and had more or less argumentative discussions around SLA, SLO and OKr in Vulnerability management, Application and cloud security.

This article will cover the complexity of the landscape and the significant difference between various “updating” strategies and elements to consider when setting SLA, SLO or grouping them.

We will explore how those metrics with a feedback loop between security and development teams can facilitate a conversation and turn the tide in a usually frustrating exchange. 

Definitions

Let’s start with definitions of SLA, SLO and what they are:      

  • A service-level agreement is a commitment between a service provider and a client. Particular aspects of the service – In our specific case, SLA stands for the number of days a particular vulnerability must be fixed.
  • A service-level objective is a critical element of a service-level agreement between a service provider and a customer – Similar to SLA but is not an agreement but rather an objective. 
  • SLI – I will skip it for now
  • OKr  – Objectives to achieve (specifically in the DevOps team (something like the number of vulnerabilities per spring
SLISLOSLA
DefinitionA quantifiable measure of reliabilityA target reliability level objectiveA legal contract or agreement that, if breached, will have penalties
ExampleThe number of vulnerabilities should be < 10 for every releaseCritical Vulnerabilities will be resolved in 28 days 95% of the timePublic available products will have 0 critical vulnerability upon release critical vulnerability disclosed will be solved in 10 days 
Who Sets itSecurity teams in collaboration with Product OwnersProduct owner in partnership with security teamsBusiness Development, Legal team, IT and Devsecops 
Vulnerability and SLA/SLO/SLI Descriptions

Vulnerability Landscape

The vulnerability landscape in modern organisations is complex; we can categorise the vulnerability types or misconfiguration in several categories. Vulnerabilities in the various categories have quite different behaviour and require different levels of attention.

We can categorise assets in the following categories:

  • Application security – Vulnerabilities that concern codes, libraries or similar 
  • Infrastructure Cloud security-related – vulnerabilities that concern images or similar infrastructure systems running in the cloud
  • Cloud security – misconfiguration of cloud systems (Key manager, S3) 
  • Network security / Cloud security – vulnerability affecting network equipment like WAF, Firewall, routers
  • Infrastructure security – Categorized as everything that supports an application to run that is traditionally Server, Endpoints, and similar systems
  • Containers vulnerabilities (somewhere in between application container/cloud security with running containers, image stores and the system that composes containers

The approach to measure the security posture and the security health of different elements that compose our approach is quite comprehensive, the picture below gives a good idea.

The resolution time, hence SLAs, is fairly different between assets in the various categories.

Following is an example of the tooling that traditionally detects vulnerabilities in various containers illustrated above.

Vulnerability Landscape

Fixing landscape  

Applying patches and mandating SLA seems straightforward, but in reality, many factors influencing, fixing and resolving vulnerabilities can be a bit of a learning curve/journey. 

The reason for such a complex landscape is because the factors that influence fixing systems and resolving vulnerabilities are many:

  • System Complexity
  • Different Layer of patches 
  • Testing is required and several teams/clients involved in testing 
  • Number of groups involved in the fix
  • Exposure to clients and criticality of systems (Downtimes allowed)
  • Maintenance windows

Moreover, fixing vulnerabilities in the various system should not be delegated to just one team but rather have an objective and measurable target to discuss in the context of risk. 

Some of those elements can be automated, but mostly not; every system has different contracts and requirements. Nonetheless, those can be fed as business requirements for SLA and determine the bucket or Categories of the system for SLA/SLO/OKr.

Usually, systems are categorised into

  • Critical system – uptime is vital, and windows for updating are tight
  • Medium criticality – uptime is essential, but windows for an update are more relaxed
  • Low criticality – downtime and update windows are very flexible.

Following several different elements to consider for patching and adjusting the time for SLA, SLO, and writing OKr. 

The following is to be taken as a guideline, not as an exhaustive list of topics.

Patching / Infrastructure 

  • SIMPLE – Patch (easy) upgrade with simple testing, maintained by only one team
  • SIMPLE/MEDIUM – Patching a system with some testing requirements maintained by one or two teams
  • COMPLEX – Complex system with multiple dependencies and configurations 
  • VERY COMPLEX – Complex system with various applications and multiple teams maintaining different parts and vast client surface 

Cloud

  • SIMPLE – updating a system rule in a register, settings in a cloud element (e.g. S3)
  • SIMPLE/MEDIUM – Changing the role, IAM rule, Permission rule
  • COMPLEX to VERY COMPLEX – Restructuring the architecture of a service, introducing controls, changing access methodologies, changing settings that involve user interaction

