User-Centered Design of Visualizations for Software Vulnerability Reports

Steven Lamarr Reynolds, Tobias Mertz, Steven Arzt, Jörn Kohlhammer

View presentation: 2021-10-27T17:40:00Z GMT-0600 Change your timezone on the schedule page
Exemplar figure, described by caption below
The Report Overview and Report Comparison visualizations displaying the vulnerabilities of an application. On the left, a matrix visualization is showing a single report and the distribution of vulnerabilities across relevant attributes such as severity and origin. The red saturation marks the matrix cells with the largest amount of vulnerabilities. On the right, a unit bar chart shows the differences in vulnerabilities present in two versions of an application. The red and blue colors of units correspond to the individual application versions while the grey color marks vulnerabilities that match between both versions.
Fast forward

Direct link to video on YouTube:


Fraunhofer IGD, Darmstadt


Today's software systems are created by software development processes that naturally include mistakes, some of which can be exploited by attackers and are therefore called vulnerabilities. Automatic software scanners enable developers to analyze their applications to detect vulnerabilities and alert them of their presence. But often these reports are hard to understand, include false positives or overwhelm users due to the sheer number of alerts, since a report may contain hundreds to thousands of vulnerabilities. Developers must undergo a process called vulnerability triage to find the relevant vulnerabilities to fix. This paper presents two interactive visualizations for developers and security experts to gain an overview of the security state of their application. Users can see the distribution of vulnerabilities, find the most relevant ones, and compare differences between application versions. Our visualization design is inspired by an initial preliminary study and has been evaluated by domain experts to investigate the usability and appropriateness.