Simplifying Vulnerability-Scan Results

  • This thesis emphasizes problems that reports generated by vulnerability scanners impose on the process of vulnerability management, namely (a) an overwhelming amount of data and (b) an insufficient prioritization of the scan results. To assist the process of developing means to counteract those problems and to allow for quantitative evaluation of their solutions, two metrics are proposed for their effectiveness and efficiency. These metrics imply a focus on higher-severity vulnerabilities and can be applied to any simplification process of vulnerability scan results, provided it relies on a severity score and an estimated time of remediation for each vulnerability. A priority score is introduced which aims to improve on the widely used Common Vulnerability Scoring System (CVSS) base score of each vulnerability, depending on the vulnerability's ease of exploit, estimated probability of exploitation and probability of its existence. Patterns among the vulnerabilities in the reports generated by the Open Vulnerability Assessment System (OpenVAS) vulnerability scanner are discovered, which identify criteria by which they can be categorized from a remediation actor's standpoint. These categories lay the groundwork for a final simplified report and consist of updates that need to be installed on a host, severe vulnerabilities, vulnerabilities that occur on multiple hosts and vulnerabilities that will take a lot of time to remediate. The highest potential time savings are found to exist within frequently occurring vulnerabilities and minor and major suggested updates. Processing of the results provided by the vulnerability scanner and creation of the report are realized in the form of a Python script. The resulting reports are short, straight to the point and provide a top-down remediation process which should theoretically allow the institution's attack surface to be minimized as fast as possible.
Evaluation of the practicality must follow, as the reports are yet to be introduced into the Information Security Management Lifecycle.


Author: Tom Kosacki
Advisor: Hanno Langweg, Dirk Staehle
Document Type: Bachelor Thesis
Year of Publication: 2023
Granting Institution: HTWG Konstanz, Informatik (IN)
Date of final exam: 2023/07/11
Release Date: 2023/10/24
Tag: Vulnerability Prioritization; Scoring Systems; Probability of Exploitation; Remediation Strategies; Information Security Management
Page Number: VII, 114 pages
Institutes: Fakultät Informatik
DDC functional group: 000 General works, computer science, information science
Open Access?: Yes
Licence (German): Creative Commons - CC BY - Attribution 4.0 International