Penetration Testing mailing list archives

Re: Reporting aspect of pen-testing


From: riptide () idle curiosity org
Date: Mon, 1 Dec 2003 01:37:32 -0600 (CST)

TJ,

I would recommend the following outline:
        a short executive summary listing the date of the pen-test
(assessment) and report summary, including items such as the top
findings and any reactive actions taken.
Executive Summary
Introduction
        scope
        methodology
        overall assumptions
The strategic findings and recommendations
The tactical findings and recommendations


It's great to list all findings and list them in order from highest to
lowest risk of exploitation.

R - T

On Sun, 30 Nov 2003, TJ O'Grady wrote:

Hi folks,

I am putting together a pen testing proposal as part of my final 
Master's project. If it's good enough, it will lead to a full pen test 
of a real network. This list has been very helpful with the technology 
background, but the part I am stuck on right now is the reporting 
piece. When a pen-test is complete, what do you include in the report? 
How do you structure the information for business contacts? I imagine
raw data is often not helpful in many cases. Any hints or tips would
be greatly appreciated.

Thank you,
TJ

