[Paper] Visualisation for the CIS benchmark scanning results

Source: arXiv - 2512.11316v1

Overview

The paper presents GraphSecure, a web‑based platform that automates the collection, validation, and visualisation of security‑scan results for Amazon Web Services (AWS) environments against the Center for Internet Security (CIS) Benchmarks. By turning raw compliance data into intuitive charts and alerts, the tool aims to make continuous security posture monitoring practical for developers, DevOps engineers, and security teams.

Key Contributions

• End‑to‑end scanning workflow – One‑click initiation of CIS‑benchmark scans directly from a user’s AWS account.
• Graph‑oriented data model – Security findings are stored as nodes and edges, preserving relationships between resources (e.g., EC2 instances, IAM roles, VPCs).
• Interactive visualisations – Dashboard widgets (heatmaps, bar charts, dependency graphs) that surface the most critical misconfigurations at a glance.
• Risk‑based alerting – Real‑time warnings that rank findings by severity and potential impact on the overall account health.
• Open‑source prototype – The implementation (frontend + backend) is released under an MIT license, encouraging community extensions.

Methodology

1. Credential onboarding – Users provide an AWS IAM role with read‑only permissions. GraphSecure assumes this role via AWS STS to fetch configuration data.
2. Data collection – The backend queries AWS APIs (Config, IAM, EC2, S3, etc.) and normalises the responses into a unified JSON schema.
3. Benchmark mapping – Each CIS control is expressed as a set of rule predicates (e.g., “S3 bucket must have server‑side encryption enabled”). The collected data are evaluated against these predicates using a rule engine written in Python.
4. Graph construction – Findings are inserted into a Neo4j graph database where resources become nodes and relationships (e.g., “instance → attached → security‑group”) become edges. This representation enables downstream queries such as “show all resources affected by a specific control”.
5. Visualization layer – A React/Redux front‑end consumes the graph via a GraphQL API and renders:
   • Statistical overviews (percentage of passed/failed controls).
   • Resource‑centric heatmaps (highlighting the most non‑compliant services).
   • Interactive dependency graphs (click‑through to drill down from a control to the exact misconfigured resource).
6. Alert generation – A lightweight scoring model aggregates severity, exploitability, and asset criticality to produce real‑time warnings displayed on the dashboard and optionally sent via email or Slack.

Results & Findings

• Speed – Scanning a typical medium‑size AWS account (≈ 150 resources) completed in under 2 minutes, a 4× improvement over manual CIS‑Benchmark scripts.
• Detection coverage – GraphSecure identified 98 % of the misconfigurations reported by the official CIS‑Benchmark tool, plus an additional 12 % of “cross‑resource” issues uncovered by the graph‑based dependency analysis.
• Usability – A small user study (n = 12) showed a 35 % reduction in time needed to locate the root cause of a failing control compared with raw JSON output.
• Alert effectiveness – Participants rated the risk‑based alerts as “highly actionable”, with 83 % indicating they would incorporate the dashboard into their daily workflow.

Practical Implications

• Continuous compliance – Teams can embed GraphSecure into CI/CD pipelines (e.g., trigger a scan on every Terraform apply) to catch drift before it reaches production.
• Rapid triage – Interactive graphs let engineers trace a misconfiguration through its dependency chain, dramatically cutting mean‑time‑to‑remediation (MTTR).
• Audit readiness – Exportable compliance reports and visual evidence simplify external audits and internal governance reviews.
• Cross‑team collaboration – By surfacing security posture in a shared, visual format, developers, ops, and security specialists can discuss remediation priorities without digging through logs.
• Extensibility – The open‑source stack (React, Neo4j, Python) makes it straightforward to add custom benchmarks (e.g., internal hardening guides) or support other cloud providers via additional data collectors.

Limitations & Future Work

• AWS‑only scope – The current prototype only supports AWS; extending to Azure, GCP, or hybrid environments will require additional data adapters.
• Static benchmark set – GraphSecure presently validates against the CIS Benchmarks; supporting user‑defined or industry‑specific controls is planned.
• Scalability – While the graph database handles medium‑size accounts comfortably, very large enterprises (thousands of resources) may need sharding or a more distributed storage backend.
• Automated remediation – The tool currently stops at detection and alerting; future releases aim to integrate with AWS Systems Manager or Terraform to offer “one‑click” fixes.

GraphSecure demonstrates how a graph‑centric view of cloud configuration can turn compliance data from a noisy dump into actionable insight—an approach that could become a staple in modern DevSecOps toolchains.

Authors

• Zhenshuo Zhao
• Maria Spichkova
• Duttkumari Champavat
• Juilee N. Kulkarni
• Sahil Singla
• Muhammad A. Zulkefli
• Pradhuman Khandelwal

Paper Information

• arXiv ID: 2512.11316v1
• Categories: cs.CR, cs.SE
• Published: December 12, 2025
• PDF: Download PDF