Penetration Testing mailing list archives

Re: Reporting aspect of pen-testing


From: Ivan Arce <ivan.arce () corest com>
Date: Tue, 02 Dec 2003 16:31:31 -0300

Hello

On the subject of reporting, as many have pointed out, a good report should
be a lot more than just a list of the vulnerabilities found.

The report cited below has NO RELATION WHATSOEVER with the services
provided by Core Security Technologies (www.coresecurity.com), the company I
work for and which has been doing penetration testing since 1996.

But on to the topic... a penetration test final report should include at least the following:

1) An executive summary
A brief description of the work done. Goal, scope, timeline, budget, results and high-level recommendations for upper management or C-level executives, written in terms easily understandable for business- and process-oriented readers. This should explain why and how the money was spent and what the outcome of that expenditure is.

2) A detailed report that includes
 2.1 Definition and scope of the penetration test
 2.2 Goals of the penetration test.
 2.3 Methodology used
 2.4 Workplan (chronology/timeline of the test)
 2.5 Conclusions
     Explanation of the results with a high-level view of the organization
     and a clear description of the problems found and how they relate to the
     organization's business processes.
 2.6 General recommendations
     Suggestions on how to improve the security posture at a macro level;
     things like further segmentation of networks, deploying auditing
     and ID systems, strong password enforcement, security training,
     workstation hardening, implementing crypto in certain processes or
     components, changing authentication systems, etc. belong here.
 2.7 A list of annexes with specific information and pointers to solutions
     It should have at least one annex:
 2.7.1 Detailed findings
     List of all findings with at least the following qualifiers
      . Finding name or vulnerability ID
      . Risk level (this is arbitrary by nature but should be quantified in
        terms of the risk implied for the specific organization that the pentest
        was conducted for)
      . Vulnerability classification
        Exploitation of the vulnerability leads to problems in system
        availability (DoS), system integrity, data exposure, data
        integrity, etc. Choose your own classification but stick to it
        across the entire pentest and across all pentests.
      . Impact
        A brief description of the impact of exploitation.
      . Systems vulnerable (this applies not only to network systems but also to
        software components or business processes)
      . Resources
        Resources needed to exploit the vulnerability; this will help the
        reader qualify the potential attacker.
      . Description
        Obviously, an in-depth description of the problem and how to reproduce it.
      . Fix/workaround
        Description of how to fix the problem in the short term, workarounds
        and pointers to proper patches and alternative solutions.
      . References
        Pointers to related descriptions (CVEs, Bugtraq, etc.) and related
        problems.

-ivan

PS: Core Security Technologies (www.coresecurity.com) has no relation with "core-sec" or with any of their employees including an alleged "gera" apparently named after Core Security Technologies' employee Gerardo Richarte (gera) author of InlineEgg, the Insecure Programming exercises, CORE IMPACT exploits and speaker at several industry conferences.

---
Perscriptio in manibus tabellariorum est (The cheque is in the mail)
Noli me vocare, ego te vocabo (Don't call me, I'll call you)

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



Carlos Eduardo Pinheiro wrote:

Hi guy,

You can find useful information at http://www.isecom.org/; they developed
some guidelines covering how to conduct a security audit (including the
reporting part). I hope it helps.
You can also take a look at an example report from core security
(http://www.core-sec.com/examples/core_example_1.pdf).

Regards,

Carlos Eduardo Pinheiro - cabeca () gmx net
ICQ: 134439332
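The qualifiers listed under 2.7.1 are, in effect, a schema for one finding, and the point about sticking to one classification across all pentests is easy to lose once several testers write into the same annex. The following is an added example (not code from either message above, nor from Core Security Technologies) of a small findings-annex builder that enforces those qualifiers: every field must be filled, the classification must come from one fixed taxonomy, the risk level from one ordered scale, references must be CVE IDs, Bugtraq IDs or URLs, and the annex is emitted highest risk first. The field names, the taxonomy, the risk scale, the `Finding`/`validate`/`build_annex`/`systems_index`/`render` names and the sample findings are all assumptions constructed for illustration.

```python
# Added example, not part of the original post: a findings-annex builder that
# enforces the qualifiers listed under 2.7.1. Field names, the classification
# taxonomy, the risk scale and the sample findings are assumptions/constructed.
from dataclasses import dataclass, field
import re

# One fixed classification, kept identical across all pentests (the post's point):
# extend it deliberately, never per-report.
CLASSIFICATIONS = ("availability", "system integrity", "data exposure", "data integrity")
# Risk is organisation-specific and arbitrary by nature; the scale only has to be ordered.
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Accepted reference formats: CVE IDs, Bugtraq IDs, or URLs.
REF_RE = re.compile(r"^(CVE-\d{4}-\d{4,}|BID-\d+|https?://\S+)$")


@dataclass
class Finding:
    name: str            # finding name or vulnerability ID
    risk: str            # key of RISK_LEVELS
    classification: str  # one of CLASSIFICATIONS
    impact: str          # what exploitation gives the attacker
    systems: list        # hosts, software components or business processes
    resources: str       # what an attacker needs (qualifies the attacker)
    description: str     # in-depth description and reproduction steps
    fix: str             # short-term fix, workaround, pointers to patches
    references: list = field(default_factory=list)


def validate(f: Finding) -> list:
    """Return the list of things missing or inconsistent in one finding (empty list = OK)."""
    problems = []
    for attr in ("name", "impact", "resources", "description", "fix"):
        if not getattr(f, attr).strip():
            problems.append(f"{f.name!r}: missing {attr}")
    if f.risk not in RISK_LEVELS:
        problems.append(f"{f.name!r}: unknown risk level {f.risk!r}")
    if f.classification not in CLASSIFICATIONS:
        problems.append(f"{f.name!r}: classification {f.classification!r} not in the fixed taxonomy")
    if not f.systems:
        problems.append(f"{f.name!r}: no vulnerable systems listed")
    for ref in f.references:
        if not REF_RE.match(ref):
            problems.append(f"{f.name!r}: reference {ref!r} is not a CVE, BID or URL")
    return problems


def build_annex(findings: list) -> list:
    """Validate every finding; return them ordered for the annex (highest risk first, then by name)."""
    problems = [p for f in findings for p in validate(f)]
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(findings, key=lambda f: (-RISK_LEVELS[f.risk], f.name))


def systems_index(findings: list) -> dict:
    """Map each vulnerable system to the names of the findings affecting it (per-system view)."""
    index = {}
    for f in findings:
        for s in f.systems:
            index.setdefault(s, []).append(f.name)
    return index


def render(findings: list) -> str:
    """Plain-text rendering of the detailed-findings annex."""
    out = []
    for i, f in enumerate(build_annex(findings), 1):
        out.append(f"{i}. {f.name} [{f.risk}, {f.classification}]")
        out.append(f"   Impact: {f.impact}")
        out.append(f"   Systems: {', '.join(f.systems)}")
        out.append(f"   Resources: {f.resources}")
        out.append(f"   Description: {f.description}")
        out.append(f"   Fix/workaround: {f.fix}")
        out.append(f"   References: {', '.join(f.references) or 'none'}")
    return "\n".join(out)


# Constructed sample findings: illustrative only, not from any real engagement.
SAMPLE = [
    Finding("Default credentials on internal admin web interface", "high", "data exposure",
            "Full read access to customer records",
            ["intranet-app-01", "customer onboarding process"],
            "Network access to the intranet; no exploit code required",
            "The admin UI accepts the vendor default username/password. Repro: log in with the documented defaults.",
            "Change the credentials now; disable the default account and enforce a password policy in the next release.",
            ["https://example.com/internal-ticket"]),
    Finding("SNMP read community guessable from user VLAN", "medium", "data exposure",
            "Network topology and device configuration disclosure", ["core-switch-01"],
            "Network access to the user VLAN and an SNMP client",
            "The switch answers SNMP v2c queries with a guessable read community. Repro: snmpwalk with that community.",
            "Restrict SNMP to the management VLAN; migrate to SNMPv3.", []),
]
# A deliberately inconsistent finding: wrong scale, off-taxonomy class, empty fields, bad reference.
BAD = Finding("Inconsistent finding", "severe", "memory corruption", "", [], "", "", "", ["ticket #42"])

if __name__ == "__main__":
    print(render(SAMPLE))
    print("\nproblems in BAD:", *validate(BAD), sep="\n  ")
```

Rejecting an off-taxonomy classification at write time, rather than normalising it at layout time, is the design choice that keeps the annex comparable across engagements; the same applies to the risk scale, which the post rightly calls arbitrary but which must at least be the same arbitrary scale every time.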




