Security Basics mailing list archives
Re: Penetration testing report,
From: intel96 <intel96 () bellsouth net>
Date: Sat, 09 Sep 2006 12:10:56 -0400
IRM,

Since I left the government in the late 90's I have seen a lot of security reports from most of the major vendors (I will not mention names since some monitor these lists). Several of my clients have shown me these reports and most were produced from the vendor's security tools. One of my clients had a report from one of the main security vendors that was over 1000+ pages long printed. The client stated that the report provided no value because it was too big to digest and has never used that company again.

I believe the best reports are ones that are customized to meet the client's business and security objectives. I always work with the client during the report writing phase to ensure that it meets their needs. I will often rework the report as needed. This does not mean I remove security issues found, but it does mean that I will rephrase language within the report to be more politically correct, especially when major issues are found.

Another major factor in report writing, especially as a third-party consultant working for a company (e.g. a telecom company) that sells security services to their clients, is to understand their report formats prior to an engagement. Once I conducted an engagement through a major telecom company for one of their clients that had purchased IDS/IPS products and MSSP services from the telecom. The technical part of the engagement went well, because I gained access to the client's web servers and back-end database, but the report writing ate into my profit GREATLY. The major reasons were that I did not understand the telecom's report writing style and that I compromised their client's network just after they sold the client $1 million in security hardware and MSSP services. The project was supposed to show the client that the investment in hardware and MSSP services would protect them, but it failed and jobs were now on the line.

A two-week engagement turned into two months, because I failed to understand both parties' business and security objectives and their reporting format.

Another factor that I have learned in report writing is to develop something that will set you apart from the others. For larger clients I sometimes write customized web-enabled reports that have more detail than the printed ones. The last factor is to spend the extra money in binding the report professionally. Some security companies that have consulting arms will not spend $100+ dollars to bind a report professionally even though their client paid them thousands and sometimes tens of thousands to conduct the project!

That is enough for now.

Intel96

IRM wrote:
Hi all,

Most of the penetration testing reports that I have seen are basically only doing scanning and patch assessment using common tools like Nessus and Microsoft Baseline Analyzer. Is this common? I was wondering what a decent penetration testing report looks like.

Cheers,
John

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------