
Penetration Test - Reporting_and_Communication(1)

Date: 2020-12-21 11:11:34


Writing Reports

PEN TEST REPORT
  • Communicate findings AND recommendations
  • Primary recommendations
  • Only chance to make your points
  • Digest of all activities and conclusions
    • Some conclusions are drawn during tests
    • Some result from post-test analysis

Examples:

http://www.pentest-standard.org/index.php/Reporting


https://github.com/juliocesarfort/public-pentesting-reports

http://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

https://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf

TIPS FOR WRITING A REPORT
  • Tell your story
  • Know your audience(s)
    • Executive 1-page summary
    • Technical/management
    • Motivation - audit?
  • Leave the reader with a call to action
    • Include steps to fix the issues
  • Your report will be your voice after you leave
  • Try to answer any questions that may arise
    • What did you do?
    • Why did you make the choices you made?
    • What did you find, and how did your findings affect your conclusions?
  • After settling on format, you need data
  • Mostly presentation and summary of data
  • Collect data
    • Transform as needed into a common format
    • Don't spend too much time on this, but try to harmonize data format
      • Use tools like MS Excel
    • Easier to read and analyze

COMMON SECTIONS
  • Executive summary
    • 1 page max - High level summary
    • Targeted at executives - few details
    • State the test goals and general findings
  • Methodology
    • Your approach to the overall test activities
    • Tools and techniques
    • Why you did what you did
      • And why you didn't do more
  • Findings and remediation
    • Ranked list (more details than the executive summary)
      • What you found (important findings first)
      • What you recommend the client does - provide options as appropriate
  • Metrics and measures
    • Details of what you found
    • How you assessed each finding
    • Risk rating
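
The "collect data, harmonize the format" tip and the ranked findings list above can be done with a short script instead of a spreadsheet. This is an added example, not code from the original notes: the two scanner export formats (one reporting a CVSS score, one reporting a text risk level) and the findings are constructed here for illustration.

```python
from dataclasses import dataclass

# Common risk scale used across the whole report (higher = more urgent).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

def cvss_to_label(score: float) -> str:
    """Map a CVSS v3 base score to the report's qualitative label (CVSS v3 ranges)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"

@dataclass(frozen=True)
class Finding:           # the report's common schema
    title: str
    host: str
    severity: str        # one of SEVERITY_RANK
    remediation: str

def from_tool_a(row: dict) -> Finding:
    """Tool A (constructed format) reports a numeric CVSS score."""
    return Finding(row["name"], row["target"], cvss_to_label(float(row["cvss"])), row["fix"])

def from_tool_b(row: dict) -> Finding:
    """Tool B (constructed format) reports lowercase text risk levels."""
    label = row["risk"].capitalize()          # 'high' -> 'High'
    if label not in SEVERITY_RANK:            # do not silently drop unknown levels
        raise ValueError(f"unknown risk level from tool B: {row['risk']!r}")
    return Finding(row["issue"], row["host"], label, row["recommendation"])

def rank_findings(findings):
    """Most severe first; ties broken by title so the report order is stable."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.title))

def executive_counts(findings):
    """Counts per severity for the one-page executive summary."""
    counts = {label: 0 for label in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts

TOOL_A = [  # constructed sample rows
    {"name": "Outdated TLS configuration", "target": "10.0.0.5", "cvss": "5.3", "fix": "Disable TLS 1.0/1.1"},
    {"name": "SQL injection in login form", "target": "10.0.0.7", "cvss": "9.8", "fix": "Use parameterised queries"},
]
TOOL_B = [  # constructed sample rows
    {"issue": "Default credentials on admin console", "host": "10.0.0.9", "risk": "high", "recommendation": "Change defaults; enforce MFA"},
    {"issue": "Verbose server banner", "host": "10.0.0.5", "risk": "low", "recommendation": "Suppress version headers"},
]

def build_report_findings():
    """Harmonize both exports into the common schema and return them ranked."""
    return rank_findings([from_tool_a(r) for r in TOOL_A] + [from_tool_b(r) for r in TOOL_B])
```

`build_report_findings()` returns the ranked list for the findings section, and `executive_counts()` gives the per-severity totals for the executive summary.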

BEST PRACTICES
  • Risk appetite
    • Amount of risk client is willing to accept
    • Tone of the entire report is based on the company's appetite for risk
    • Risk appetite statement should appear in the report introduction
  • Report storage
    • Reports should become part of the organization's document repository
    • Used as input for future pen tests and other assessments
    • Security policy should state how long reports are kept
  • Report handling and disposition
    • Security policy should state how assessment reports are stored
    • At the end of life, how are reports disposed of?

QUICK REVIEW
  • The Pen Test report is your best opportunity to leave a lasting message
  • Start writing your report early in the testing project
  • Write to your audiences (executive vs. technical)
  • Provide a definite "call to action" with remediation recommendations


Original source: https://www.cnblogs.com/keepmoving1113/p/14141094.html
