Re: Reporting aspect of pen-testing

From: Ivan Arce (ivan.arce@corest.com)
Date: Tue Dec 02 2003 - 14:31:31 EST


Hello

On the subject of reporting as many have pointed out, a good report should
be a lot more than just listing the vulnerabilities found.

The report cited below has NO RELATION WHATSOEVER with the services
provided by Core Security Technologies (www.coresecurity.com), the company I
work for and which has been doing penetration testing since 1996.

But on to the topic... a penetration test final report should include at
least the following:

1) An executive summary
    A brief description of the work done. Goal, scope, timeline, budget,
results and high level recommendations for upper management or C-level
executives written in terms easily understandable for business and process
oriented readers. This should explain why and how the money was spent and
what the outcome of that expenditure is.

2) A detailed report that includes
  2.1 Definition and scope of the penetration test
  2.2 Goals of the penetration test.
  2.3 Methodology used
  2.4 Workplan (chronology/timeline of the test)
  2.5 Conclusions
      Explanation of the results with a high level view of the organization
      and a clear description of the problems found and how they relate to the
      organization's business processes
  2.6 General recommendations
      Suggestions on how to improve the security posture at a macro level,
      things like further segmentation of networks, deploying auditing
      and ID systems, strong password enforcement, security training,
      workstation hardening, implementing crypto in certain processes or
      components, changing authentication systems, etc belong here
  2.7 A list of annexes with specific information and pointer to solutions
      It should have at least one annex:
  2.7.1 Detailed findings
      List of all findings with at least the following qualifiers
       . Finding name or vulnerability ID
       . Risk level (this is arbitrary by nature but should be quantified in
         terms of risk implied to the specific organization that the pentest
         was conducted for)
       . Vulnerability classification
         Exploitation of the vulnerability leads to problems in system
         availability (DoS), system integrity, data exposure, data
         integrity, etc. Choose your own classification but stick to it
         across the entire pentest and across all pentests.
       . Impact
         A brief description of the impact of exploitation
       . Systems vulnerable (not only applies to network systems but also to
         software components or business processes)
       . Resources
         Resources needed to exploit the vulnerability; this will help the
         reader qualify the potential attacker.
       . Description
         Obviously an in-depth description of the problem and how to repro it
       . Fix/workaround
         Description on how to fix the problem in the short term, workarounds
         and pointers to proper patches and alternative solutions.
       . References
         Pointer to related descriptions (CVEs, Bugtraq, etc) and related
         problems

-ivan

PS: Core Security Technologies (www.coresecurity.com) has no relation with
"core-sec" or with any of their employees including an alleged "gera"
apparently named after Core Security Technologies' employee Gerardo Richarte
(gera) author of InlineEgg, the Insecure Programming exercises, CORE IMPACT
exploits and speaker at several industry conferences.

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

Carlos Eduardo Pinheiro wrote:
> Hi guy,
> 
> You can find useful information at http://www.isecom.org/, they developed
> some guidelines covering how to proceed with a security audit ( including the
> reporting part ). I hope it helps.
> You can also take a look at an example report from core security (
> http://www.core-sec.com/examples/core_example_1.pdf )
> 
> Regards,
> 
> Carlos Eduardo Pinheiro - cabeca@gmx.net
> ICQ: 134439332
> 
> 