Creation Process for Network Vulnerability Tests (NVTs)
Note: The process described here is a proposal and not yet implemented. Please submit any comments or suggestions to the openvas-discuss mailing list.
Overview
This document describes the creation process for Network Vulnerability Tests (NVTs) for the network security scanner OpenVAS. NVTs are test routines that check for the presence of a vulnerability on a target system. OpenVAS coordinates the execution of many such tests against many target systems and collects the results.
The process starts with collecting upcoming security alerts and ends with the release of a newly developed NVT that checks for the reported vulnerability.
The most important phases of this process are: initial prioritization (Evaluation), final prioritization (Decision), implementation, quality assurance, and release/distribution.
These phases as well as supporting technologies are described in more detail below.
Short summary
Before the actual implementation of an NVT starts, an evaluation matrix is applied to determine the initial priority of a security advisory. After that, the security advisory is added to the overall priority list. This step is performed by the evaluation team.
The sources for security advisories are carefully selected and connected with an automatic notification process. Thus, the initial prioritization is an ongoing process driven by such notifications.
At certain intervals, a decision team does a final prioritization to decide for which security advisories corresponding NVTs are to be developed.
The relevance and the level of complexity for the defined target systems are considered for both the initial and the final prioritization.
The whole process in five steps
- Evaluation: The evaluation team, alerted by a security advisory notification, applies the evaluation matrix and thus comes to the initial prioritization. This information is added to the general priority overview.
- Decision: The decision team selects those security alerts for which the implementation of a corresponding NVT is highly desired (final prioritization). This decision-making takes place according to a defined schedule.
- Implementation: The development team actually implements an NVT. In case of problems (solution strategy unclear or effort very high), the issue is handed back to the decision team for reconsideration.
- Quality Assurance: The QA team performs quality assurance on the results of the development team. If an NVT does not meet the quality standard, the issue is handed back to the development team.
- Release/Distribution: The release (transfer of the new NVT into the NVT distribution mechanism) is the last step, performed by the QA team once the NVT has passed the quality tests.
The roles of the various teams may be filled by one person, provided that he or she never performs both implementation and quality assurance for the same NVT.
It is an integral feature of this process that experience gained from daily practice will lead to changes or refinements of the process whenever this is regarded as useful or required.
