Penetration Testing mailing list archives
Re: Reporting aspect of pen-testing
From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Mon, 1 Dec 2003 21:50:33 -0500 (EST)
TJ,

Depending on the organisation, you are probably going to have different audiences for the pentesting report. It will be useful for managers to be able to quickly understand what the business impact of the pentest is without getting into the details, while the sys admins and security staff would be keen to see all the gory details. I'd suggest the following layout:

*Introduction

*Objectives

*Scope
- What did you do, which system did you test, what tests did you omit, etc.

*Executive Summary
- Summary of findings at a high level. Bear in mind that your reader is a manager and wants to know what the real risks are; try and use simple language (and mono-syllables ;-) )
- Business impact of findings: what do these findings mean to the business? How and where can they lose money?
- Recommendation: again high level, focus more on processes than on individual items. If their IIS server is full of holes, suggest a regular process of patching, etc.

*Methodology
- Some more detail on the methodology you followed.

*Technical Findings
- A tabular list of each finding. This could include a finding number, vulnerability name, description, severity rating, references, fix information. Try and organise this so that it is useful for the reader, e.g. group according to business unit, or a long list according to severity.

*Conclusion
- What was the overall rating? How does this client compare to others in the same industry? Is this the kind of security you'd expect for their industry?

*Appendix
- List relevant technical details like port scan results, screenshots that prove vulnerabilities, vuln scan results, etc.

Remember that the report is confidential information and distribution should be treated with care.

cheers,
Stephen
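The "Technical Findings" section above calls for a table of findings that can be presented either as one long list ordered by severity or grouped by business unit. The following is an added example (not part of Stephen's post or the original thread) showing one way to hold findings in a machine-readable form so both views come from the same data, with a check that every rating is on the agreed scale and that finding numbers (which the appendix cross-references) are unique. The severity scale, the `Finding` fields and the sample findings are assumptions constructed for the example, not data from any real engagement.

```python
"""Findings table for a pen-test report: one list sorted by severity, or grouped by business unit."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed severity scale, most severe first. The rank drives sorting; the label is what
# appears in the report. Clients often have their own scale; agree it in the scoping phase.
SEVERITY_RANK: Dict[str, int] = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


@dataclass(frozen=True)
class Finding:
    number: str           # stable id such as "F-03", used to cross-reference appendix evidence
    name: str             # short vulnerability name
    description: str
    severity: str         # must be a key of SEVERITY_RANK
    business_unit: str
    references: List[str]  # e.g. vendor advisories; empty list when none
    fix: str


def rating_errors(findings: List[Finding]) -> List[str]:
    """Return problems that would make the table inconsistent: unknown ratings or duplicate ids."""
    errors: List[str] = []
    seen = set()
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            errors.append(f"{f.number}: unknown severity {f.severity!r}")
        if f.number in seen:
            errors.append(f"duplicate finding number {f.number}")
        seen.add(f.number)
    return errors


def by_severity(findings: List[Finding]) -> List[Finding]:
    """One long list, most severe first; ties keep finding-number order."""
    errors = rating_errors(findings)
    if errors:
        raise ValueError("; ".join(errors))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.number))


def by_business_unit(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group per business unit, each group ordered most severe first."""
    groups: Dict[str, List[Finding]] = {}
    for f in by_severity(findings):
        groups.setdefault(f.business_unit, []).append(f)
    return groups


def render_table(findings: List[Finding]) -> str:
    """Plain-text table with the columns the post lists (description/references belong in the detail pages)."""
    header = ("No.", "Severity", "Vulnerability", "Business unit", "Fix")
    rows = [(f.number, f.severity, f.name, f.business_unit, f.fix) for f in findings]
    widths = [max(len(r[i]) for r in [header] + rows) for i in range(len(header))]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*header), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*r) for r in rows]
    return "\n".join(lines)


# Constructed sample findings for illustration only; not from any real engagement.
SAMPLE = [
    Finding("F-01", "Default credentials on management interface",
            "Vendor default login accepted on the device web console.", "High", "Finance", [],
            "Change credentials; enforce a credential policy for new kit"),
    Finding("F-02", "Missing OS security patches",
            "Servers several months behind on vendor updates.", "Critical", "Retail", [],
            "Establish a regular patching process with ownership"),
    Finding("F-03", "Verbose server banner",
            "Web server discloses exact version string.", "Low", "Finance", [],
            "Suppress version disclosure"),
    Finding("F-04", "Weak TLS configuration",
            "Legacy cipher suites still offered.", "Medium", "Retail", [],
            "Disable legacy ciphers; review configuration baseline"),
]

if __name__ == "__main__":
    print(render_table(by_severity(SAMPLE)))
    for unit, items in sorted(by_business_unit(SAMPLE).items()):
        print(f"\n== {unit} ==")
        print(render_table(items))
```

Keeping the findings as structured records rather than prose means the executive summary counts, the severity-ordered list and the per-business-unit view are all generated from the same source, so they cannot disagree with each other when a rating is changed late in the write-up.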
Hi folks,

I am putting together a pen testing proposal as part of my final Master's project. If it's good enough, it will lead to a full pen test of a real network. This list has been very helpful with the technology background, but the part I am stuck on right now is the reporting piece.

When a pen-test is complete, what do you include in the report? How do you structure the information for business contacts? I imagine raw data is often not helpful in many cases.

Any hints or tips would be greatly appreciated.

Thank you,
TJ