English | Deutsch
Home »

Creation Process for Network Vulnerability Tests (NVTs)

OpenVAS NVT creation process

Note: The process described here is a proposal and not yet implemented. Please submit any comments or suggestions to the openvas-discuss mailing list.


This document describes the creation process for Network Vulnerability Tests (NVTs) for the network security scanner OpenVAS. NVTs are test routines that check for presence of a vulnerability on a target system. OpenVAS coordinates the execution of many of such tests to many target systems and collects the results.

The process starts with collecting upcoming security alerts and ends with the release of a newly developed NVT that checks for the reported vulnerability.

The most important phases of this process are: Initial prioritization (Evaluation), final prioritization (Decision), implementation, quality assurance and release/distribution.

These phases as well as supporting technologies are described in more detail below.

Short summary

Before the actual implementation of a NVT starts, a evaluation matrix is applied to find out about the initial priority of a security advisory. After that, the security advisory is added to the overall priority list. This step is performed by the evaluation team.

The sources for security advisories are carefully selected and connected with an automatic notification process. Thus, the initial prioritization is an ongoing process driven by such notifications.

At certain intervals, a decision team does a final prioritization to decide for which security advisories corresponding NVTs are to be developed.

The relevance and the level of complexity for the defined target systems is considered for both the initial and the final prioritization.

The whole process in five steps

Multiple roles as given with the various teams could be fulfilled by one person as long as it is ensured that he or she never does implementation and quality assurance for the same NVT.

It is a integral feature of this process that the experiences gained from daily practice will lead to changes or refinements of the process whenever regarded useful or required.