Penetration Testing mailing list archives
Re: Reporting aspect of pen-testing
From: Ivan Arce <ivan.arce () corest com>
Date: Tue, 02 Dec 2003 16:31:31 -0300
Hello

On the subject of reporting, as many have pointed out, a good report should be a lot more than just listing the vulnerabilities found.

The report cited below has NO RELATION WHATSOEVER with the services provided by Core Security Technologies (www.coresecurity.com), the company I work for and which has been doing penetration testing since 1996.

But onto the topic... a penetration test final report should include at least the following:
1) An executive summary
   A brief description of the work done. Goal, scope, timeline, budget, results and high level recommendations for upper management or C-level executives, written in terms easily understandable for business and processes oriented readers. This should explain why and how the money was spent and what the outcome of that expenditure is.
2) A detailed report that includes
   2.1 Definition and scope of the penetration test
   2.2 Goals of the penetration test.
   2.3 Methodology used
   2.4 Workplan (chronology/timeline of the test)
   2.5 Conclusions
       Explanation of the results with a high level view of the organization and a clear description of the problems found and how they relate to the organization's business processes
   2.6 General recommendations
       Suggestions on how to improve the security posture at a macro level, things like further segmentation of networks, deploying auditing and ID systems, strong password enforcement, security training, workstation hardening, implementing crypto in certain processes or components, changing authentication systems, etc. belong here
   2.7 A list of annexes with specific information and pointers to solutions
       It should have at least one annex:
       2.7.1 Detailed findings
             List of all findings with at least the following qualifiers
             . Finding name or vulnerability ID
             . Risk level
               (this is arbitrary by nature but should be quantified in terms of risk implied to the specific organization that the pentest was conducted for)
             . Vulnerability classification
               Exploitation of the vulnerability leads to problems in system availability (DoS), system integrity, data exposure, data integrity, etc. Choose your own classification but stick to it across the entire pentest and across all pentests
             . Impact
               A brief description of the impact of exploitation
             . Systems vulnerable
               (not only applies to network systems but also to software components or business processes)
             . Resources
               Resources needed to exploit the vulnerability, this will help the reader qualify the potential attacker.
             . Description
               Obviously an in-depth description of the problem and how to repro it
             . Fix/workaround
               Description on how to fix the problem in the short term, workarounds and pointers to proper patches and alternative solutions.
             . References
               Pointers to related descriptions (CVEs, Bugtraq, etc) and related problems

-ivan

PS: Core Security Technologies (www.coresecurity.com) has no relation with "core-sec" or with any of their employees including an alleged "gera" apparently named after Core Security Technologies' employee Gerardo Richarte (gera), author of InlineEgg, the Insecure Programming exercises, CORE IMPACT exploits and speaker at several industry conferences.
---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

Carlos Eduardo Pinheiro wrote:
Hi guy,

You can find useful information at http://www.isecom.org/, they developed some guidelines covering how to proceed a security audit (including the reporting part).

I hope it helps.

You can also take a look at an example report from core security (http://www.core-sec.com/examples/core_example_1.pdf)

Regards,
Carlos Eduardo Pinheiro - cabeca () gmx net
ICQ: 134439332