A First Look at the Usability of OpenVAS Vulnerability Scanner

Vulnerability scanning is a fundamental step for assuring system security. It is also an integral component of IT system risk assessment to manage the identified vulnerabilities in a timely and prioritized way. It is critical that the tools for vulnerability scanning are usable so that cybersecurity practitioners get the most out of them. In this work, we evaluate the usability of a commonly used open source vulnerability scanning tool − OpenVAS 9.0. For this purpose, we carry out expertbased and user-based testings. Expert-based testing is carried out by employing the heuristic analysis and cognitive walkthrough approaches. User-based testing is performed by selecting 10 cybersecurity experts as participants. As a result, we identify pitfalls that lead to insecurity or false sense of security and suggest improvements to overcome them. We also discuss the effectiveness of the methodologies employed for usability testing. Lastly, a set of heuristics compiled from the existing work and adapted to our case is provided to be reused in similar studies.