The Ideal Penetration Test Report

A penetration test report is the final deliverable in a penetration test engagement. It is a detailed document that guides you through the findings, vulnerabilities detected, exploitation actions and provides mitigation recommendations. As the complexity and security needs of today's organizations increase, tailor-made penetration tests and enriched reports with additional information are often requested.

Having studied well-known standards and guidelines regarding penetration test reporting and actually providing reports after every engagement, we conclude that there are some top quality topics every report should have:

1. Multi-level Reporting

Despite the fact that a penetration test is something quite technical, there is not only the IT department that is interested in the results. An three-level approach (executive, intelligence, technical) provides all the meaningful information to the various organizational departments in the appropriate language.

An executive summary section is the high-level view of the security risks identified through the engagement and directs mainly the nontechnical people.

An intelligence section directs mostly the mid-level positions that may have a small technical knowledge and provides information as seen by an attacker's eye. It provides meaningful insights on the company's exposure to adversaries, before even carrying out any penetration attempt.

A technical section is the core element of a penetration test report, where among other elements which are analyzed below, includes: every vulnerability discovered along with its proper explanation and rating (OWASP, CVSS, CWE), exploitation steps, risk - impact values and mitigation actions.



2. Risk Contextualization

There are several formulas which can be utilized to measure and quantify the risk. However, there is a gap between the risk importance and the risk meaning. A vulnerability rated as high-risk does not state anything other than the obvious: "it's too bad/fix it asap!". An effective way of risk reporting should have two strong points:

  • Accuracy & traceability of findings
  • Technical & business impact analysis within the operational context the risks arise

In other words, the reporting should not only technically describe the vulnerability but provide and explain the business impact of exploiting the vulnerability. This is a crucial factor in the decision-making process regarding vulnerability mitigation and risk control.

3. Multi-remediation

Everyone should admit that a penetration test report lacking mitigation recommendations is a crippled report. The important aspect of mitigation recommendations is the extent and coverage of the proposed actions.

For example, detecting XSS and SQLi attacks in various modules within a .NET web-aplpication could have an expected approach:
Implement proper input sanitization on input elements and HTTP parameters to minimize the exposure to XSS and SQLi attacks.

Wanting to dive deeper in an attempt to discover the root cause of the vulnerability and recommend a more effective mitigation, we have aligned with the mentality of continuous improvement, as seen in well-known guidelines such as ISO 27002, ISO 27018 and ITIL. That means that the above recommendation would turn into:
As XSS and SQLi vulnerabilities have been discovered in every module within the web application, proper input sanitization shall be implemented in every DOM area where user input takes place. Additionally, since the flaw is repeatedly detected, make sure that the development team follows a Secure Software Development LifeCycle (SDDLC) to address such issues more efficiently. Taking into consideration the technology used, you may refer to .NET SSDLC checklist.


Concerned about your cybersecurity posture?
Our specialists are more than happy to discuss a solution with you!

Start Here!

Latest News

Ukrainian NBU BankID System preparing for EU recognition

SpearIT is pleased to announce that has undertaken the preliminary conformity assessment of Ukraine's BankID national electronic identification scheme, ...

Read More

Cypriot National eID becomes notified

SpearIT is pleased to announce that the electronic identification (eID) scheme of Cyprus has now been notified as LoA High...

Read More

Cypriot National eID becomes pre-notified

SpearIT is pleased to announce that the first Cypriot electronic identification (eID) scheme has now been pre-notified in the eIDAS Cooperation Network...

Read More