Penetration Testing mailing list archives
RE: Reporting aspect of pen-testing
From: "Brewis, Mark" <mark.brewis () eds com>
Date: Tue, 2 Dec 2003 11:09:30 -0000
TJ, Over time (and I appreciate that you don't have that luxury,) you develop your own style in reporting. There is no one report template that fits all jobs. What you do have though, as other posters have pointed out, is a basic structure, which is some variation on: - Executive Summary - Scope - Detailed Reporting - Risk Assessment - Conclusions and Recommendations - Technical Annexes and Appendices If you think of the Executive Summary as a separate document that can be taken off the front of your report and distributed separately, you won't go wrong. Scope - what when why how and why not. Detailed Reporting and Risk Assessment needn't be separate sections. Recommendations can range from the highly detailed to the generic - it very much depends on what the client wants. Annexes and Appendices can include your evidence, tool output, advisories, patch status lists etc. Again, this depends on the job and the client. The important part for the client is (generally) the Risk Assessment (as an extrapolation of findings.) The question you are answering is "What does what you have found mean for me?" The reporting of an assessment of risk is a complex process. The technical side (the severity of a vulnerability) is easy enough to assess, but modelling that within the client environment can be a remarkably difficult task. You don't know their business as well as your client does. All you can really do is assist them in making their own conclusions on risk for their environment, by presenting your findings clearly, and in a context they can understand. There is a huge amount of information out there on risk - some of it is too simplistic, other papers and models are too complex or academic to use on a daily basis. Finding one that you are comfortable with, and learning how to interpret technical results to fit the model, takes time. A good starting point is: NIST Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, Special Publication 800-30: Gary Stoneburner, Alice Goguen, and Alexis Feringa. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf This is a concise, model, with an easy to understand matrix. Hope this helps, Good Luck with the Masters, Mark Brewis Security Consultant EDS Information Assurance Group Wavendon Tower Milton Keynes Buckinghamshire MK17 8LX. Tel: +44 (0)1908 28 4013 Mbl: +44 (0)7989 291 648 Fax: +44 (0)1908 28 4393 E@: mark.brewis () eds com This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or opinions presented are solely those of the author. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly prohibited. Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software viruses. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Reporting aspect of pen-testing riptide (Dec 01)
- <Possible follow-ups>
- Re: Reporting aspect of pen-testing Stephen de Vries (Dec 01)
- Re: Reporting aspect of pen-testing Anders Thulin (Dec 01)
- Re: Reporting aspect of pen-testing Carlos Eduardo Pinheiro (Dec 01)
- Re: Reporting aspect of pen-testing Ivan Arce (Dec 03)
- RE: Reporting aspect of pen-testing Brewis, Mark (Dec 03)
- RE: Reporting aspect of pen-testing Cotter, Joe (Dec 12)