Penetration Test - Reporting_and_Communication(1)
Writing Reports
PEN TEST REPORT
- Communicate findings AND recommendations
- Primary recommendations
- Only change to make your points
- Digest of all activities and conclusions
- Some conclusions are drawn during tests
- Some result from post-test analysis
Examples:
http://www.pentest-standard.org/index.php/Reporting
https://github.com/juliocesarfort/public-pentesting-reports
http://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
https://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf
TIPS FOR WRITING A REPORT
- Tell your story
- Know your audience(s)
- Executive 1-page summary
- Technical/management
- Motivation - audit?
- Leave the reader with a call to action
- Include steps to fix the issues
- Your report will be your voice after you leave
- Try to answer any questions that may arise
- What did you do?
- Why did you make the choices you made?
- What did you find, and how did your findings affect your conclusions?
- After settling on format, you need data
- Mostly presentation and summary of data
- Collect data
- Transform as needed into a common format
- Don't spend too much time on this, but try to harmonize data format
- Use tools like MS Excel
- Easier to read and analyze
COMMON SECTIONS
- Executive summary
- 1 page max - High level summary
- Targeted at executives - few details
- State the test goals and general findings
- Methodology
- Your approach to the overall test activities
- Tools and techniques
- Why you did what you did
- And why you didn't do more
- Findings and remediation
- Ranked list(more details than Executive summary)
- What you found (important findings first)
- What you recommend the client does - provide options as appropriate
- Ranked list(more details than Executive summary)
- Metrics and measures
- Details of what you found
- How you assessed each finding
- Risk rating
BEST PRACTICES
- Risk appetite
- Amount of risk client is willing to accept
- Tone of the entire report is based on the company's appetite for risk
- Risk appetite statement should appear in the report introduction
- Report storage
- Reports should become part of the organization's document repository
- Used as input for future pen tests and other assessments
- Security policy should state how long reports are kept
- Report handling and disposition
- Security policy should state how assessment reports are stored
- At the end of life, how are reports disposed of?
QUICK REVIEW
- The Pen Test report is your best opportunity to leave a lasting message
- Start writing your report early in the testing project
- Write to your audiences(executive vs. technical)
- Provide a definite "call to action" with remediation recommendations
相信未来 - 该面对的绝不逃避,该执著的永不怨悔,该舍弃的不再留念,该珍惜的好好把握。