Next up we have the remediation report, which contains the overall recommendations that, once
implemented, would improve the security of the organization. This section is of particular interest
to the management class, as they are the ones who will enforce the security policies of the
organization.
As mentioned earlier, these readers may or may not be technical; therefore the remediation report
should be precise and easy to understand. Measures that would improve overall security, such as
adopting a secure development life cycle (SDLC), deploying a firewall, and installing an intrusion
detection system, should be recommended. The following is an example of what a remediation
report should look like:
Vulnerability Assessment Summary
Next, we have the vulnerability assessment summary, sometimes referred to as the "findings summary." This is where we present the findings from our engagement. Things such as the overall
strengths and weaknesses and a risk assessment summary can also be included in this section.
"A picture speaks a thousand words" is a brilliant quotation that all of us remember from our
childhood, don't we? Behold, for now it's time to see it put to actual use. It always helps to include
charts in your report, as they give the audience a better understanding of the vulnerabilities
that were found. Security executives will be interested in this portion of the report, as they are the
ones who need to enforce the countermeasures.
There are different ways of representing vulnerability assessment output as graphical charts. Personally, I include two graphs: the first classifies the findings by severity, and the second
shows each severity level as a percentage of the total findings.
Tabular Summary
A tabular summary is also a great way to present the findings of a vulnerability assessment to a
customer. The following screenshot comes directly from the "NII Report"; it summarizes the
vulnerability assessment by the number of live hosts and also gives the number of
findings rated high, moderate, or low risk.
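The two views described above (the severity and percentage breakdown for the charts, and the per-host table of high, moderate and low findings) can be produced from one list of findings. The following is an added example, not the book's or the NII report's own code; the hosts and findings in it are constructed sample data, not real scan output.

```python
"""Summarise vulnerability findings by host and by severity.
Added example; FINDINGS below is constructed sample data."""
from collections import Counter, defaultdict

SEVERITIES = ("High", "Moderate", "Low")

# Constructed sample findings: (live host, severity, short title)
FINDINGS = [
    ("10.0.0.5", "High", "Outdated web server"),
    ("10.0.0.5", "Moderate", "Directory listing enabled"),
    ("10.0.0.5", "Low", "Server banner disclosure"),
    ("10.0.0.7", "High", "Default credentials on admin console"),
    ("10.0.0.7", "Low", "Missing HTTP security headers"),
    ("10.0.0.9", "Moderate", "Weak TLS cipher suites"),
]


def summarize(findings):
    """Return live-host count, per-host counts, overall counts and
    the share of each severity level as a percentage of all findings."""
    per_host = defaultdict(Counter)
    for host, severity, _title in findings:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity}")
        per_host[host][severity] += 1
    overall = Counter()
    for counts in per_host.values():
        overall.update(counts)
    total = sum(overall.values())
    percent = {s: round(100 * overall[s] / total, 1) if total else 0.0
               for s in SEVERITIES}
    return {
        "live_hosts": len(per_host),
        "per_host": {h: {s: c[s] for s in SEVERITIES}
                     for h, c in sorted(per_host.items())},
        "overall": {s: overall[s] for s in SEVERITIES},
        "percent": percent,
    }


def render_table(summary):
    """Plain-text tabular summary: one row per live host, then totals
    and the percentage row that feeds the second chart."""
    rows = [f"{'Host':<12}" + "".join(f"{s:>10}" for s in SEVERITIES)]
    for host, counts in summary["per_host"].items():
        rows.append(f"{host:<12}" + "".join(f"{counts[s]:>10}" for s in SEVERITIES))
    rows.append(f"{'Total':<12}" + "".join(f"{summary['overall'][s]:>10}" for s in SEVERITIES))
    rows.append(f"{'Percent':<12}" + "".join(f"{summary['percent'][s]:>9}%" for s in SEVERITIES))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(summarize(FINDINGS)))
```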