Penetration Testing mailing list archives
RE: Penetration Test Report
From: "Frye, Dan" <Dan.Frye () cedarcrestone com>
Date: Wed, 8 Jul 2009 14:30:28 -0400
I agree with your points on a report being simple and direct without the "fluff" that seems to be regarded as necessary by some (most?) PT vendors (I've already bought the service, I don't need the sales pitch on what your other offerings are or 4 pages of company history).

Something I would add is that PT vendors habitually provide a "report", but a "report" isn't what I really need (you are correct that in most orgs "the report serves to justify the derived value around these parts"). In every PT/VA they *always* come back with something, even if it's a couple of pages of informational "you shouldn't do this" which for some business reason or another you've been forced to accept on your LAN/WAN. However, it's always necessary as security manager/CSO/CISO to take that information and go evaluate it: is the business case still valid? But a report doesn't help me do that. It gives me a 70 page document to give to management, who don't read it because it's 70 pages, and then I have to make heads or tails of it. Assuming you have some criticals, highs, etc. in there too makes it even more important to go evaluate the report contents.

What I really need (speaking as a generic security manager) is "actionable documentation". Taking my target audience into consideration, here's what I can find useful.

- An executive report no more than 2 pages in length which I can use as a talking agenda during a 15 minute briefing. Graphs like "attack complexity vs. mean time to patch" help identify the quick wins with the most risk, "% breakdown of criticality levels (critical, high, low, etc.)" to speak to the criticality of our specific attacks, etc. There are a lot of neat ways to cut up the metrics to help get your point across to exec mgmt, but a 70 page report is not it.

- A working list of vulnerabilities, their priority, with extra columns of team ownership (unix, dba, windows, etc.). If I got the report you submitted as part of a real engagement, the tables in section 6.4 would immediately be copied into a spreadsheet, I'd tack on a few columns specific to my environment like owner, due date, status update, handler notes, etc., then send it to my department heads. So why make that extra step? Provide that report in an XLS already, easily modifiable, and you just saved me half a day of copy and paste work. Maybe a DB extract as well, although it's pretty trivial to export from XLS to a CSV and import into your vuln tracking system.

- Break down the vulns in multiple ways. Most PT/VA vendors do it by criticality, but that doesn't help show me the real picture of my environment. Are all the high vulns in my web application, and all the lows in my Unix servers? At least make a stab at trending the data. Even applying 30 minutes to looking for patterns will pay its weight in gold with a client. Help them find their process flaws: better server patching, a particular application that has the majority of the holes, etc. is where you can really derive good business intelligence, past the specific action items of remediating the vulns found. And that adds value to you as an organization, which differentiates you from your competitors.

- Send me something I can modify: doc, csv, xls. PDF is great... but a bear to transform into what I can disseminate internally to my teams, management, etc. I wouldn't even suggest sending a 70 page report out to a non-security guy/gal.

- Examples, screenshots, how-to. That's in the doc towards the back and is good info; nothing proves your point better than a real example. Most times mgmt or the business unit will look at you and say "prove it" or "show me", and those go a long way towards getting them to take action.

That's my 2 cents, hope it helps,

Daniel

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of fx0ne
Sent: Wednesday, July 08, 2009 12:13 PM
To: pen-test () securityfocus com
Subject: Penetration Test Report

Hi all,

I have been an information security consultant/pen tester for about 6 years, working with a company that has been an OSSTMM gold team member for about two years, and have been using the methodology for close to five years now, even though we are mainly operating out of Africa where PT is still being regarded as some sort of "black art". Most of our clients are big financial institutions and conglomerates.

Let me cut to the chase. I would like to share with you a VA/PT report framework that I came up with from my experience consulting in this field. It has a bias towards the OSSTMM methodology (in fact a few points were extracted from its report). I do not know how reports are structured in other parts of the world, but I do know that, other than the engagement itself, the report serves to justify the derived value around these parts.

I have googled for sample reports, but to say I came up short is a masterpiece of understatement. What I found were either too verbose and grandiose or downright shallow in content, missing out salient but pertinent details in mostly audacious attempts at describing all the technical input and results; detailed layout, logical flow and visual analysis are conspicuous only by their absence.

I have always believed that in order to get inside the mentality, first we have to jettison the PT myth. Furthermore, I am also of the opinion that a VA/PT report should be as simple and clear as it is concise, and should cut across all strata of audience, not just the technically minded. All these put together led me to put up what is the first draft of the Open Source Security Assessment Report (OSSAR v0.5), which I hope will complement the OSSTMM.

This is something that will be updated as often as I can with new information. I will kindly request members of this group to download it and give an objective opinion on the material. I am very much interested in what this community thinks. Comments (+ve or -ve), suggestions and modifications are welcomed. A review by Pete will also be highly appreciated.

This is a VA/PT report for a fictitious bank called eClipse Bank PLC, carried out by another fictitious company, Cynergi Solutions Inc. All names, URLs, IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually occurred for real, but I have replaced all the pesky details.

The report is attached or it can be downloaded at http://digitalencode.net/ossar/ossar_v0.5.pdf

Looking forward to your feedback.

Thank you

--
View this message in context: http://www.nabble.com/Penetration-Test-Report-tp24393503p24393503.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
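The "actionable documentation" Dan describes above, the severity-by-component breakdown and a spreadsheet-ready tracker with owner and due-date columns, is easy to generate from a flat findings list. The following is an added example written for this archive page; it is not code from either message, from the OSSAR report, or from any vendor tool. The findings, host names, component-to-team mapping and remediation SLA days are all constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Lower number = more severe; used for sorting and for the "at or above" cutoff.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Assumed remediation SLA in days per severity (hypothetical policy; set your own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "info": None}

# Constructed sample findings. Hosts and issues are fictitious illustration
# data, not taken from the OSSAR sample report or any real engagement.
FINDINGS = [
    {"id": "F-01", "title": "SQL injection in login form", "severity": "critical",
     "host": "www.bank.example", "component": "web app"},
    {"id": "F-02", "title": "Session token in URL", "severity": "high",
     "host": "www.bank.example", "component": "web app"},
    {"id": "F-03", "title": "Verbose error pages", "severity": "low",
     "host": "www.bank.example", "component": "web app"},
    {"id": "F-04", "title": "Unpatched OpenSSH", "severity": "high",
     "host": "unix01.bank.example", "component": "unix"},
    {"id": "F-05", "title": "Telnet enabled", "severity": "medium",
     "host": "unix02.bank.example", "component": "unix"},
    {"id": "F-06", "title": "SNMP public community", "severity": "low",
     "host": "unix02.bank.example", "component": "unix"},
    {"id": "F-07", "title": "SMB signing not required", "severity": "medium",
     "host": "dc01.bank.example", "component": "windows"},
    {"id": "F-08", "title": "Default sa password", "severity": "critical",
     "host": "db01.bank.example", "component": "database"},
    {"id": "F-09", "title": "Server banner discloses version", "severity": "info",
     "host": "www.bank.example", "component": "web app"},
]

# Hypothetical component-to-team mapping for the ownership column.
OWNERS = {"web app": "appdev", "unix": "unix-ops", "windows": "win-ops", "database": "dba"}


def by_component(findings):
    """Severity counts per component: shows whether the highs cluster in one
    application or platform instead of being spread evenly."""
    table = defaultdict(Counter)
    for f in findings:
        table[f["component"]][f["severity"]] += 1
    return {c: dict(counts) for c, counts in table.items()}


def severity_share(findings):
    """Percentage breakdown of criticality levels for the 2-page executive summary."""
    counts = Counter(f["severity"] for f in findings)
    total = sum(counts.values())
    return {s: round(100.0 * n / total, 1) for s, n in counts.items()}


def hotspots(findings, min_severity="high"):
    """Components ranked by number of findings at or above min_severity,
    worst first: the quick-win / process-flaw list for the briefing."""
    cutoff = SEVERITY_ORDER[min_severity]
    counts = Counter(f["component"] for f in findings
                     if SEVERITY_ORDER[f["severity"]] <= cutoff)
    return counts.most_common()


def tracker_rows(findings, owners, report_date):
    """Findings sorted by severity with owner/due/status/notes columns added,
    the columns a security manager would otherwise tack on by hand."""
    rows = []
    for f in sorted(findings, key=lambda x: (SEVERITY_ORDER[x["severity"]], x["id"])):
        sla = SLA_DAYS[f["severity"]]
        rows.append({
            **f,
            "owner": owners.get(f["component"], "unassigned"),
            "due": (report_date + timedelta(days=sla)).isoformat() if sla else "",
            "status": "open",
            "notes": "",
        })
    return rows


def tracker_csv(findings, owners, report_date):
    """Render the tracker as CSV text for a spreadsheet or vuln tracking DB import."""
    fields = ["id", "severity", "component", "host", "title",
              "owner", "due", "status", "notes"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(tracker_rows(findings, owners, report_date))
    return buf.getvalue()


if __name__ == "__main__":
    print(by_component(FINDINGS))
    print(severity_share(FINDINGS))
    print(hotspots(FINDINGS))
    print(tracker_csv(FINDINGS, OWNERS, date(2009, 7, 8)))
```

With the constructed data, `by_component` shows both criticals and both highs split between the web application and the database/unix hosts, while the Windows host carries only a medium; `hotspots` puts the web application first, which is the pattern Dan is asking vendors to surface rather than leaving the reader to dig it out of a criticality-sorted appendix. The CSV is the "XLS already" deliverable: it opens directly in a spreadsheet with the owner and due-date columns filled from the mapping and SLA table instead of being typed in by hand.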
Current thread:
- Penetration Test Report fx0ne (Jul 08)
- RE: Penetration Test Report Frye, Dan (Jul 08)
- Re: Penetration Test Report Randy Pacheco (Jul 09)
- Message not available
- Re: Penetration Test Report Brad Barkett (Jul 10)
- Message not available