Re: Reporting aspect of pen-testing

From: Stephen de Vries (stephen@twisteddelight.org)
Date: Mon Dec 01 2003 - 21:50:33 EST


TJ,

Depending on the organisation, you are probably going to have different
audiences for the pentesting report. It will be useful for managers to
be able to quickly understand what the business impact of the pentest is
without getting into the details, while the sys admins and security staff
would be keen to see all the gory details. I'd suggest the following
layout:

*Introduction
*Objectives
*Scope
   - What did you do, which system did you test, what tests did you omit etc.
*Executive Summary
   - Summary of findings at a high level. Bear in mind that your reader
is a manager and wants to know what the real risks are, try and use
simple language (and mono-syllables ;-) )
   - Business impact of findings: what do these findings mean to the
business? How and where can they lose money?
   - Recommendation: again high level, focus more on processes than on
individual items. If their IIS server is full of holes, suggest a
regular process of patching etc.

*Methodology
   - Some more detail on the methodology you followed.
*Technical Findings
   - A tabular list of each finding. This could include a finding number,
vulnerability name, description, severity rating, references, fix
information. Try and organise this so that it is useful for the
reader, e.g. Group according to business unit, or a long list according
to severity.

*Conclusion
   - What was the overall rating? How does this client compare to others
in the same industry? Is this the kind of security you'd expect for
their industry?

*Appendix
List relevant technical details like port scan results, screen shots that
prove vulnerabilities, vuln scan results etc.

Remember that the report is confidential information and distribution
should be treated with care.

cheers,
Stephen
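The Technical Findings and Executive Summary sections above describe a small data problem: one list of findings (number, name, severity, references, fix) that has to be presented as a severity-ordered table for the technical reader, grouped per business unit, and rolled up into counts and an overall rating for the manager. The following is an added example, not code from the original post; the finding records are constructed and hypothetical, and the severity scale is an assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed severity scale; adjust to whatever rating scheme the report uses.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Finding:
    number: int          # finding number, referenced from the appendix
    name: str            # vulnerability name
    severity: str        # one of SEVERITY_RANK
    business_unit: str   # used for the "group by business unit" layout
    references: str      # advisory / CVE pointers (placeholders here)
    fix: str             # fix information for the sys admins


# Constructed sample findings (hypothetical, for illustration only).
FINDINGS = [
    Finding(1, "Unpatched IIS web server", "High", "Web", "vendor advisory", "apply patches; set up a regular patch cycle"),
    Finding(2, "Default SNMP community string", "Medium", "Infrastructure", "vendor docs", "set a non-default string, restrict SNMP by ACL"),
    Finding(3, "Verbose error pages", "Low", "Web", "n/a", "disable detailed errors in production"),
    Finding(4, "Plaintext credentials on file share", "Critical", "Finance", "n/a", "remove file, rotate credentials, review share ACLs"),
]


def by_severity(findings):
    """Long list ordered from most to least severe, ties broken by finding number."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.number))


def by_business_unit(findings):
    """Group findings per business unit (alphabetical), each group ordered by severity."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.business_unit].append(f)
    return {unit: by_severity(fs) for unit, fs in sorted(groups.items())}


def executive_summary(findings):
    """High-level view: count per severity and an overall rating equal to the worst severity present."""
    counts = Counter(f.severity for f in findings)
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity if findings else "Info"
    return {"counts": dict(counts), "overall_rating": worst}


def findings_table(findings):
    """Render the Technical Findings section as plain-text rows, severity first."""
    rows = [f"{'#':>2}  {'Severity':<8}  {'Unit':<14}  Vulnerability / fix"]
    for f in by_severity(findings):
        rows.append(f"{f.number:>2}  {f.severity:<8}  {f.business_unit:<14}  {f.name} -- fix: {f.fix}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(executive_summary(FINDINGS))
    print(findings_table(FINDINGS))
```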

> Hi folks,
>
> I am putting together a pen testing proposal as part of my final
> Master's project. If it's good enough, it will lead to a full pen test
> of a real network. This list has been very helpful with the technology
> background, but the part I am stuck on right now is the reporting
> piece. When a pen-test is complete, what do you include in the report?
> How do you structure the information for business contacts, I imagine
> raw data is often not helpful in many cases. Any hints or tips would
> be greatly appreciated.
>
> Thank you,
> TJ
>
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT