Re: Reporting aspect of pen-testing

From: riptide@idle.curiosity.org
Date: Mon Dec 01 2003 - 02:37:32 EST


TJ,

I would recommend the following outline:

Executive Summary
        a short executive summary listing the date of the pen-test
        (assessment) and a report summary, including items such as the top
        findings and any reactive actions taken.
Introduction
        scope
        methodology
        overall assumptions
The strategic findings and recommendations
The tactical findings and recommendations

It's great to list all findings and order them from highest to
lowest risk of exploitation.

R - T

On Sun, 30 Nov 2003, TJ O'Grady wrote:

> Hi folks,
>
> I am putting together a pen testing proposal as part of my final
> Master's project. If it's good enough, it will lead to a full pen test
> of a real network. This list has been very helpful with the technology
> background, but the part I am stuck on right now is the reporting
> piece. When a pen-test is complete, what do you include in the report?
> How do you structure the information for business contacts, I imagine
> raw data is often not helpful in many cases. Any hints or tips would
> be greatly appreciated.
>
> Thank you,
> TJ
