Writing Reports
PEN TEST REPORT
Communicate findings AND recommendations
Primary recommendations
Only change to make your points
Digest of all activities and conclusions
Some conclusions are drawn during tests
Some result from post-test analysis
Examples:
http://www.pentest-standard.org/index.php/Reporting
https://github.com/juliocesarfort/public-pentesting-reports
http://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
https://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf
TIPS FOR WRITING A REPORT
Tell your story
Know your audience(s)
Executive 1-page summary
Technical/management
Motivation – is the test driven by an audit?
Leave the reader with a call to action
Include steps to fix the issues
Your report will be your voice after you leave
Try to answer any questions that may arise
What did you do?
Why did you make the choices you made?
What did you find, and how did your findings affect your conclusions?
After settling on format, you need data
Mostly presentation and summary of data
Collect data
Transform as needed into a common format
Don’t spend too much time on this, but try to harmonize data format
Use tools like MS Excel
Easier to read and analyze
COMMON SECTIONS
Executive summary
1 page max – high-level summary
Targeted at executives – few details
State the test goals and general findings
Methodology
Your approach to the overall test activities
Tools and techniques
Why you did what you did
And why you didn’t do more
Findings and remediation
Ranked list (more details than the executive summary)
What you found (important findings first)
What you recommend the client do – provide options as appropriate
Metrics and measures
Details of what you found
How you assessed each finding
Risk rating
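The data-handling steps above (collect, transform into a common format, then present a ranked findings list with risk ratings and executive-summary counts), as an added example that is not part of the original notes. The two input formats, the field names and the severity scale are constructed assumptions, not any real tool's output.

```python
# Harmonise findings from two differently formatted sources, rank by risk, count per severity.
# Added example with constructed data; the severity scale and field names are assumptions.
from collections import Counter
from dataclasses import dataclass

# Constructed severity scale: a higher number sorts earlier in the ranked list.
RISK_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    title: str
    host: str
    risk: str          # always a key of RISK_RANK after normalisation
    remediation: str   # the "how to fix it" the report must carry for each finding

def normalize(raw: dict, source: str) -> Finding:
    """Map one raw record into the common schema. Two assumed source formats:
    'scanner' gives a CVSS-style numeric score, 'manual' a free-text severity word."""
    if source == "scanner":
        score = float(raw["cvss"])
        risk = ("critical" if score >= 9.0 else "high" if score >= 7.0
                else "medium" if score >= 4.0 else "low" if score > 0 else "info")
        return Finding(raw["name"], raw["ip"], risk, raw.get("fix", "TBD"))
    if source == "manual":
        risk = raw["severity"].strip().lower()
        if risk not in RISK_RANK:
            raise ValueError(f"unknown severity {raw['severity']!r}")
        return Finding(raw["issue"], raw["target"], risk, raw["recommendation"])
    raise ValueError(f"unknown source {source!r}")
def rank(findings):
    """Most important findings first; ties broken by title for a stable report order."""
    return sorted(findings, key=lambda f: (-RISK_RANK[f.risk], f.title))
def summary_counts(findings) -> dict:
    """Per-severity totals for the one-page executive summary."""
    counts = Counter(f.risk for f in findings)
    return {level: counts.get(level, 0) for level in RISK_RANK}
# Constructed sample input, deliberately in two different formats.
SCANNER_OUT = [
    {"name": "Outdated TLS configuration", "ip": "10.0.0.5", "cvss": "5.3", "fix": "Disable TLS 1.0/1.1"},
    {"name": "Default credentials on admin console", "ip": "10.0.0.7", "cvss": "9.8"},
]
MANUAL_NOTES = [
    {"issue": "SQL injection in login form", "target": "10.0.0.9", "severity": "High", "recommendation": "Use parameterised queries"},
    {"issue": "Verbose server banner", "target": "10.0.0.5", "severity": "Info", "recommendation": "Suppress the version header"},
]

def build_findings_section():
    findings = [normalize(r, "scanner") for r in SCANNER_OUT]
    findings += [normalize(r, "manual") for r in MANUAL_NOTES]
    return rank(findings)
```

A scanner record without a "fix" field comes through as "TBD" so the gap is visible in the draft rather than silently dropped.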
BEST PRACTICES
Risk appetite
Amount of risk client is willing to accept
Tone of the entire report is based on the company’s appetite for risk
Risk appetite statement should appear in the report introduction
Report storage
Reports should become part of the organization’s document repository
Used as input for future pen tests and other assessments
Security policy should state how long reports are kept
Report handling and disposition
Security policy should state how assessment reports are stored
At the end of life, how are reports disposed of?
QUICK REVIEW
The Pen Test report is your best opportunity to leave a lasting message
Start writing your report early in the testing project
Write to your audiences (executive vs. technical)
Provide a definite “call to action” with remediation recommendations
Believe in the future – never run from what must be faced, never regret what must be persisted in, no longer cling to what must be given up, and hold fast to what must be cherished.