Towards Configurable Vulnerability Assessment in the Cloud

Security is considered as one of the top embedding factor for migrating SME services and applications in the cloud. However, various technological advancements in cloud security actually raise the security level with respect to traditional, on-premise deployment models. Nevertheless, SMEs, while being aware of these advancements, do not apply them as early as possible during the design of their cloud products and services. In other words, they neglect the main benefits that security-by-design offers. Further, SMEs actually employ one or more open-source security tools without properly configuring them to fit the current context. This creates three main issues: (a) a waste of resources can occur; (b) the protection level achieved can be unsuitable; (c) improper accuracy in vulnerability and security event detection could lead to taking wrong actions or to not reacting in critical security events. This paper proposes a security-by-design solution which focuses on vulnerability assessment and attempts to deal with the first and third from the aforementioned issues. These issues are addressed through: (a) the supply of a configuration meta-model enabling to properly configure the vulnerability assessment to have the right accuracy and performance level without impacting the precious resources available for the proper functioning of the SME's applications; (b) the orchestration of various kinds of vulnerability scanning tools which enable increasing the scanning accuracy.