Penetration Testing mailing list archives

Re: Reporting aspect of pen-testing


From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Mon, 1 Dec 2003 21:50:33 -0500 (EST)


TJ,

Depending on the organisation, you are probably going to have different
audiences for the pentesting report.  It will be useful for managers to
be able to quickly understand what the business impact of the pentest is
without getting into the details, while the sys admins and security staff
would be keen to see all the gory details.  I'd suggest the following
layout:

*Introduction
*Objectives
*Scope
   - What did you do, which system did you test, what tests did you omit etc.
*Executive Summary
   - Summary of findings at a high level.  Bear in mind that your reader
is a manager and wants to know what the real risks are, try and use
simple language (and mono-syllables ;-) )
   - Business impact of findings: what do these findings mean to the
business?  How and where can they lose money?
   - Recommendation: again high level, focus more on processes than on
individual items.  If their IIS server is full of holes, suggest a
regular process of patching etc.

*Methodology
   - Some more detail on the methodology you followed.
*Technical Findings
   - A tabular list of each finding.  This could include a finding number,
vulnerability name, description, severity rating, references, fix
information.  Try and organise this so that it is useful for the
reader, e.g. group according to business unit, or a long list according
to severity.

*Conclusion
   - What was the overall rating?  How does this client compare to others
in the same industry?  Is this the kind of security you'd expect for
their industry?

*Appendix
List relevant technical details like port scan results, screen shots that
prove vulnerabilities, vuln scan results etc.

Remember that the report is confidential information and distribution
should be treated with care.


cheers,
Stephen


Hi folks,

I am putting together a pen testing proposal as part of my final
Master's project. If it's good enough, it will lead to a full pen test
of a real network. This list has been very helpful with the technology
background, but the part I am stuck on right now is the reporting
piece. When a pen-test is complete, what do you include in the report?
How do you structure the information for business contacts, I imagine
raw data is often not helpful in many cases. Any hints or tips would
be greatly appreciated.

Thank you,
TJ

