Survey Introduction
User Survey: Security Scanner Findings in Practice
Welcome to my study and thank you for participating. This survey is part of my master’s thesis and examines how security scanners, and the findings they generate when scanning one’s own code, are handled in practice.
Explanation of Key Security Terms
The following terms are used throughout the survey:
- Vulnerability Scanner – A tool that automatically scans systems, applications, or networks to detect vulnerabilities and other security weaknesses.
- Vulnerabilities – Weaknesses in a system, application, or network that attackers can exploit to compromise its security.
- Security Findings – Potential issues or weaknesses that automated scanners identify during a security assessment.
Sample data record for a security finding
| Attribute | Example Value |
|---|---|
| Title | SQL Injection in Login Form |
| Finding ID | FND-2026-001 |
| CWE ID | CWE-89 |
| Vulnerability Category | Injection |
| Severity | High |
| CVSS Score | 8.8 |
| Business Impact | Unauthorized access to customer data |
| Exploitability | High (no authentication required) |
| Confidence | High |
| Affected Assets | Web Application (Login Endpoint) |
| Attack Vector | Remote |
| Reproducibility | Always reproducible |
| File Path | /app/controllers/auth.py |
| Code Location | Lines 42–55 |
| Description | Improper input handling allows SQL injection attacks |
| Discovery Method | Manual code review and penetration testing |
| Report Date | 2026-03-23 |
| Time to Fix | 5 days |
| Editing Status | Not started |