How to write effective Penetration Testing Reports

Today we are going to learn how to write a professional penetration testing report. I know this is nobody's favourite subject, but if you really want to work professionally, then you are not just selling security bugs; you are selling security bugs dressed up in nice reports. So I wanted to give you a few tips. First of all, the report is the only deliverable of your assessment, so it is the only thing that makes your customer come back with a new project. Put simply, if your report is bad, then your work was bad. That's it! With that said, let's look at a few things you might want to put in your report.

Writing the Penetration Testing Report
First, you should put in data about the customer and about yourself: contact details, responsibilities, who the document owner is, and so on. Next comes the Executive Summary, which summarizes the results of the project for the people who are not going to read the whole report, and there will be quite a few of them. It should give a general idea of the overall security posture and mention the most critical problems and their impact.

The third part is the scope of the assessment. The scope had to be laid down at the very beginning of the planning phase, so here you just write down what you decided then: what you were going to test and what you were not going to test. That is really important, because it is how a reader knows what was in scope and what was out of scope for this project.

Next, you should probably have a disclaimer, as you will want to cover yourself legally in your report; security is always a really sensitive topic. You have to make sure that you always cover yourself, and the disclaimer is exactly for that, so here you can state anything to the customer that will protect you.

Then there can be various other chapters, like Methodology, which describes how you were going to do the test and what your testing process is, and perhaps a chapter on Clean-up.

The sixth part is the most important one: the Findings. In this chapter you describe everything you found during your assessment. So let's talk about findings. There are a few things every finding should have. First, obviously, a name; this is just to differentiate between the various findings. Then the risk, which can be critical, high, medium or low, and perhaps informational. The risk is basically a combination of the exploitability of the finding and its severity.

The next one is the Summary. As I said, many people are not going to read the whole report; they will just read the executive summary and maybe the summary of each finding. The summary should summarize the finding in a few sentences and state what the root cause of the problem is and what the impact of the vulnerability is.

Then comes the Finding Description. This is where you give all the information about the vulnerability that you can: why the problem happens, what the vulnerability really is, a proof-of-concept attack with screenshots, a clear guide on how to reproduce the problem so that the developers can test it themselves, and anything else you find important for describing this exact vulnerability. Then it can have an Exploitability section, which explains in a few sentences how difficult it is to exploit this vulnerability and what the attacker would need in terms of skill set, technology, access rights or anything else to exploit the problem. The last one is Severity. This explains the impact of the problem: what can an attacker do when he exploits it? Can he just read data, or can he also write data or change the application? So this is the scenario of what an attacker would do when he exploits this problem. Some companies have different fields, or even more of them, but I think these are the most important. Also, your readers may be technically skilled people but probably not security-skilled, so you might not have to explain what an HTTP request is, but when it comes to security matters you have to clarify everything and be really clear in your descriptions.
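As an added example (not code from the original post), here is a small Python model of a finding that enforces the fields described above, derives the risk rating from exploitability and severity, and renders the chapters in the post's order with the most critical findings first. The 1 to 3 scales and the 3x3 product matrix are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass, field

RISK_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


def rate_risk(exploitability: int, severity: int) -> str:
    """Combine exploitability (1=hard .. 3=trivial) and severity (1=minor ..
    3=major) into a risk label. This 3x3 product scale is an assumption."""
    for name, value in (("exploitability", exploitability), ("severity", severity)):
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    score = exploitability * severity  # 1..9
    for threshold, label in ((9, "Critical"), (6, "High"), (3, "Medium"), (2, "Low")):
        if score >= threshold:
            return label
    return "Info"


@dataclass
class Finding:
    name: str
    summary: str          # root cause and impact in a few sentences
    description: str      # why it happens, proof of concept, reproduction steps
    exploitability: int   # what an attacker needs (skills, access, tooling), 1..3
    severity: int         # what an attacker gains (read, write, control), 1..3
    risk: str = field(init=False)

    def __post_init__(self):
        # Every finding must carry the fields the post lists; reject empty ones.
        for attr in ("name", "summary", "description"):
            if not getattr(self, attr).strip():
                raise ValueError(f"finding is missing its {attr}")
        self.risk = rate_risk(self.exploitability, self.severity)


def sort_findings(findings: list) -> list:
    """Most critical first, so both summary and findings chapter lead with them."""
    return sorted(findings, key=lambda f: RISK_ORDER.index(f.risk), reverse=True)


def render_report(customer: str, scope: list, findings: list, top: int = 3) -> str:
    """Render the chapters in the post's order: executive summary, scope, findings."""
    ordered = sort_findings(findings)
    lines = [f"# Penetration Test Report: {customer}", "", "## Executive Summary"]
    lines += [f"- {f.risk}: {f.name}. {f.summary}" for f in ordered[:top]]
    lines += ["", "## Scope"] + [f"- {item}" for item in scope]
    lines += ["", "## Findings"]
    for f in ordered:
        lines += [f"### {f.name} ({f.risk})", f.summary, "", f.description,
                  f"Exploitability: {f.exploitability}/3, Severity: {f.severity}/3", ""]
    return "\n".join(lines)
```

Disclaimer, methodology and clean-up chapters are static text in practice and are left out of the renderer; the `top` argument limits how many findings the executive summary repeats.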



Reviewed by Admin on April 12, 2020. Rating: 5

2 comments:

  1. You have done a good job by publishing this article about Computer Forensic company London. I appreciate the efforts you have put into this article; it is a beneficial article for us. Thanks for sharing such informative thoughts.

  2. I generally check this kind of article, and I found your article, which is related to my interest. Genuinely, it is good and instructive information. Thank you for sharing an article like this. Cyber Security Training And Awareness Canada

