A quantitative evaluation of vulnerability scanning

Hannes Holm (Royal Institute of Technology, Industrial Information and Control Systems, Stockholm, Sweden)
Teodor Sommestad (Royal Institute of Technology, Industrial Information and Control Systems, Stockholm, Sweden)
Jonas Almroth (Swedish Defence Research Agency, Linköping, Sweden)
Mats Persson (Swedish Defence Research Agency, Linköping, Sweden)

Information Management & Computer Security

ISSN: 0968-5227

Publication date: 11 October 2011

Abstract

Purpose

The purpose of this paper is to evaluate if automated vulnerability scanning accurately identifies vulnerabilities in computer networks and if this accuracy is contingent on the platforms used.

Design/methodology/approach

Both qualitative comparisons of functionality and quantitative comparisons of false positives and false negatives are made for seven different scanners. The quantitative assessment includes data from both authenticated and unauthenticated scans. Experiments were conducted on a computer network of 28 hosts with various operating systems, services and vulnerabilities. This network was set up by a team of security researchers and professionals.

Findings

The data collected in this study show that authenticated vulnerability scanning is usable. However, automated scanning is not able to accurately identify all vulnerabilities present in computer networks. Also, scans of hosts running Windows are more accurate than scans of hosts running Linux.

Research limitations/implications

This paper focuses on the direct output of automated scans with respect to the vulnerabilities they identify. Areas such as how to interpret the results assessed by each scanner (e.g. regarding remediation guidelines) or aggregating information about individual vulnerabilities into risk measures are out of scope.

Practical implications

This paper describes how well automated vulnerability scanners perform when it comes to identifying security issues in a network. The findings suggest that a vulnerability scanner is a usable tool to have in your security toolbox, given that user credentials are available for the hosts in your network. Manual effort is, however, needed to complement automated scanning in order to get satisfactory accuracy regarding network security problems.

Originality/value

Previous studies have focused on the qualitative aspects of vulnerability assessment. This study presents a quantitative evaluation of seven of the most popular vulnerability scanners available on the market.

Citation

Holm, H., Sommestad, T., Almroth, J. and Persson, M. (2011), "A quantitative evaluation of vulnerability scanning", Information Management & Computer Security, Vol. 19 No. 4, pp. 231-247. https://doi.org/10.1108/09685221111173058

Publisher: Emerald Group Publishing Limited

Copyright © 2011, Emerald Group Publishing Limited
