What Should You Report?

Out of Scope Issues

Findings that are discovered during the course of the pentest on a target

Findings that indicate systemic flaws in the overall architecture

Findings

We need to include what was not found as well

There will be times when a finding needs to be reported on immediately.

Solutions

Believe it or not, clients like to be told what to do.

Manuscript Preparation

Title Page

Introduce the topic of the report

Introduce author and the penetration test team’s organization

Great place to brandish logos and make everything look appealing

Primary goal: Provide a clear message of what the report is about

Abstract

The abstract = The executive report

The executive summary should be no longer than one page and contain concise analysis and findings

Text

Elements

Description of the target network or system

Vulnerability findings

Remediation

We should include a graphical representation of the architecture, with a description of each element

Vulnerability findings and remediation options should be meshed together

References

We should provide the reader with Internet references regarding the vulnerabilities

The National Vulnerability Database, located at http://nvd.nist.gov, is a good choice

Appendices

At least two appendices

A list of definitions

The step-by-step events surrounding each vulnerability exploitation
