Penetration Test - Reporting_and_Communication(1)

Writing Reports

PEN TEST REPORT
  • Communicate findings AND recommendations
  • Primary recommendations
  • Your only chance to make your points
  • Digest of all activities and conclusions
    • Some conclusions are drawn during tests
    • Some result from post-test analysis

Examples:

http://www.pentest-standard.org/index.php/Reporting

[Figure: Reporting-risk-scale.png, a risk rating scale]

https://github.com/juliocesarfort/public-pentesting-reports

http://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

https://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf

TIPS FOR WRITING A REPORT
  • Tell your story
  • Know your audience(s)
    • Executive 1-page summary
    • Technical/management
    • Motivation for the test (e.g. an audit or compliance requirement?)
  • Leave the reader with a call to action
    • Include steps to fix the issues
  • Your report will be your voice after you leave
  • Try to answer any questions that may arise
    • What did you do?
    • Why did you make the choices you made?
    • What did you find, and how did your findings affect your conclusions?
  • After settling on a format, you need data
  • The report is mostly presentation and summary of that data
  • Collect data
    • Transform it as needed into a common format
    • Don't spend too much time on this, but try to harmonize the data format
      • Use tools like MS Excel
    • Harmonized data is easier to read and analyze

COMMON SECTIONS
  • Executive summary
    • 1 page max - High level summary
    • Targeted at executives - few details
    • State the test goals and general findings
  • Methodology
    • Your approach to the overall test activities
    • Tools and techniques
    • Why you did what you did
      • And why you didn't do more
  • Findings and remediation
    • Ranked list (more details than the executive summary)
      • What you found (important findings first)
      • What you recommend the client does - provide options as appropriate
  • Metrics and measures
    • Details of what you found
    • How you assessed each finding
    • Risk rating
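The data harmonization step above (collect data, transform it into a common format) and the ranked findings list with a risk rating come together in the following script. It is an added example, not part of the original notes or of any tool the notes reference: it reads two constructed inputs (a hypothetical scanner CSV export and a JSON list of manually found issues), maps both into one common record, rates each finding with the CVSS v3.x qualitative bands (the notes do not name a scale; CVSS is used here as a stand-in for whatever scale the report adopts), merges the same issue seen on several hosts into one finding, and ranks the result most-severe-first. All column names, hosts and finding text are made up for illustration.

```python
"""Harmonize findings from several sources into one ranked table.

Added example, not from the original notes. Column names, hosts and
finding text are constructed assumptions for illustration only.
"""
import csv
import io
import json
from dataclasses import dataclass, field

# Constructed sample export from a hypothetical vulnerability scanner.
SCANNER_CSV = """host,plugin_name,cvss_score,output,solution
10.0.0.5,OpenSSH < 8.9 Multiple Vulnerabilities,7.5,OpenSSH 8.4 detected,Upgrade OpenSSH to 8.9 or later
10.0.0.7,OpenSSH < 8.9 Multiple Vulnerabilities,7.5,OpenSSH 8.4 detected,Upgrade OpenSSH to 8.9 or later
10.0.0.9,SSL Certificate Expired,4.0,Expired 2020-01-01,Renew the certificate
"""

# Constructed list of issues found by hand during web application testing.
MANUAL_JSON = """[
 {"title": "SQL injection in login form", "host": "app.example.test",
  "cvss": 9.8, "evidence": "' OR 1=1-- returned an admin session",
  "fix": "Use parameterised queries; add input validation"},
 {"title": "Verbose stack traces", "host": "app.example.test",
  "cvss": 3.7, "evidence": "500 page shows framework version",
  "fix": "Disable debug mode in production"}
]"""


@dataclass
class Finding:
    """Common record that every source is transformed into."""
    title: str
    cvss: float
    evidence: str
    remediation: str
    hosts: list = field(default_factory=list)
    severity: str = ""


def severity_from_cvss(score):
    """CVSS v3.x qualitative rating bands (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def from_scanner_csv(text):
    """Map the scanner's columns onto the common record."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["plugin_name"], float(r["cvss_score"]), r["output"],
                    r["solution"], [r["host"]]) for r in rows]


def from_manual_json(text):
    """Map the hand-written JSON fields onto the common record."""
    return [Finding(r["title"], float(r["cvss"]), r["evidence"], r["fix"],
                    [r["host"]]) for r in json.loads(text)]


def merge(findings):
    """Collapse the same issue seen on several hosts into one finding."""
    by_title = {}
    for f in findings:
        if f.title in by_title:
            m = by_title[f.title]
            new_hosts = [h for h in f.hosts if h not in m.hosts]
            m.hosts.extend(new_hosts)
            m.cvss = max(m.cvss, f.cvss)  # keep the worst score seen
        else:
            by_title[f.title] = Finding(f.title, f.cvss, f.evidence,
                                        f.remediation, list(f.hosts))
    merged = list(by_title.values())
    for f in merged:
        f.severity = severity_from_cvss(f.cvss)
    return merged


def rank(findings):
    """Most severe first; ties broken by number of affected hosts, then title."""
    return sorted(findings, key=lambda f: (-f.cvss, -len(f.hosts), f.title))


def severity_counts(findings):
    """Per-severity totals, the numbers an executive summary quotes."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def render_table(findings):
    """Markdown table for the findings and remediation section."""
    lines = ["| # | Severity | CVSS | Finding | Hosts | Remediation |",
             "|---|---|---|---|---|---|"]
    for i, f in enumerate(findings, 1):
        lines.append(f"| {i} | {f.severity} | {f.cvss:.1f} | {f.title} | "
                     f"{', '.join(f.hosts)} | {f.remediation} |")
    return "\n".join(lines)


def build_report_findings():
    """Collect from both sources, harmonize, merge and rank."""
    return rank(merge(from_scanner_csv(SCANNER_CSV) + from_manual_json(MANUAL_JSON)))


if __name__ == "__main__":
    ranked = build_report_findings()
    print("Executive summary counts:", severity_counts(ranked))
    print(render_table(ranked))
```

Run it directly to print the severity counts for the executive summary and the findings table; to use it on real exports, replace `from_scanner_csv` with a reader that matches your tool's actual column names, and swap `severity_from_cvss` for whatever rating scale the client has agreed to.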

BEST PRACTICES
  • Risk appetite
    • Amount of risk client is willing to accept
    • Tone of the entire report is based on the company's appetite for risk
    • Risk appetite statement should appear in the report introduction
  • Report storage
    • Reports should become part of the organization's document repository
    • Used as input for future pen tests and other assessments
    • Security policy should state how long reports are kept
  • Report handling and disposition
    • Security policy should state how assessment reports are stored
    • At the end of life, how are reports disposed of?

QUICK REVIEW
  • The Pen Test report is your best opportunity to leave a lasting message
  • Start writing your report early in the testing project
  • Write to your audiences (executive vs. technical)
  • Provide a definite "call to action" with remediation recommendations
Posted 2020-12-15 21:21 by 晨风_Eric