A Taxonomy for Tsunami Security Scanner Plugins

Abstract

Vulnerability scanning tools are essential in detecting systems weaknesses caused by vulnerabilities in their components or wrong configurations. Corporations may use these tools to assess a system in advance and fix its vulnerabilities, thus preventing or mitigating the impact of real attacks. A set of these tools are organized by plugins, each intended to check a specific vulnerability, such as the case of the Tsunami Security Scanner tool released in 2020 by Google. Multiple plugins for this tool were proposed in a community-based approach and thus, it is important for the users and research community to have these plugins in a framework consistently categorized across multiple sources and types. This paper proposes a comprehensive taxonomy for all the 61 plugins available, hierarchically sorted into 2 main categories, 4 categories, 4 subcategories, and 7 types. An analysis and a discussion on statistics by categories and types over time are also provided. The analysis shows that, so far, there are 4 main contributors, being Google, Community, Facebook, and Govtech. The Google source is still the top contributor counting 39 out of 61 plugins and the highest number of plugins available are in the RCE subcategory. The plugins available are mainly focused on critical and high vulnerabilities.