Containers

  • SIMPLE – library or dependency without significant impact
  • MEDIUM – changing a critical library or os that potentially breaks dependencies
  • COMPLEX – updating container image with multiple dependencies and different running containers utilising the image
  • VERY COMPLEX – updating a container’s image that is used widely across the organisation e.g. Linux, with the deprecation of a function utilized by one or multiple systems

Updating Libraries 

  • SIMPLE – updating a library without critical dependencies 
  • MEDIUM – changing a critical library that potentially breaks dependencies on one application
  • COMPLEX – Changing a library from minor to major version, with deprecated libraries that require swap of those functions in multiple parts of code
  • VERY COMPLEX – similar to complex, but when the number of teams is multiple and distributed 

Update Code/ Bug Fixing

  • SIMPLE – changing a simple variable, function with a minor regression testing
  • MEDIUM – changing a function or a section of code with medium impact in the individual file or limited number
  • COMPLEX- updating a major section of the code, changing inputs from one or multiple user perspectives that requires extensive testing

Security Timelines

Vulnerability Timeline
  • Discovery to Declaration to CVE – This timeline is usually the most dangerous and relates to the discovery of vulnerability – commonly in this timeline there is no patch available, and the systems are at risk for the so-called 0 days. 
  • Disclosure in the wild of vulnerability usually involves the vulnerability being disclosed widely on the web for various reasons, giving the vendor no chance to fix the vulnerability. The resolution time/mitigation time becomes critical. 
  • CVE Registration – The CVE register acknowledges the vulnerability, and the vulnerability does receive a specific code. 
  • PoC – Proof Of Concepts made available – usually, the PoC is a piece of code that exploits vulnerabilities in systems.
  • Vulnerability identified in network/container/code. 
  • The vulnerability being worked on by the team – Not all the time. A vulnerability/ patch is straightforward to fix. Sometimes, an update is quite straightforward and requires few updates; others require extensive testing and careful planning
  • The vulnerability is being remediated by the team.
  • Vulnerability remedy being confirmed (pentest, Security scanner).

Conclusion

Vulnerabilities are a complex matter and there is no one single answer that fits all.

Vulnerability resolutions and considerations around the vulnerabilities complexity of teams needs to be a collaborative process between the security team and the product/development team

Vulnerability prioritization and contextualization become key to free up the security team from deciding what to fix and what not to fix. Security teams can then turn into a more consultative and collaborative approach with the development team helping them succeed in deciding how to fix specific problems vs what to fix or not

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Phoenix Security’s Application Security Posture Management (ASPM) introduces Reachability Analysis and Contextual Deduplication to revolutionize vulnerability management. These features help security teams prioritize risks by correlating vulnerabilities from code to runtime, focusing on what’s exploitable. With contextual deduplication, Phoenix reduces vulnerability noise by up to 95%, ensuring only real threats are addressed. Stay ahead with 4D Risk Quantification, combining business criticality, network, and runtime reachability for smarter, more effective security.- Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
Enhance your vulnerability management with Application Security Posture Management (ASPM) and reachability analysis. Discover how ASPM helps prioritize exploitable vulnerabilities, reduce security noise, and improve risk management. Learn about advanced techniques like code and container reachability, contextual deduplication, and Phoenix Security’s cutting-edge solutions for smarter, more effective application security.
Francesco Cipollone
Our latest article explores how EPSS (Exploit Prediction Scoring System) and reachability analysis work together within Application Security Posture Management (ASPM) to optimize vulnerability prioritization. EPSS predicts exploit likelihood based on global threat data, while reachability analysis assesses if vulnerabilities are accessible in your specific environment. ASPM platforms like Phoenix Security integrate these insights, contextualizing vulnerabilities within the software stack to ensure that teams focus on actionable, relevant risks. By combining EPSS’s predictive power with reachability’s contextual focus, ASPM provides a holistic view, enabling security teams to prioritize vulnerabilities based on global trends, local relevance, and business impact. This approach is especially effective for high-risk vulnerabilities like Remote Code Execution (RCE), where EPSS highlights potential threats and reachability analysis confirms their presence in the application path. Phoenix Security’s 4D risk formula further refines prioritization, considering severity, reachability, threat intelligence, and deployment context. This dual-layered strategy empowers organizations to strengthen security posture, minimize noise, and act on the vulnerabilities that truly matter.- Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Francesco Cipollone
Phoenix Security ASPM Version 3.30.0 Release – Phoenix Security has partnered with Arnica to deliver expanded cloud and application security capabilities, enhancing the platform with Software Composition Analysis (SCA), credential scanning, secrets detection, and Static Application Security Testing (SAST). This powerful integration further strengthens Phoenix Security’s ASPM offering, enabling seamless risk-based prioritization and real-time vulnerability management across GCP, AWS, and Azure environments.
Alfonso Eusebio
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO