Summary

Scan analysis is the review of the scan output to ensure that vulnerabilities are validated and accurately reported. This includes removing false positives and false negatives.

False positives are the more commonly encountered case. A false positive is a vulnerability that is reported as active in the system but does not exist in reality; it may be the result of incorrect vulnerability reporting.

A false positive can be removed by understanding the organization's environment, by proof of concept, and by validating with port scanning tools. Because this is a time-consuming activity, for a large-scope engagement it can be limited to targeted critical vulnerabilities. The effort for this activity should also be estimated in advance.

Result analysis includes going through the Nessus scan output and covering all necessary details, such as the synopsis, the description, and the risk factor including the CVE score. CVE is a database of publicly known security vulnerabilities and exposures. Each vulnerability is assigned a unique CVE number, which is cross-referenced in the Nessus report to provide further details about the vulnerability.

Apart from removing false positives, analysis also involves severity analysis based on the criticality of the system with respect to the organization's business needs: a low or medium vulnerability on a highly critical server needs to be prioritized accordingly. The applicability of a particular reported vulnerability to the organization should also be cross-checked.

Closure of the vulnerabilities should then be worked on, based on the recommendation given in the report and considering other alternative controls available to mitigate the vulnerability.

Vulnerability exploitation (or penetration testing) is the next step after the identification of a vulnerability. Nessus gives an option to check whether an exploit for an identified vulnerability is available in exploit frameworks such as Metasploit or Canvas. It also involves further learning and research to choose an appropriate payload in the case of a few vulnerabilities, such as cross-site scripting and SQL injection.
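
The result analysis and prioritization described above, sketched as an added example (not code from the book or from Nessus): it reads a constructed report in the .nessus v2 XML layout, drops validated false positives, and ranks findings by severity weighted by asset criticality. The weighting scheme, host names, plugin IDs and CVE ids are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in .nessus (v2) layout; hosts, plugin IDs and CVE ids are placeholders.
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="db01.example.internal">
 <ReportItem port="1433" protocol="tcp" severity="2" pluginID="900001" pluginName="Placeholder medium finding">
  <synopsis>Constructed synopsis.</synopsis><risk_factor>Medium</risk_factor>
  <cve>CVE-0000-0001</cve><exploit_available>true</exploit_available>
  <exploit_framework_metasploit>true</exploit_framework_metasploit>
 </ReportItem>
</ReportHost>
<ReportHost name="kiosk07.example.internal">
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="900002" pluginName="Placeholder high finding">
  <synopsis>Constructed synopsis.</synopsis><risk_factor>High</risk_factor>
  <cve>CVE-0000-0002</cve><exploit_available>false</exploit_available>
 </ReportItem>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="900003" pluginName="Placeholder info item"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Assumption: business criticality per asset (1 = low, 3 = high), maintained by the organization.
CRITICALITY = {"db01.example.internal": 3, "kiosk07.example.internal": 1}

def triage(xml_text, criticality, false_positives=frozenset()):
    """Return findings sorted by (severity x asset criticality), exploitable first on ties."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            key = (name, item.get("pluginID"))
            if sev == 0 or key in false_positives:
                continue  # informational item or validated false positive
            frameworks = [f for f in ("metasploit", "canvas")
                          if item.findtext("exploit_framework_" + f) == "true"]
            rows.append({
                "host": name, "plugin": item.get("pluginID"), "port": item.get("port"),
                "risk": item.findtext("risk_factor"),
                "cves": [c.text for c in item.findall("cve")],
                "exploit": item.findtext("exploit_available") == "true",
                "frameworks": frameworks,
                "score": sev * criticality.get(name, 2),  # unknown assets get a middle weight
            })
    return sorted(rows, key=lambda r: (-r["score"], not r["exploit"]))

if __name__ == "__main__":
    for r in triage(SAMPLE, CRITICALITY):
        print(r["score"], r["host"], r["port"], r["risk"], r["cves"], r["frameworks"])
```

With the sample weights, the medium finding on the critical database server ranks above the high finding on the low-criticality kiosk. For real exports, parse with a hardened XML parser such as defusedxml, since scan files may come from untrusted sources.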
