Penetration Testing mailing list archives

RE: Penetration Test Report


From: "Frye, Dan" <Dan.Frye () cedarcrestone com>
Date: Wed, 8 Jul 2009 14:30:28 -0400

I agree with your points on a report being simple and direct without the
"fluff" that seems to be regarded as necessary by some (most?) PT
vendors (I've already bought the service, I don't need the sales pitch
on what your other offerings are or 4 pages of company history). 

Something I would add is that PT vendors habitually provide a "report"
but a "report" isn't what I really need (you are correct that in most
orgs "the report serves to justify the derived value around these
parts"). In every PT/VA they *always* come back with something, even if
it's a couple of pages of informational "you shouldn't do this" which for
some business reason or another you've been forced to accept on your
LAN/WAN. However, it's always necessary as security manager/CSO/CISO to
take that information and go evaluate it - is the business case still
valid? But a report doesn't help me do that - it gives me a 70 page
document to give to management, who doesn't read it because it's 70
pages, and then I have to make heads or tails of it. Assuming you have
some criticals, highs, etc. in there too makes it even more important to
go evaluate the report contents.

What I really need (speaking as a generic security manager) is
"actionable documentation". Taking my target audience into
consideration, here's what I can find useful.

- An executive report no more than 2 pages in length which I can use as
a talking agenda during a 15 minute briefing. Graphs like "attack
complexity vs mean time to patch" help identify the quick wins with the
most risk, "% breakdown of criticality levels (critical, high, low,
etc.)" to speak to the criticality of our specific attacks, etc. There
are a lot of neat ways to cut up the metrics to help get your point
across to Exec mgmt but a 70 page report is not it.

- A working list of vulnerabilities, their priority, with extra columns
of team ownership (unix, dba, windows, etc). If I got the report you
submitted as part of a real engagement, the tables in section 6.4 would
immediately be copied into a spreadsheet, I'd tack on a few columns
specific for my environment like owner, due date, status update, handler
notes, etc., then send it to my department heads. So why make that extra
step? Provide that report in an XLS already, easily modifiable, and you
just saved me half a day of copy and paste work. Maybe a DB extract as
well, although it's pretty trivial to export from xls to a csv and
import in your vuln tracking system.

- Break down the vulns in multiple ways. Most PT/VA vendors do it by
criticality, but that doesn't help show me the real picture of my
environment. Are all the high vulns in my web application, and all the
lows in my Unix servers? At least make a stab at trending the data. Even
applying 30 minutes to looking for patterns will pay its weight in gold
with a client. Help them find their process flaws - better server
patching, a particular application that has the majority of the holes,
etc. is where you can really derive good business intelligence, past the
specific action items of remediating the vulns found. And that adds
value to you as an organization which differentiates you from your
competitors.

- Send me something I can modify - doc, csv, xls. PDF is great... but a
bear to transform into what I can disseminate internally to my teams,
management, etc. I wouldn't even suggest sending a 70 page report out to
a non-security guy/gal.

- Examples, screenshots, how-to. That's in the doc towards the back and
is good info - nothing proves your point better than a real example.
Most times mgmt or the business unit will look at you and say "prove it"
or "show me" and those go a long way towards getting them to take
action.

That's my 2 cents, hope it helps,

Daniel
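One way to build the working list and the breakdowns the reply asks for (owner/due date/status columns, a CSV ready for a spreadsheet, counts by criticality and by team or asset class). This is an added example, not code from the post or from the OSSAR report; the findings, team names and per-severity SLA days are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample findings (not taken from the OSSAR report).
FIELDS = ["id", "title", "severity", "asset", "team"]
RAW = [
    ("F-01", "Outdated OpenSSH build", "high", "unix", "unix"),
    ("F-02", "SQL injection in login form", "critical", "webapp", "appdev"),
    ("F-03", "Missing OS patches", "low", "unix", "unix"),
    ("F-04", "Weak DB password policy", "high", "database", "dba"),
    ("F-05", "Verbose error pages", "low", "webapp", "appdev"),
]
FINDINGS = [dict(zip(FIELDS, r)) for r in RAW]
# Assumed remediation SLA in days per severity; pick your own numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "info": 365}
TRACKER_COLUMNS = FIELDS + ["owner", "due_date", "status", "handler_notes"]

def tracker_rows(findings, report_date):
    """Add owner/due date/status/notes columns, most urgent finding first."""
    start = date.fromisoformat(report_date)
    rows = []
    for f in findings:
        due = start + timedelta(days=SLA_DAYS[f["severity"]])
        rows.append({**f, "owner": "", "due_date": due.isoformat(),
                     "status": "open", "handler_notes": ""})
    order = list(SLA_DAYS)  # dict order runs critical..info
    rows.sort(key=lambda r: order.index(r["severity"]))
    return rows

def tracker_csv(rows):
    """Render the working list as CSV text, ready for a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TRACKER_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def breakdown(findings, by):
    """Count findings per value of one column (severity, asset, team...)."""
    return dict(Counter(f[by] for f in findings))

def cross_tab(findings, row_key, col_key):
    """Two-way breakdown, e.g. severity per asset class, to spot patterns."""
    table = {}
    for f in findings:
        table.setdefault(f[row_key], Counter())[f[col_key]] += 1
    return {k: dict(v) for k, v in table.items()}
```

The cross tab is what answers "are all the highs in the web app and all the lows on the Unix boxes" without reading the whole report.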


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of fx0ne
Sent: Wednesday, July 08, 2009 12:13 PM
To: pen-test () securityfocus com
Subject: Penetration Test Report


Hi all,

I have been an information security consultant/pen tester for about 6
years working with a company that has been an OSSTMM gold team member
for about two years and been using the methodology for close to five
years now even though we are mainly operating out of Africa where PT is
still being regarded as some sort of "black art". Most of our clients
are big financial institutions and conglomerates.

Let me cut to the chase. I would like to share with you a VA/PT report
framework that I came up with from my experience consulting in this
field. It has a bias towards the OSSTMM methodology (in fact a few
points were extracted from its report). I do not know how reports are
structured in other parts of the world, but I do know that other than
the engagement itself, the report serves to justify the derived value
around these parts.

I have googled for sample reports but to say I came up short is a
masterpiece of understatement. What I found were either too verbose and
grandiose or downright shallow in content, missing out salient but
pertinent details in mostly audacious attempts at describing all the
technical input and results - detailed layout, logical flow and visual
analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first
we have to jettison the PT myth. Furthermore I am also of the opinion
that a VA/PT report should be as simple and clear as it is concise and
should cut across all strata of audience, not just the technically
minded.

All these put together led me to put up what is the first draft of the
Open Source Security Assessment Report (OSSAR v0.5) which I hope will
complement the OSSTMM. This is something that will be updated as often
as I can with new information. I will kindly request members of this
group to download it and give an objective opinion on the material. I am
very much interested in what this community thinks. Comments (+ve or
-ve), suggestions and modifications are welcomed. A review by Pete will
also be highly appreciated.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC
carried out by another fictitious company Cynergi Solutions Inc. All
names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities
discussed have actually occurred for real but I have replaced all the
pesky details.

The report is attached or it can be downloaded at
http://digitalencode.net/ossar/ossar_v0.5.pdf

Looking forward to your feedback.

Thank you
-- 
View this message in context:
http://www.nabble.com/Penetration-Test-Report-tp24393503p24393503.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

