Vulnerability Assessment tools aggregator implementation

While information technology is taking steps forward in every aspect of our lives, the necessity of protecting data and infrastructures is growing everyday bigger. For small and medium businesses, security have been a synonym of antivirus, firewalls and IDS. However, the current trend is to prefer proactive solutions instead of reactive. In this context, many automatic scanner tools that performs vulnerability assessment on customer infrastructures took place in the market. Due to the complexity of such tools, the integration among them is mostly not available in common solutions.This thesis aims to describe the functionalities as well as the development process of a cyber security vulnerability assessment tools aggregator application that offers a view on the overall exposed surface of customer infrastructures. The platform was developed by the author of this thesis together with the Shorr Kan IT s.r.l. staff from which the application takes its name (Shorr kan Vulnerability Assessments - Next Generation).We will begin by discussing some of the fundamentals of cyber security in the first chapter, starting with the concept of known vulnerabilities and how they are modelled and organized. Later on, we will define and discuss the features of Vulnerability Assessment and Penetration Testing processes in order to fully comprehend the scope of the SVA-ng application.Moving onto the second chapter, since the described application aim is to import and to interact with other applications, we will describe the inner workings of some open-source and proprietary existing tools. Once again we will make a division amongst instruments used during vulnerability assessment tasks and during penetration tests. The majority of the described tools are the ones that the SVA-ng application interacts with.The third chapter contains the design of the entire platform. At first, the analysis of the requirements is shown and discussed. On top of the latter, we will move from the physical architectural organization of devices to the structure of software modules and their behaviours. A brief introduction to the interaction amongst modules is also described due to the necessity of defining protocols from a high-level perspective.The developers manual in the fourth chapter has the aim of describing the implementation details of the platform. We will start from the configuration of the device hosting the main server moving to the design of the database structures and to the implementation choices of the various code sections. We will also briefly describe all of the open-source libraries used by SVA-ng. Moreover, since the application includes the possibility of using probes hosted on different machines, the implementation of the communication among them is described.The users manual, located in the fifth chapter, will then extensively describe the most common operations that a user might want to perform. Starting from the installation, every action is described with the aid of screenshots and most common error explanations.Finally, the sixth chapter contains the analysis of the product by defining and measuring some of the possible indexes that might be relevant to the end user. This chapter refers to the analysis of the requirements in order to verify the program compliance to the previously defined goals.