Security Basics mailing list archives

Re: Penetration testing report


From: intel96 <intel96 () bellsouth net>
Date: Sat, 09 Sep 2006 12:10:56 -0400

IRM,

Since I left the government in the late 90's I have seen a lot of
security reports from most of the major vendors (I will not mention
names since some monitor these lists).  Several of my clients have shown
me these reports and most were produced from the vendor's security
tools.  One of my clients had a report from one of the main security
vendors that was over 1000+ pages long printed.  The client stated that
the report provided no value because it was too big to digest and has
never used that company again.

I believe the best reports are ones that are customized to meet the
client's business and security objectives.  I always work with the
client during the report writing phase to ensure that it meets their
needs.  I will often rework the report as needed.  This does not mean I
remove security issues found, but it does mean that I will rephrase
language within the report to be more politically correct, especially
when major issues are found.

Another major factor in report writing especially as a third-party
consultant working for a company (e.g. a telecom company) that sells
security services to their clients is to understand their report formats
prior to an engagement.  Once I conducted an engagement through a major
telecom company for one of their clients that had purchased IDS/IPS
products and MSSP services from the telecom.  The technical part of the
engagement went well, because I gained access to the client's web
servers and back-end database, but the report writing ate into my profit
GREATLY.  The major reasons were that I did not understand the telecom's
report writing style and that I compromised their client's network just
after they sold the client $1 million in security hardware and MSSP
services.  The project was supposed to show the client that the
investment in hardware and MSSP services would protect them, but it
failed and jobs were now on the line.  A two-week engagement turned into
two months, because I failed to understand both parties' business and
security objectives and their reporting format.

Another factor that I have learned in report writing is to develop
something that will set you apart from the others.  For larger clients I
sometimes write customized web-enabled reports that have more detail
than the printed ones.

The last factor is to spend the extra money in binding the report
professionally.  Some security companies that have consultant arms will
not spend $100+ dollars to bind a report professionally even though
their client paid them thousands and sometimes tens of thousands to
conduct the project!


That is enough for now.

Intel96


IRM wrote:
Hi all,

Most of the penetration testing reports that I have seen are basically
only doing scanning and patch assessment using common tools like Nessus
and Microsoft Baseline Analyzer. Is this common? I was wondering what a
decent penetration report looks like.

Cheers,
John


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------