Penetration Testing mailing list archives
Penetration Test Report
From: fx0ne <seyi.akin () gmail com>
Date: Wed, 8 Jul 2009 09:12:38 -0700 (PDT)
Hi all,

I have been an information security consultant/pen tester for about 6 years, working with a company that has been an OSSTMM gold team member for about two years and has been using the methodology for close to five years now, even though we are mainly operating out of Africa, where PT is still being regarded as some sort of "black art". Most of our clients are big financial institutions and conglomerates.

Let me cut to the chase. I would like to share with you a VA/PT report framework that I came up with from my experience consulting in this field. It has a bias towards the OSSTMM methodology (in fact a few points were extracted from its report). I do not know how reports are structured in other parts of the world, but I do know that, other than the engagement itself, the report serves to justify the derived value around these parts.

I have googled for sample reports, but to say I came up short is a masterpiece of understatement. What I found were either too verbose and grandiose or downright shallow in content, missing out salient but pertinent details in mostly audacious attempts at describing all the technical input and results. Detailed layout, logical flow and visual analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we have to jettison the PT myth. Furthermore, I am also of the opinion that a VA/PT report should be as simple and clear as it is concise, and should cut across all strata of audience, not just the technically minded. All these put together led me to put up what is the first draft of the Open Source Security Assessment Report (OSSAR v0.5), which I hope will complement the OSSTMM. This is something that will be updated as often as I can with new information.

I will kindly request members of this group to download it and give an objective opinion on the material. I am very much interested in what this community thinks. Comments (+ve or -ve), suggestions and modifications are welcomed.
A review by Pete will also be highly appreciated.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC, carried out by another fictitious company, Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real, but I have replaced all the pesky details.

The report is attached, or it can be downloaded at http://digitalencode.net/ossar/ossar_v0.5.pdf

Looking forward to your feedback.

Thank you