In yesterday's article we went through the methodology of comprehensive security testing and the corresponding toolset of an ethical hacker. Even if we master hacking techniques perfectly and test at the highest level, the project will still be mediocre if we cannot present the results to the customer properly. Today we will talk about how to write a competent security testing report.
Before we start writing any report, we need to ask ourselves the following two important questions:
In the case of a security testing report, the readers are:
The CEO pays for our security testing services and expects to see the main results in the report: whether it is possible to penetrate the company's network and what information can be obtained that way.
The head of the information security department is interested in all aspects of the security testing carried out:
The head of the information technology department is interested in what his people will have to do to fix the discovered vulnerabilities and whether this will affect the availability and performance of the information systems.
Having dealt with the needs of the readers of our report, let's think about our own.
Security testers in a report need to demonstrate that:
Now we can develop an appropriate report structure.
For your convenience, we post a report template that we have been using for several years in our courses on ethical hacking and the structure of which corresponds to the one described below.
Let us examine the key elements of the security testing report.
Section "Executive Summary"
A section of one, at most two, pages in which we state what we did and why, describe the main results and conclusions, and give the key recommendations. We avoid technical terms, since the readers are top management, who do not always have a good knowledge of IT or information security.
Section "Project Scope"
In this section we describe which types of testing were carried out and against which information resources. The level of detail should let readers understand what was included in the project and what remained outside its scope. If necessary, we can list the addresses of the offices and even the names of the customer's people involved in the project.
Section "Our approach"
Some ethical hackers do not like to describe their approach, citing their know-how. We recommend being transparent with customers and describing at least the basic testing steps in accordance with the accepted security testing methodology.
A mapping of the testing stages to the vulnerabilities identified at each stage is also useful.
One of the important points in security testing is the assessment of the risk associated with the possible exploitation of each vulnerability. If we are not following the customer's methodology but use a rating scheme of our own, it is better to describe it here, so that every rating in the findings section can be traced back to it.
Description of identified vulnerabilities
The bulk of a security testing report is the description of the detected vulnerabilities. For audit reports, and a security testing report certainly belongs to this category, the classic structure for presenting information is: observation (finding), risk, recommendation.
The "observation" subsection describes which vulnerability was found and in which system, and demonstrates that it can be exploited, with appropriate screenshots. Sometimes customers insist on receiving the test logs; in that case it is advisable to name the tools used and give a reference to the corresponding file (as a rule, it is handed over to the customer in electronic form only).
The "risk" subsection describes what may happen if a potential attacker exploits this vulnerability. For a proper assessment, the testers need to determine the criticality of the compromised resource.
In the "recommendations" subsection, the security testing experts give advice on how to remedy the situation. As a rule, this advice consists of two parts: the necessary correction and the necessary corrective action. A correction is what needs to be done right now (for example, changing a password); a corrective action is what needs to be done to eliminate the cause of the identified problem (for example, implementing a password policy, training users, and so on).
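As an added example, not part of the original article, the following Python script generates the findings section in exactly this observation, risk, recommendation structure from structured data, splits each recommendation into a correction and a corrective action, rates each finding from its exploitation likelihood and the criticality of the compromised resource, and orders the findings by rating. The 3x3 likelihood x criticality matrix is an assumed rating scheme for the example (not the article's or any customer's methodology), and the hosts and findings are constructed, hypothetical sample data.

```python
"""Render the findings section of a security testing report from structured
data: observation -> risk -> recommendation (correction + corrective action).

The likelihood x criticality rating matrix is an ASSUMED scheme for this
example, not the article's or any customer's methodology.
"""
from collections import Counter
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High", "Critical"]   # ascending order of risk


@dataclass
class Finding:
    title: str
    system: str               # where the vulnerability was found
    observation: str          # what was found and how exploitation was demonstrated
    likelihood: int           # 1 (hard to exploit) .. 3 (trivial, e.g. default creds)
    criticality: int          # 1 .. 3: criticality of the compromised resource
    risk: str                 # what happens if an attacker exploits it
    correction: str           # what to do right now
    corrective_action: str    # what removes the root cause
    evidence: list = field(default_factory=list)  # screenshot / log references


def rate(likelihood: int, criticality: int) -> str:
    """Map likelihood x criticality (each 1..3) to a rating via a 3x3 matrix."""
    if not (1 <= likelihood <= 3 and 1 <= criticality <= 3):
        raise ValueError("likelihood and criticality must be in 1..3")
    score = likelihood * criticality          # possible values: 1 2 3 4 6 9
    if score == 9:
        return "Critical"
    if score == 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def render_finding(f: Finding) -> str:
    """One finding in the observation / risk / recommendation structure."""
    lines = [
        f"[{rate(f.likelihood, f.criticality)}] {f.title} ({f.system})",
        "Observation: " + f.observation,
    ]
    if f.evidence:
        lines.append("Evidence: " + ", ".join(f.evidence))
    lines += [
        "Risk: " + f.risk,
        "Recommendation:",
        "  Correction: " + f.correction,
        "  Corrective action: " + f.corrective_action,
    ]
    return "\n".join(lines)


def sort_by_risk(findings):
    """Highest-rated findings first, so the reader sees what matters most."""
    return sorted(findings,
                  key=lambda f: LEVELS.index(rate(f.likelihood, f.criticality)),
                  reverse=True)


def summary_counts(findings) -> dict:
    """Number of findings per rating, the kind of figure the Executive Summary needs."""
    return dict(Counter(rate(f.likelihood, f.criticality) for f in findings))


def render_report(findings) -> str:
    return "\n\n".join(render_finding(f) for f in sort_by_risk(findings))


# Constructed sample findings: hypothetical hosts and details, not a real engagement.
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration", "intranet wiki (wiki.corp.example)",
            "Server accepts TLS 1.0 with CBC cipher suites; verified with a TLS scan.",
            likelihood=1, criticality=2,
            risk="An attacker on the internal network could attempt downgrade attacks on wiki sessions.",
            correction="Disable TLS 1.0/1.1 and CBC suites on the wiki server.",
            corrective_action="Adopt a TLS baseline and scan all services against it quarterly."),
    Finding("Default credentials on VPN gateway admin interface", "vpn.corp.example",
            "Logged in as admin with the vendor default password; screenshot attached.",
            likelihood=3, criticality=3,
            risk="Anyone on the Internet can reconfigure the VPN and reach the internal network.",
            correction="Change the admin password and restrict the admin interface to management IPs.",
            corrective_action="Introduce a password policy and a hardening checklist for new appliances.",
            evidence=["screenshots/vpn-admin-login.png", "logs/vpn-bruteforce.txt"]),
    Finding("Directory listing on file server", "files.corp.example",
            "HTTP directory listing enabled on /backups/; file names disclosed.",
            likelihood=2, criticality=3,
            risk="Backup file names reveal the system inventory and may be downloadable.",
            correction="Disable directory listing and move backups out of the web root.",
            corrective_action="Add web server hardening to the build standard."),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
    print(summary_counts(SAMPLE_FINDINGS))
```

Keeping the findings as data and rendering them is what makes the structure consistent across a long report: every finding gets the same four parts, the rating is computed by one published rule rather than by feel, and the per-rating counts for the Executive Summary always agree with the findings section.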
We briefly reviewed the report structure, which, of course, helps to develop a document, but any report writer also needs to master the skill of structuring information.
One of the best textbooks on this topic is Barbara Minto's "The Pyramid Principle" (published in Russian as "The Minto Pyramid Principle: The Golden Rules of Thinking, Business Writing and Oral Presentations"), which we recommend reading.
Source: https://habr.com/ru/post/337824/