Even Hackers Deserve Usability: An Expert Evaluation of Penetration Testing Tools

Michael Bingham, Adam Skillen, Anil Somayaji

google(2014)

Abstract
Penetration testing is a necessary task to prevent or mitigate network intrusion. System administrators often use various penetration testing tools to aid in testing their networks; systems administrators, however, often do not have significant security expertise. It is thus important that penetration testing tools be usable by non-security experts. Here we examine the extent to which two commonly used penetration testing tools, Nessus and Metasploit, are usable by non-experts using a heuristic walkthrough. We identify pitfalls in user interface design, software configuration, and user notification which may hamper a non-security expert’s ability to use such tools effectively. We propose user interface improvements to address issues identified by our evaluation. We also report on the efficacy of the domain-specific heuristics we selected for penetration testing usability.

Keywords—Usable Security; Expert Evaluation; Administrative Tools