TL;DR
A vulnerability is a weakness in your code, dependencies, or configuration that attackers can exploit. Common types include SQL injection, XSS, broken authentication, and outdated dependencies with known flaws. Find them with security scanners, code review, and penetration testing. Fix them by patching, updating dependencies, and following secure coding practices.
The Simple Explanation
Your app has a bug that lets attackers do something they should not. Maybe it is code you wrote, maybe it is a library you use, maybe it is a misconfiguration. A vulnerability is the hole. Attackers look for these holes to steal data, take over accounts, or break things.
Common Vulnerability Types
| Type | What It Is | Example |
|---|---|---|
| Injection | Malicious input becomes code | SQL injection, XSS |
| Broken Auth | Authentication flaws | Weak passwords, session issues |
| Exposure | Sensitive data leaked | API keys in code, unencrypted data |
| Misconfig | Insecure settings | Default passwords, debug mode |
| Dependencies | Vulnerable libraries | Outdated npm packages |
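To make the Injection row concrete, here is an added example (not code from the original page) that puts a query built by string concatenation beside its parameterized fix, using Python's sqlite3 on a constructed in-memory users table.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the page: a tiny users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def find_user_vulnerable(con, name):
    # Vulnerable: untrusted input is spliced into the SQL text, so a value
    # containing quote characters changes the structure of the query itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, name):
    # Fixed: the SQL text is a constant and the value is passed as a bound
    # parameter, so the database engine never interprets it as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # A quote-bearing value shows why "input becomes code" is the problem:
    # the concatenated query turns into  WHERE name = 'x' OR '1'='1'
    quoted = "x' OR '1'='1"
    print(find_user_vulnerable(db, "alice"))  # ['alice']
    print(find_user_vulnerable(db, quoted))   # ['alice', 'bob']  (whole table leaks)
    print(find_user_safe(db, quoted))         # []  (treated as a literal name)
```

A SAST tool flags the first function because a non-constant string reaches an execute call; the second has no such data flow, which is the property code review should check for.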
Vulnerability Lifecycle
- Introduction: Bug enters codebase
- Discovery: Someone finds it
- Disclosure: Reported to maintainers
- Patch: Fix is released
- Remediation: You apply the fix
Time matters. Once a vulnerability is publicly disclosed, attackers start scanning for unpatched systems. The window between disclosure and your patch is when you are most at risk.
Finding Vulnerabilities
- SAST: Static analysis scans code without running it
- DAST: Dynamic testing against running apps
- SCA: Dependency scanning for known vulnerabilities
- Pen testing: Manual security testing
- Bug bounty: Crowdsourced vulnerability discovery
What is the difference between a vulnerability and an exploit?
A vulnerability is a weakness or flaw. An exploit is the method or code used to take advantage of that weakness. Think of a vulnerability as an unlocked door and an exploit as someone walking through it. Not all vulnerabilities have known exploits.
How are vulnerabilities rated for severity?
The Common Vulnerability Scoring System (CVSS) rates vulnerabilities from 0 to 10. The severity bands are Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), and Low (0.1-3.9). The score considers how easy the flaw is to exploit, what access is needed, and the potential impact on confidentiality, integrity, and availability.
How do I find vulnerabilities in my code?
Use static analysis tools (SAST) to scan your code, dependency scanners for third-party packages (npm audit, Snyk), dynamic testing (DAST) against running applications, and manual code review. Regular security testing and penetration testing help find vulnerabilities before attackers do.