What is a Penetration Test Report?
Penetration test reports are very important and provide you with the structured details of the pentest after the engagement has completed. However, oftentimes this critical documentation lacks key aspects of what should be included, and clients begin to question the practical value of their assessments—and rightfully so. The report is everything.
While there are many nice things you can include in a report, Rhino Security Labs has identified four qualities that will make every pentest report outstanding.
1 - Executive Summary for Strategic Direction
The executive summary serves as a high-level view of both risk and business impact in plain English. The purpose is to be concise and clear. It should be something that non-technical readers can review and gain insight into the security concerns highlighted in the report.
While IT staffers may need all the technical details, executives don’t need to understand the technology. They need to understand business risk, something a good executive summary will effectively communicate. It is imperative that business leaders grasp what’s at stake to make informed decisions for their companies, and the executive summary is essential to delivering that understanding.
Visual communication can also be helpful in getting complex points across clearly. Look for graphs, charts, and similar visuals that communicate the summary data in this section.
2 - Walkthrough of Technical Risks
Most reports use some sort of rating system to measure risk, but seldom do they take the time to explain the risk. The client’s IT department needs to make swift, impactful decisions on how best to resolve vulnerabilities. To do so, they require approval from the people upstairs. To simply state that something is dangerous does not properly convey risk.
For instance, if a critical vulnerability is found in a healthcare portal that lets users upload a profile picture but does nothing to prevent them from uploading arbitrary code instead, there are two ways to report this:
1 – Technically Accurate – Company X’s web application does not limit user uploads by file type, creating a vulnerability that allows an attacker to execute arbitrary code remotely and elevate their privilege within the application.
2 – Both Accurate and Contextualized – Company X’s web application does not limit user uploads by file type, creating a vulnerability that allows an attacker to execute arbitrary code remotely and elevate their privilege within the application. In this instance, the attacker would be able to view the medical records of any user and operate as an administrator on the application.
The second one has more weight to it, indicating not only the technical aspects but the business impact as well. The most valuable reports are those that speak to all audience members in the language they understand – especially those in leadership positions.
3 - Potential Impact of Vulnerability
Risk can be broken down into two pieces: likelihood and potential impact.
Likelihood is standard in most assessment reports. Of course, the odds of exploitation—while important—aren’t enough to define risk. You wouldn’t rank a deep-seated remote code execution lower than a developer’s email address left visible in an HTML script, because the former would be far more impactful to the client.
If you think you’re seeing a theme here, you’re not wrong. An assessment report isn’t just for the IT staff. Executives need to see a break-down of how a vulnerability that any organization could have would directly affect their organization specifically. Factoring both the likelihood and potential impact of an exploitation into the overall risk is a major component in an excellent report.
4 - Multiple Vulnerability Remediation Options
Most penetration test reports will include a generic, high-level description of how to handle these problems; however, these generic “catch-all” remediation guides often fall short when it comes to the unique context of the client’s needs. If a client has a vulnerable service running on a webserver that they depend on, the remediation should offer more than telling them to simply disable the service altogether.
Of course, it’s important to let the client know that there’s a straightforward method of filtering for SQL injections, or configuring their firewall to block certain attacks. That said, a quality pentest report will give you multiple remediation options that are detailed enough to prepare the client’s IT team for a swift resolution. Assuming the internal staff already knows how to remediate all vulnerabilities greatly reduces the value of the penetration test.
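To make the “more than one remediation option” point concrete, here is an added example (not code from the original post or from Rhino Security Labs) for the profile-picture upload finding used earlier in this article. The weak acceptance path mirrors the finding as reported: any file type, original filename kept. The hardened path keeps the upload feature the client depends on and layers several independent checks instead of disabling uploads altogether: an extension allowlist, a size limit, a magic-byte check so a renamed script is caught, and a server-generated filename. All names, the policy values, and the sample inputs are constructed for this illustration.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed policy for the hypothetical "profile picture" upload feature.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap for an avatar (constructed limit)

# Leading bytes of the permitted image formats (standard file signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # name the server would persist under


def vulnerable_accept(filename: str, data: bytes) -> UploadResult:
    """The finding as reported: no file-type limit, caller-chosen name reused."""
    return UploadResult(True, "accepted without checks", filename)


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the client-supplied name, path stripped."""
    base = os.path.basename(filename)
    if "\x00" in base or "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def magic_matches(ext: str, data: bytes) -> bool:
    """True if the content starts with a signature valid for the declared type."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def hardened_accept(filename: str, data: bytes) -> UploadResult:
    """Layered remediation: allowlist, size cap, content check, generated name."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return UploadResult(False, f"extension '{ext}' not in allowlist")
    if len(data) > MAX_BYTES:
        return UploadResult(False, "file exceeds size limit")
    if not magic_matches(ext, data):
        # Catches "shell.php.png" style renames: the name passes, the bytes do not.
        return UploadResult(False, "content does not match declared image type")
    # Never store under the client-chosen name; a random name removes any
    # chance that the upload is reachable as an executable resource by name.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadResult(True, "accepted", stored)


if __name__ == "__main__":
    # Constructed sample uploads: a real-looking PNG and a script under two names.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    script = b"<?php echo 'constructed sample'; ?>"
    for name, blob in [("avatar.png", png), ("shell.php", script), ("shell.php.png", script)]:
        print(name, "->", vulnerable_accept(name, blob), "|", hardened_accept(name, blob))
```

A report would list these controls as separate options (validate extension, verify content, store outside the webroot under a generated name), so the client’s team can pick the ones that fit their stack rather than being told only to remove the feature.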
The penetration test itself is not why clients seek out security assessments. The assessment report and client support are. That’s exactly why we put so much of our attention and effort into reporting.
Details like verbose descriptions, proper methodology, vulnerability description, and other factors are important as well; implementing these four concepts, in addition, is a recipe for an excellent report.