Penetration Testing mailing list archives
Re: Reporting aspect of pen-testing
From: riptide () idle curiosity org
Date: Mon, 1 Dec 2003 01:37:32 -0600 (CST)
TJ,

I would recommend the following outline: a short executive summary listing the date of the pen-test (assessment) and report summary, including items such as the top findings and any reactive actions taken.

Executive Summary
Introduction
    scope
    methodology
    overall assumptions
The strategic findings and recommendations
The tactical findings and recommendations

It's great to list all findings and list them in order from highest to lowest risk of exploitation.

R - T

On Sun, 30 Nov 2003, TJ O'Grady wrote:
Hi folks,

I am putting together a pen testing proposal as part of my final Master's project. If it's good enough, it will lead to a full pen test of a real network. This list has been very helpful with the technology background, but the part I am stuck on right now is the reporting piece.

When a pen-test is complete, what do you include in the report? How do you structure the information for business contacts? I imagine raw data is often not helpful in many cases.

Any hints or tips would be greatly appreciated.

Thank you,
TJ
Current thread:
- Re: Reporting aspect of pen-testing riptide (Dec 01)
- <Possible follow-ups>
- Re: Reporting aspect of pen-testing Stephen de Vries (Dec 01)
- Re: Reporting aspect of pen-testing Anders Thulin (Dec 01)
- Re: Reporting aspect of pen-testing Carlos Eduardo Pinheiro (Dec 01)
- Re: Reporting aspect of pen-testing Ivan Arce (Dec 03)
- RE: Reporting aspect of pen-testing Brewis, Mark (Dec 03)
- RE: Reporting aspect of pen-testing Cotter, Joe (Dec 12)