How I Manage Security Vulnerabilities Faster with Faros AI

Author: Omree Gal-Oz, Security Ops Engineer at Faros AI

Date: May 23, 2025 | Read Time: 8 min


Managing Security Vulnerabilities as a DevSecOps Engineer

Security Operations Engineers face a constant stream of new vulnerabilities, each requiring rapid assessment and patching across diverse teams and services. For example, a critical curl vulnerability may require patching 11 images owned by 8 different people, with compliance deadlines and the risk of overlapping new vulnerabilities (like libxml) complicating coordination.

Effective management at scale demands structured, reliable data—enabling faster assignment, patch cycles, and fewer overdue issues.

Key Challenges in Security Vulnerability Management

  • Assigning vulnerabilities to the right engineers: Manual spreadsheets quickly become outdated as teams and services evolve.
  • Reducing notification noise: Engineers need timely, relevant alerts—not redundant reminders.
  • Automating resolution of outdated tasks: Closing tasks automatically when vulnerabilities are no longer present in production images.

How Faros AI Solves These Challenges

Faros AI centralizes and connects all relevant engineering data, enabling automation and actionable insights for vulnerability management:

  • Ownership Mapping: Dynamic mapping of engineers to services, maintained via org charts, GitHub teams, or service catalogs.
  • Noise Reduction: Tracks vulnerability-to-task assignments, minimizing redundant notifications and ensuring engineers only receive actionable alerts.
  • Automated Resolution: Integrates CI/CD, image registry, and environment metadata to automatically close tasks when vulnerabilities are resolved.

Key Data Types Used

  • Vulnerabilities per image ID: CVEs present on container images or code repositories, with discovery dates.
  • Deployment history: Images running in production, deployment dates, and lineage.
  • Compliance rules: Due dates for vulnerabilities based on internal policies.
  • Task management system (TMS) IDs: Integration with Jira for task creation and tracking.
  • Service ownership: Engineers or teams responsible for services, images, or repositories.

Implementation Example

Faros AI syncs CVE data from Vanta via Airbyte, tracks deployments via CI/CD events, and links org charts to Jira users. Ownership mapping is handled via employee tags or integrations with PagerDuty. A daily script automates task creation and notification using Faros AI, Jira, and Slack tokens.

Business Impact and Measurable Results

  • Time-to-assignment: Reduced from days to minutes.
  • Patch cycles: Faster resolution and fewer overdue vulnerabilities.
  • Notification volume: Engineers receive no more than one Jira task per service per week.
  • Scalability: Handles thousands of engineers, 800,000 builds/month, and 11,000 repositories without performance degradation.

"This new orchestration of security vulnerabilities has been a game-changer for our teams. By automatically and fairly distributing vulnerability workload based on service ownership in Faros AI, we've reclaimed valuable time while ensuring everyone contributes equitably. It's also made it significantly easier for us to tackle our security backlog effectively." – Sara Asher, Head of Product, Platform


Streamlined security vulnerability management with faster patch cycles and fewer overdue issues—without added operational overhead.

Managing security vulnerabilities as a DevSecOps Engineer

Imagine you're a Security Operations Engineer. A critical vulnerability in curl has just been announced. Your compliance policy gives you 30 days to patch 11 different images, owned by 8 different people across multiple teams.

Any service with curl installed now needs review. Each owner must check whether their service is actually exposed, that is, whether the vulnerable code path (say, a particular curl protocol handler) is reachable in their deployment. If it is, and the fix is still awaiting an upstream patch, they may need to refactor parts of the codebase, which requires intimate knowledge of the service. You need the right people making the changes; an engineer unfamiliar with the code won't be able to implement the fix safely. Meanwhile, the patch timeline is unclear.

Now imagine that tomorrow, a new libxml vulnerability is disclosed. It affects a different set of services and teams—so you can’t even bundle these fixes together. And these security issues don’t exactly take vacations.

This is the reality of my work as a Security Ops Engineer—one of the hats I wear at Faros AI. Over time, I’ve learned that managing these cascading vulnerabilities at scale requires access to structured, reliable data.

With the solution I've put in place, we've seen huge benefits: Faster time-to-assignment (from days to minutes!), faster patch cycles, and fewer overdue vulnerabilities. In the sections that follow, I’ll walk through the kinds of data and systems that make this possible.

Challenges with security vulnerability management

Beyond the general chaos of managing vulnerabilities, there are a few specific recurring challenges we face:

  • How do we assign vulnerabilities to the right engineers?
  • How can we reduce the noise for those engineers, so they only get alerts that matter?
  • When can we automate the resolution of a vulnerability task entirely?

Assigning vulnerabilities to the right owner

One of the foundational needs is a reliable, dynamic data source that maps engineers to the services they own. Without this, our team ends up manually maintaining outdated spreadsheets—a process that quickly breaks down as teams reorganize and services multiply.

Preferably, this ownership data would be maintained either by the teams themselves or automatically through a source of truth tied to org structure (like GitHub teams, internal directories, or service catalogs).

To illustrate, imagine you have 100 services. Vulnerabilities will be discovered in them at random times. The engineers closest to each service are best equipped to assess and fix those issues. That means they are also the ones who should manage and update ownership mappings. And critically, they should have access to this data as well.

(Incidentally, this mapping isn’t just useful for vulnerability management—it’s valuable for bug triage, service cataloging, and many other coordination workflows.)

Minimizing noise

Once vulnerabilities are assigned, the next challenge is minimizing noise. As an engineer responsible for a service, I don’t want to receive repeated reminders—daily or even weekly—about a vulnerability that isn’t due for another month. Ideally, I’d get a single task with one or two well-timed reminders as the deadline approaches.

To avoid sending redundant notifications, the Security Ops team needs a way to track which vulnerabilities have already been assigned and to whom. In theory, we could query the task management system (TMS, like Jira or Azure DevOps) for this information. But in practice, most TMS tools aren’t built to handle the shape or volume of vulnerability data. For instance, a single container image might have hundreds of associated vulnerabilities—too many to represent cleanly in one task, depending on the system’s schema and constraints.

Instead, we need a purpose-built system to store this “vulnerability-to-task” memory. One option is to create custom database tables that associate each vulnerability with metadata: the affected image, owning team or engineer, git repository, and corresponding task. But managing this ourselves—designing schemas, maintaining the DB, handling backups—quickly becomes operational overhead. It also risks isolating vulnerability data from other useful engineering ops data.
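To make the "vulnerability-to-task memory" concrete, here is an added example (not Faros AI's code and not the author's script) of the assignment and de-duplication logic in Python. It assumes a few constructed inputs: scan results keyed by image digest, the image currently deployed per service, an owner per service, and a compliance policy expressed as days-to-remediate per severity. In the real setup these would be read through the Faros AI GraphQL API; here they are inline sample data. Everything the functions return is a plan (tasks to file, ledger entries to record, whether a reminder is due today), so the logic can be exercised without a Jira or Slack token.

```python
"""Assignment and noise-reduction plan for vulnerability tasks.

Added example, not Faros AI's code. All inputs below are constructed
sample data standing in for what the real system reads from Faros AI.
"""
from datetime import date, timedelta

# --- Constructed sample data -------------------------------------------
# Scan results: image digest -> {CVE id: (severity, discovery date)}
VULNS = {
    "sha256:aaa": {"CVE-2024-0001": ("critical", date(2025, 5, 1)),
                   "CVE-2024-0002": ("medium", date(2025, 5, 1))},
    "sha256:bbb": {"CVE-2024-0001": ("critical", date(2025, 5, 2))},
    "sha256:ccc": {},  # scanned, nothing found
}
# Image currently running in production, per service
PROD_IMAGE = {"api": "sha256:aaa", "billing": "sha256:bbb", "docs": "sha256:ccc"}
# Ownership (e.g. from employee tags): service -> engineer
OWNER = {"api": "alice", "billing": "bob"}
# Hypothetical compliance policy: days to remediate, by severity
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


def due_date(severity, discovered):
    """Compliance due date for one CVE under the policy above."""
    return discovered + timedelta(days=SLA_DAYS[severity])


def plan_tasks(vulns, prod_image, owner, ledger, fallback_owner="security-ops"):
    """Decide which new tasks a daily run should file.

    `ledger` maps (service, cve) -> task key for CVEs already tracked, so
    the same CVE is never filed twice against the same service. Untracked
    CVEs on a service's production image are batched into ONE task for
    that service, due at the earliest of their individual due dates.
    Services with no owner are routed to `fallback_owner` and flagged,
    rather than silently dropped.
    """
    new_tasks = []
    for service, image in sorted(prod_image.items()):
        untracked = {cve: meta for cve, meta in vulns.get(image, {}).items()
                     if (service, cve) not in ledger}
        if not untracked:
            continue
        new_tasks.append({
            "service": service,
            "image": image,
            "assignee": owner.get(service, fallback_owner),
            "needs_owner": service not in owner,
            "cves": sorted(untracked),
            "due": min(due_date(sev, seen) for sev, seen in untracked.values()),
        })
    return new_tasks


def record_tasks(ledger, new_tasks, task_keys):
    """Once the TMS has returned task keys, remember every (service, cve)."""
    for task, key in zip(new_tasks, task_keys):
        for cve in task["cves"]:
            ledger[(task["service"], cve)] = key
    return ledger


def should_remind(due, today, lead_days=(7, 0)):
    """Remind at fixed points (a week out and on the day), then weekly
    once overdue, instead of nagging every day the task is open."""
    days_left = (due - today).days
    if days_left in lead_days:
        return True
    return days_left < 0 and days_left % 7 == 0


if __name__ == "__main__":
    ledger = {}
    first_run = plan_tasks(VULNS, PROD_IMAGE, OWNER, ledger)
    record_tasks(ledger, first_run, [f"SEC-{i}" for i, _ in enumerate(first_run, 1)])
    for task in first_run:
        print(task["service"], task["assignee"], task["cves"], task["due"])
    # Second run the next day: nothing new, so nothing is filed.
    print("second run files:", plan_tasks(VULNS, PROD_IMAGE, OWNER, ledger))
```

The ledger is the only state the script needs to keep between runs; with it, a CVE that appears on the same image for the tenth day in a row produces no tenth ticket, and a newly disclosed CVE on an already-ticketed image produces exactly one new task containing only the new CVE.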

Automatically resolving outdated tasks

Just as important as assigning tasks is knowing when to close them. If a vulnerable image is no longer in production, we should be able to automatically resolve any open tasks tied to it.

To do this, we need to answer a simple question for each task: has the service deployed a new image in which the vulnerability no longer exists? Answering that requires up-to-date image deployment data across all environments, along with the scan results for each image. One caveat worth building in: an image with no scan result yet is not the same as an image that was scanned and found clean, so a missing scan should keep the task open rather than close it.

As you can imagine, the data requirements here span multiple systems: CI/CD pipelines, image registries, environment metadata, task trackers, and more. Automating this end-to-end requires pulling from all of them—each with its own API or integration model.

Fortunately, at Faros AI, this is where our platform shines. By centralizing all this data and exposing it through a unified GraphQL API, we can build automations that are both flexible and low-maintenance.
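The auto-resolution check described in this section, as an added example (not Faros AI's code). The scan results, deployment history and vulnerability-to-task ledger are constructed sample data; the shape of the ledger matches the one used for assignment above. The "unknown" state encodes the caveat just mentioned: an image that has not been scanned cannot be treated as fixed. A task that tracks several CVEs is closed only when every one of them is gone from the service's current production image.

```python
"""Resolve tasks whose CVEs are gone from the service's production image.

Added example, not Faros AI's code. Sample data is constructed.
"""
from datetime import date

# --- Constructed sample data -------------------------------------------
# Scan results: image -> set of CVE ids. An image MISSING from this dict
# has no scan result (never scanned, or not synced yet). That is different
# from an image that was scanned and found clean (an empty set).
SCANS = {
    "sha256:old": {"CVE-2024-0001", "CVE-2024-0002"},
    "sha256:new": {"CVE-2024-0002"},
    "sha256:clean": set(),
}
# Deployment history per service: list of (deployed_on, image)
DEPLOYMENTS = {
    "api":     [(date(2025, 5, 1), "sha256:old"), (date(2025, 5, 20), "sha256:new")],
    "billing": [(date(2025, 5, 1), "sha256:old"), (date(2025, 5, 22), "sha256:clean")],
    "docs":    [(date(2025, 5, 1), "sha256:old"), (date(2025, 5, 23), "sha256:unscanned")],
}
# Vulnerability-to-task ledger: (service, cve) -> task key
LEDGER = {
    ("api", "CVE-2024-0001"): "SEC-1",
    ("api", "CVE-2024-0002"): "SEC-1",
    ("billing", "CVE-2024-0001"): "SEC-2",
    ("docs", "CVE-2024-0001"): "SEC-3",
}


def current_image(deployments, service):
    """Most recently deployed image for a service, or None if never deployed."""
    history = deployments.get(service)
    return max(history)[1] if history else None


def cve_status(scans, image, cve):
    """'present', 'absent', or 'unknown' (no scan result for this image)."""
    if image is None or image not in scans:
        return "unknown"
    return "present" if cve in scans[image] else "absent"


def reconcile(ledger, deployments, scans):
    """Group ledger entries by task and decide what to do with each task.

    close:      every tracked CVE is absent from the current prod image
    keep_open:  at least one CVE is still present (and none are unknown)
    needs_scan: the current image has no scan result, so nothing can be
                concluded; the task stays open and the gap is reported
    """
    by_task = {}
    for (service, cve), key in ledger.items():
        image = current_image(deployments, service)
        by_task.setdefault(key, {})[cve] = cve_status(scans, image, cve)

    result = {"close": [], "keep_open": [], "needs_scan": []}
    for key, statuses in sorted(by_task.items()):
        seen = set(statuses.values())
        if seen == {"absent"}:
            result["close"].append(key)
        elif "unknown" in seen:
            result["needs_scan"].append(key)
        else:
            result["keep_open"].append(key)
    return result


def close_tasks(ledger, keys):
    """Forget ledger entries for closed tasks, so that a rollback to the
    vulnerable image is picked up as a fresh finding on the next run."""
    closed = set(keys)
    return {k: v for k, v in ledger.items() if v not in closed}


if __name__ == "__main__":
    decision = reconcile(LEDGER, DEPLOYMENTS, SCANS)
    print(decision)
    print("ledger after closing:", close_tasks(LEDGER, decision["close"]))
```

Dropping the ledger entries on close is deliberate: if a service rolls back to the old image, the assignment step sees the CVE as untracked again and files a new task, rather than trusting a ticket that was closed against an image no longer in production.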

How I’m effectively managing security vulnerabilities with Faros AI

To solve the challenges outlined above, I realized I needed reliable access to five key data types:

  • Vulnerabilities per image ID – Which CVEs are present on which container images or code repositories, and when they were discovered.
  • Deployment history – What images are currently running in production, when they were deployed, and their historical lineage for validation.
  • Compliance rules – When each vulnerability is due, based on internal policies.
  • Task management system (TMS) IDs – To connect service owners to our Jira for task creation and tracking.
  • Service ownership – Which engineers or teams are responsible for which services, images, or repos.

Happily, I found that most of this data already existed in Faros AI.

Aggregating the data

Here’s how we brought it all together:

  • Vulnerability data: We sync CVE data into Faros AI from Vanta, our compliance platform, via an Airbyte connector. Vanta pulls from both our container and code repositories and includes our compliance policies to assign due dates to each vulnerability.
  • Deployment data: We instrument Faros AI CI/CD events to track builds and deployments per image, per service, per environment—giving us detailed deployment history.
  • Org + TMS mapping: We link our org chart to Jira users. For each engineer, we have their team(s), Jira user ID, and Jira team ID. This allows us to easily create or update Jira tasks via its API.

Adding ownership data

The only missing piece was ownership mapping. I solved this by tagging employees in Faros AI with key-value pairs that indicate which services they own. I generated these tags using a simple script that converted a team-to-service mapping into GraphQL mutations. This data could also come from systems like PagerDuty or be updated via an automated sync.
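An added example (not the author's script and not the Faros AI schema) of the tag-generation step: expanding a team-to-service mapping into per-employee ownership tags, checking coverage before anything is written, and emitting only the mutations needed to bring the current tags in line so the script can be re-run safely. The mutation names `addEmployeeTag` and `removeEmployeeTag`, the tag key `owns-service`, and all sample data are placeholders to be replaced with the real Faros AI GraphQL mutations and your own directory data.

```python
"""Team-to-service mapping -> employee ownership tags -> GraphQL mutations.

Added example, not Faros AI's code. The mutation shape is a placeholder
for the real Faros AI schema; sample data is constructed.
"""

# --- Constructed sample data -------------------------------------------
TEAM_SERVICES = {"platform": ["api", "billing"], "web": ["docs"]}
TEAM_MEMBERS = {"platform": ["alice", "bob"], "web": ["carol"]}
JIRA_USERS = {"alice": "5f1a", "bob": "5f1b"}          # carol has no Jira account
SERVICE_CATALOG = ["api", "billing", "docs", "legacy-cron"]  # legacy-cron: no team
TAG_KEY = "owns-service"  # hypothetical tag key

# Placeholder GraphQL documents; substitute the real Faros AI mutations.
ADD_TAG = ("mutation AddTag($e: String!, $k: String!, $v: String!) "
           "{ addEmployeeTag(employee: $e, key: $k, value: $v) }")
REMOVE_TAG = ("mutation RemoveTag($e: String!, $k: String!, $v: String!) "
              "{ removeEmployeeTag(employee: $e, key: $k, value: $v) }")


def desired_tags(team_services, team_members):
    """Expand teams into a set of (employee, key, service) tags."""
    tags = set()
    for team, services in team_services.items():
        for member in team_members.get(team, []):
            for service in services:
                tags.add((member, TAG_KEY, service))
    return tags


def validate(tags, catalog, jira_users):
    """Report the two gaps that break assignment downstream: services
    nobody owns, and owners with no task-tracker identity."""
    owned = {service for _, _, service in tags}
    owners = {employee for employee, _, _ in tags}
    return {
        "unowned_services": sorted(set(catalog) - owned),
        "owners_without_jira": sorted(owners - set(jira_users)),
    }


def tag_mutations(current, desired):
    """Diff current vs desired tags into the minimal list of mutation
    payloads (adds first, then removals of stale tags)."""
    ops = []
    for employee, key, value in sorted(desired - current):
        ops.append({"query": ADD_TAG,
                    "variables": {"e": employee, "k": key, "v": value}})
    for employee, key, value in sorted(current - desired):
        ops.append({"query": REMOVE_TAG,
                    "variables": {"e": employee, "k": key, "v": value}})
    return ops


if __name__ == "__main__":
    wanted = desired_tags(TEAM_SERVICES, TEAM_MEMBERS)
    print("coverage problems:", validate(wanted, SERVICE_CATALOG, JIRA_USERS))
    # Pretend the platform currently has one stale tag and nothing else.
    existing = {("dave", TAG_KEY, "api")}
    for op in tag_mutations(existing, wanted):
        print(op["variables"])
```

Running the coverage check first matters more than the mutations themselves: a service with no owner, or an owner who cannot be resolved to a Jira user, is exactly the case that would otherwise surface as an unassignable ticket on the day a critical CVE lands.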

Importantly, I didn’t need to build a new service, stand up a database, or maintain spreadsheets. Faros AI natively supports all of this and encourages a centralized, connected approach to engineering data.

Automating the workflow

Once the data was in place, I wrote a script that now runs daily. It needs just three access tokens: one each for Faros AI, Jira, and Slack. (As with any automation that can write to a ticketing system and post to chat, each token should be scoped to the minimum the script needs and kept in a secrets store rather than in the script itself.) This is what it does:

(Figure: the daily script's workflow.)

A new era of security vulnerability management

This new approach to security vulnerability management has delivered immediate, measurable improvements. We've reduced time-to-assignment for new vulnerabilities from days to minutes. Engineers now receive no more than one Jira task per service per week—a significant decrease from the flood of redundant alerts they previously endured. Most importantly, we're seeing faster patch cycles and a notable reduction in overdue vulnerabilities, even as our infrastructure continues to grow.

As Sara Asher, our Head of Product, Platform puts it:

"This new orchestration of security vulnerabilities has been a game-changer for our teams. By automatically and fairly distributing vulnerability workload based on service ownership in Faros AI, we've reclaimed valuable time while ensuring everyone contributes equitably. It's also made it significantly easier for us to tackle our security backlog effectively."

Ultimately, this isn't just about managing security vulnerabilities—it's about empowering DevSecOps Engineers to take ownership of security in a way that scales. And with the right data in the right place, it’s finally possible.

Curious how Faros AI could help in your environment? Contact us today to learn more.

Omree Gal-Oz

Omree is a software engineer at Faros AI, where he wears many hats, including Security Ops Engineer.
