Penetration Test Report

[fx0ne <seyi.akin () gmail com>]

Hi all,

I have been an information security consultant/pen tester for about 6 years
working with a company that has been an OSSTMM gold team member for about
two years and been using the methodology for close to five years now even
though we are mainly operating out of Africa where PT is still being
regarded as some sort of "black art". Most of our clients are big financial
institutions and conglomerates.

Let me cut to the chase. I would like to share with you a VA/PT report
framework that i came up with from my experience consulting in this field.
It has a bias towards the OSSTM methodology (infact a few points were
extracted from it's report). I do not know how reports are structured in
other parts of the world, but i do know that other than the engagement
itself, the report serves to justify the derived value around these parts.

I have googled for sample reports but to say i came up short is a
masterpiece of understatement. What i found were either too verbose and
grandiose or downright shallow in content missing out salient but pertinent
details in mostly audacious attempts at describing all the technical input
and results - Detailed layout, logical flow and visual analysis are
conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we
have to jettison the PT myth. Furthermore I am also of the opinion that a
VA/PT report should be as simple and clear as it is concise and should cut
across all strata of audience not just the technically minded.

All these put together led me to put up what is the first draft of the Open
Source Security Assessment Report (OSSAR v0.5) which i hope will complement
the OSSTMM. This is something that will be updated as often as i can with
new information. I will kindly request members of this group to download it
and give an objective opinion on the material. I am very much interested in
what this community thinks. Comments (+ve or -ve), suggestions and
modifications are welcomed. A review by Pete will also be highly
appreciated.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried
out by another fictitious company Cynergi Solutions Inc. All names, URLs,
IPs, etc are fictitious. Some of the vulnerabilities discussed have actually
occurred for real but i have replaced all the pesky details.

The report is attached or it can be downloaded at
http://digitalencode.net/ossar/ossar_v0.5.pdf

Looking forward to your feedback.

Thank you
-- 
View this message in context: http://www.nabble.com/Penetration-Test-Report-tp24393503p24393503.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------