  • Penetration Test

    Writing Reports

    PEN TEST REPORT
    • Communicate findings AND recommendations
    • Primary recommendations
    • Often your only chance to make your points
    • Digest of all activities and conclusions
      • Some conclusions are drawn during tests
      • Some result from post-test analysis

    Examples:

    http://www.pentest-standard.org/index.php/Reporting

    [Image: Reporting-risk-scale.png, the PTES reporting risk scale]

    https://github.com/juliocesarfort/public-pentesting-reports

    http://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

    https://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf

    TIPS FOR WRITING A REPORT
    • Tell your story
    • Know your audience(s)
      • Executive 1-page summary
      • Technical/management
      • Motivation for the test (e.g. is it driven by an audit?)
    • Leave the reader with a call to action
      • Include steps to fix the issues
    • Your report will be your voice after you leave
    • Try to answer any questions that may arise
      • What did you do?
      • Why did you make the choices you made?
      • What did you find, and how did your findings affect your conclusions?
    • After settling on a format, you need data
    • The report is mostly presentation and summary of data
    • Collect data
      • Transform it as needed into a common format
      • Don't spend too much time on this, but try to harmonize the data format
        • Use tools like MS Excel
      • A common format is easier to read and analyze
    COMMON SECTIONS
    • Executive summary
      • 1 page max - High level summary
      • Targeted at executives - few details
      • State the test goals and general findings
    • Methodology
      • Your approach to the overall test activities
      • Tools and techniques
      • Why you did what you did
        • And why you didn't do more
    • Findings and remediation
      • Ranked list (more details than the Executive summary)
        • What you found (most important findings first)
        • What you recommend the client do - provide options as appropriate
    • Metrics and measures
      • Details of what you found
      • How you assessed each finding
      • Risk rating
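    The data-harmonization step under "Collect data" and the ranked findings list with a risk rating under "Findings and remediation" / "Metrics and measures" are the two places where a small script saves report-writing time. The following is an added example, not code from the original notes: it maps two different (constructed, not real) tool exports, one Nessus-style CSV and one Burp-style JSON, onto a single Finding schema, rates each finding with the standard CVSS v3 qualitative bands, ranks them most-severe-first, produces the per-rating counts an executive summary needs, and writes a flat CSV that opens directly in Excel. The Finding schema, the field names in the sample exports and the choice of CVSS as the rating scale are assumptions for the example, not something the notes prescribe.

```python
"""Harmonise raw tool output into one findings table, rank it, and
summarise it for the executive section of a pen-test report.
Added example; sample inputs below are constructed, not real scan data."""
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample inputs imitating two different tool exports.
NESSUS_LIKE_CSV = """Plugin ID,CVSS v3.0 Base Score,Risk,Host,Port,Name,Solution
10863,7.5,High,10.0.0.5,443,SSL Certificate Cannot Be Trusted,Purchase or generate a proper certificate
11219,0.0,None,10.0.0.5,22,Nessus SYN scanner,n/a
35291,5.3,Medium,10.0.0.7,443,SSL Certificate Signed Using Weak Hashing Algorithm,Contact the CA to reissue the certificate
"""

BURP_LIKE_JSON = """[
 {"issue": "SQL injection", "severity": "High", "confidence": "Certain",
  "host": "https://app.example.test", "path": "/search?q=", "cvss": 9.8,
  "remediation": "Use parameterised queries"},
 {"issue": "Missing HttpOnly flag on session cookie", "severity": "Low",
  "confidence": "Certain", "host": "https://app.example.test", "path": "/",
  "cvss": 3.1, "remediation": "Set HttpOnly on the session cookie"}
]"""


@dataclass
class Finding:
    """Common schema (an assumption of this example) that every tool's output is mapped onto."""
    source: str
    asset: str
    title: str
    score: float        # CVSS-style 0.0 - 10.0
    remediation: str

    @property
    def rating(self) -> str:
        return cvss_rating(self.score)


def cvss_rating(score: float) -> str:
    """Qualitative rating using the CVSS v3 severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def from_nessus_csv(text: str) -> list:
    """Map a Nessus-style CSV export onto the common schema."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding("nessus", f"{r['Host']}:{r['Port']}", r["Name"],
                    float(r["CVSS v3.0 Base Score"]), r["Solution"]) for r in rows]


def from_burp_json(text: str) -> list:
    """Map a Burp-style JSON issue list onto the common schema."""
    return [Finding("burp", f"{i['host']}{i['path']}", i["issue"],
                    float(i["cvss"]), i["remediation"]) for i in json.loads(text)]


def rank(findings: list) -> list:
    """Most severe first; ties broken by asset and title so the order is stable."""
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.title))


def summary(findings: list) -> dict:
    """Counts per rating, the numbers an executive summary quotes."""
    counts = {}
    for f in findings:
        counts[f.rating] = counts.get(f.rating, 0) + 1
    return counts


def to_csv(findings: list) -> str:
    """Flat CSV of the ranked list; opens directly in Excel for review."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["rank", "rating", "score", "asset", "title", "source", "remediation"])
    for n, f in enumerate(findings, 1):
        w.writerow([n, f.rating, f.score, f.asset, f.title, f.source, f.remediation])
    return buf.getvalue()


def build_findings_table():
    """Harmonise both exports, rank them, and return (ranked, counts, csv_text)."""
    findings = from_nessus_csv(NESSUS_LIKE_CSV) + from_burp_json(BURP_LIKE_JSON)
    ranked = rank(findings)
    return ranked, summary(ranked), to_csv(ranked)


if __name__ == "__main__":
    ranked, counts, table = build_findings_table()
    print(counts)
    print(table)
```

Each tool gets its own small mapping function and nothing else knows about tool-specific column names, so adding a third scanner is one more function rather than a change to the ranking or summary code. Informational rows (score 0.0) are kept so the metrics section can still report them, but they naturally sort to the bottom of the ranked list.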
    BEST PRACTICES
    • Risk appetite
      • Amount of risk client is willing to accept
      • Tone of the entire report is based on the company's appetite for risk
      • Risk appetite statement should appear in the report introduction
    • Report storage
      • Reports should become part of the organization's document repository
      • Used as input for future pen tests and other assessments
      • Security policy should state how long reports are kept
    • Report handling and disposition
      • Security policy should state how assessment reports are stored
      • At the end of life, how are reports disposed of?
    QUICK REVIEW
    • The Pen Test report is your best opportunity to leave a lasting message
    • Start writing your report early in the testing project
    • Write to your audiences (executive vs. technical)
    • Provide a definite "call to action" with remediation recommendations
  • Original URL: https://www.cnblogs.com/keepmoving1113/p/14141094.html