In any penetration test, the report is the most crucial part. Writing a good report is key to successful penetration testing. The following are the key factors to a good report:
◾ Your report should be simple, clear, and understandable.
◾ Presentation of the report is also important. Headers, footers, appropriate fonts, well-spaced
margins, etc., should be created/selected properly and with great care. For example, if you
are using a red font for the heading, every heading in the document should be in that style.
◾ The report should be well organized.
◾ Correct spelling and grammar are important too. A misspelled word leaves a very negative
impression on the person reading your report, so make sure that you proofread your report
and run a spell-check before submitting it to the client.
◾ Always make sure that you use a consistent voice and style in writing a report. Changing
the voice would create confusion in the reader; so you should choose one voice and style and
stick to it throughout your report.
◾ Make sure you spend time eliminating false positives (reported vulnerabilities that are not
actually present), because false negatives will always be there no matter what you do. Eliminating
the false positives enhances the credibility of the report.
◾ Perform a detailed analysis of each vulnerability to find its root cause. A screenshot of the
raw HTTP request, or a screenshot that demonstrates the evidence of the finding, gives the
developer a clear picture of the issue and allows them to reproduce it.
Understanding the Audience
Understanding the audience that would be reading your penetration testing report is a very crucial
part of the penetration test. We can divide the audience into three different categories:
1. Executive class
2. Management class
3. Technical class
While writing a report, you must understand which audience would read which part of your
report; for example, the company’s CEO would not be interested in what exploit you used to gain
access to a particular machine, but on the flip side, your developers will probably not be interested
in the overall risks and potential losses to the company; instead, they would be interested in fixing
the code and therefore in reading about detailed findings. Let’s briefly talk about the three classes.
Executive Class
This category includes the CEOs of the company. Since they have a very busy schedule and
often have less technical knowledge, they will end up reading only a very small portion
of the report, specifically the executive summary, remediation report, etc., which we will discuss
later in this chapter.
Management Class
Next, we have the management class, which includes the CISOs and CISSPs of the company.
Since they are the ones who are responsible for implementing the security policy of the company,
they would probably be a bit more interested in reading about overall strengths and weaknesses,
the remediation report, the vulnerability assessment report, etc.
Technical Class
This class includes the security manager and developers, who would be interested in reading your
report thoroughly. They would investigate your report as they are responsible for patching the
weaknesses found and for making sure that the necessary patches are implemented.
Writing Reports
Now we are going to get into the essentials of the reporting phase, which will teach you about the
structure of a report. We have discussed what a good report should look like. I pointed out that
knowing your audience was essential. One of the key factors about a good report is that it should
meet the needs for each audience and be presented in a clear and understandable manner.
The next major part of writing a report is the analysis, where we perform risk assessment and
calculate the overall risk to the organization based upon our findings; along with this, your report
should also provide remediation on how the risk can be averted.
Structure of a Penetration Testing Report
Let’s look step by step at how a good report should be laid out. At the end of this chapter, I have
provided links to some of the best reports that have been made publicly available.
Cover Page
We start with the cover page; this is where you would include details such as your company logo,
title, and a short description about the penetration test. I would suggest you hire a good designer
and work on a professional and appealing cover page because if your cover page looks great, it
would make a good first impression upon the customer reading it.
Table of Contents
On the very next page, you should have an index so that the audience interested in reading a particular portion of the report can easily skip to that portion.
Executive Summary
As the name suggests, an executive summary is the portion that is specifically addressed to executives such as the CEO or the CIO of the company. The executive summary is the most essential part of a penetration testing report; a good executive summary can make all the difference
between a good report and a bad one.
Since the executive summary is specifically written to address the nontechnical audience, you
should make sure that it’s presented in such a way that it’s easily comprehensible. Following are
some of the essential points that you should take into consideration while writing an executive
summary.
◾ Since executives are very busy, they have minimal time to invest in reading your reports.
Therefore you should make sure that your executive summary is precise and to the point.
◾ Your executive summary should start with defining the purpose of the engagement and how
it was carried out. Things such as the scope should be defined but very precisely.
◾ Next, you should explain the results of the penetration test and the findings.
◾ Following this, you should discuss the overall weaknesses in general and the countermeasures that were not implemented that caused the vulnerability in the first place.
◾ Next comes the analysis part; this is where you should write about the overall risk that was
determined based upon your findings.
◾ And, finally, you should write about to what extent the risk would decrease after addressing
the issues and implementing the appropriate countermeasures.
The following is an example of an executive summary that we wrote for a customer. I would suggest you spend some time reviewing the essential points discussed and compare them with the executive summary that follows.