An XML-based data model for vulnerability assessment reports

Periodic vulnerability assessment (VA), used to uncover and correct vulnerabilities, is a common intrusion prevention technique. Although the VA tools that perform those assessments, report similar information, there are tool specific differences. Unfortunately, trying to combine the output of these tools would require separate parsing tools to address the significant low-level differences. A new data model (Vulnerability Assessment Report Format VARF) is presented in this paper in order to define data formats for sharing information of interest to VA and to facilitate the interaction with the risk management process. As a proof of concept a set of XSLT transformations was built in order to transform the results of an open source VA tool to a VARF compliant report enabling further processing of the results.