Penetration Testing mailing list archives

Re: web app pentest report


From: Pete Herzog <lists () isecom org>
Date: Fri, 08 Aug 2008 11:29:47 +0200

Hi,

explanation, and 3) HOW TO FIX THE ISSUE!! You would not believe what

If you can reliably fix the issue then I recommend you suggest it. Since you won't know their infrastructure as well as them, you should consider fixes that include changes to internal processes, architecture, controls, and the service environment. Don't help trap them in the poor bug/patch/upgrade security cycle. Make suggestions that would show that with the right environmental changes or added controls a flaw in the application will have no adverse impact.

Also consider your job as telling them what they did right as well as what's wrong. This will help them apply the right things to everything.

Look also at the report standard for OSSTMM. That's a good guide as to
how a report should look. Alter it around for an app assessment.

OSSTMM 3.0 LITE, out now (www.osstmm.org), contains the Security Test Audit Report (STAR), which is already used by various companies in web app pen tests. There's nothing there to adjust. But you will need to follow it with a list of problems you found.

Sincerely,
-pete.


