The Ideal Penetration Test Report

A penetration test report is the final deliverable in a penetration test engagement. It is a detailed document that guides you through the findings, vulnerabilities detected, exploitation actions and provides mitigation recommendations. As the complexity and security needs of today's organizations icrease, tailor-made penetration tests and enriched reports with additional information are often requested.

Having studied well-known standards and guidelines regarding penetration test reporting and actually providing reports after every engagement, we conclude that there are some top quality topics every report should have:

1. Multi-level Reporting

Despite the fact that a penetration test is something quite technical, there is not only the IT department that is interested in the results. An three-level approach (executive, intelligence, technical) provides all the meaningful information to the various organizational departments in the appropriate language.

An executive summary section is the high-level view of the security risks identified through the engagement and directs mainly the non-technicals.

An intelligence section directs mostly the mid-level positions that may have a small technical knowledge and provides information as seen by an attacker's eye. It provides meaningful insights on the company's exposure to adversaries, before even caryying out any penetration attempt.

A technical section is the core element of a penetration test report, where among other elements which are analyzed below, includes: every vulnerability discovered along with its proper explaination and rating (OWASP, CVSS, CWE), exploitation steps, risk - impact values and mitigation actions.

App

App

2. Risk Contextualization

There are several formulas which can be utilised to measure and quantify the risk. However, there is a gap between the risk importance and the risk meaning. A vulnerability rated as high-risk does not state anything other than the obvious: "it's too bad/fix it asap!". An effective way of risk reporting should have two strong points:

  • Technical accuracy and traceability with traceID™
  • Explaination within the operational context the risks arise

In other words, the reporting should not only technically describe the vulnerability but provide and explain the business impact of exploiting the vulnerability. This is a crucial factor in the decision-making process regarding vulnerability mitigation and risk control.


3. Multi-remediation

Everyone should admit that a penetration test report lacking mitigation recommendations is a crippled report. The important aspect of mitigation recommendations is the extent and coverage of the proposed actions.

For example, detecting XSS and SQLi attacks in various modules within a .NET web-aplpication could have an expected approach:
Implement proper input sanitization on input elements and HTTP parameters to minimize the exposure to XSS and SQLi attacks.

Wanting to dive deeper in an attempt to discover the root cause of the vulnerability and recommend a more effective mitigation, we have aligned with the mentality of continuous improvement, as seen in well-known guidelines such as ISO 27002, ISO 27018 and ITIL. That means that the above recommendation would turn into:
As XSS and SQLi vulnerabilities have been discovered in every module within the web application, proper input sanitization shall be implemented in every DOM area where user input takes place. Additionally, since the flaw is repeatedly detected, make sure that the development team follows a Secure Software Development LifeCycle (SDDLC) to address such issues more efficiently. Taking into consideration the technology used, you may refer to .NET SSDLC checklist.

App

Ready to take a penetration test with insightful reporting?

Find Out How!