Vulnerabilities: Weaknesses That Enable Attacks

Vulnerabilities are the specific weaknesses that attack vectors exploit to compromise assets. They exist at multiple levels within systems and processes, from coding errors to architectural flaws to human procedural failures. Effective threat modeling requires understanding different vulnerability types and their potential impact on your specific environment.

Software vulnerabilities stem from coding errors, design flaws, or implementation mistakes. These range from simple input validation failures to complex race conditions or cryptographic weaknesses. The Common Vulnerabilities and Exposures (CVE) database catalogs thousands of known vulnerabilities, but zero-day vulnerabilities—those unknown to vendors and security communities—pose particular challenges. Threat modeling must consider both known vulnerabilities requiring patching and the possibility of unknown vulnerabilities requiring compensating controls.

Configuration vulnerabilities arise from improperly configured systems, applications, or security controls. Default passwords, unnecessary services, overly permissive access controls, and missing encryption represent common configuration issues. Cloud environments introduce new configuration challenges with their complex permission models and shared responsibility frameworks. These vulnerabilities often provide easier attack paths than software exploits while being entirely preventable through proper configuration management.

Process vulnerabilities exist in organizational procedures and human activities. Weak password policies, inadequate access reviews, poor change management, or insufficient security awareness training create opportunities for attackers. These vulnerabilities might not appear in automated scans but can be even more critical than technical flaws. A robust password policy means little if employees routinely share credentials or write them on sticky notes.