Penetration testing is worth little if there is no report detailing what was done and what needs to be corrected. The penetration test report is what tells IT managers and other company stakeholders how well or poorly your network, web applications and Internet-facing security actually perform. But how does one write an engaging and useful report?
Here are our five top tips:
1. Be sure to keep your target readers in mind
A single penetration test report has to serve several audiences. For example, you can expect senior management to read (and understand) the executive summary, while the IT team will be reading the technical details.
2. Plan your report
Even before you start a web application audit, a network security assessment or any other form of security testing, create a preliminary pentest report that doubles as your test plan.
State the following in your report:
- Testing objectives
There are many reasons why a company commissions a penetration test. When writing your report, first say why this test was conducted.
- Testing dates
Be sure to record when you did the testing, so that the company can assign someone to be present during the tests if necessary. This also protects you if the company changes its IT infrastructure and those changes were implemented after your tests.
- Confidentiality
A penetration testing report must be kept confidential because it contains a lot of sensitive information; state this explicitly. Also keep track of which department was given a copy of the report, when it was given, and in what format.
3. Collect and document
Make sure that you have collected everything you need, including the tools used and the systems you tested. Proper documentation of scan results, screenshots, notes, activity logs and similar evidence lets you proceed to the next step and write a full penetration test report.
4. Write your report
Once the draft is written, have it peer-reviewed. Have everyone on the testing team read the draft and edit it. It is important that whoever was involved in the actual testing reads and reviews your draft to make sure that the details you state are accurate.
Once accuracy is confirmed, finalize the report by having someone proofread it and checking that it follows the company's standards.
5. Typical penetration test report format
To help ensure that you do not leave out any important information, you may want to follow the typical or recommended report format:
- Cover page
Contains all the necessary details about the report: the title, the version, date, the service provider and other similar information.
- Document properties
Contains the names of the testers, reviewers, and the person who approved the final report. This section also records the classification of the document, as well as the title, version, and author. A revision history here tracks the modifications made to the report: what was changed, when, and by whom.
- Table of contents and list of illustrations
This lists the figures and diagrams, starting from the network diagram, application architecture, proof of exploitation, screenshots, etc.
- Executive summary
This is the report summary. It is typically placed near the beginning of the report but is actually written after the whole report has been finalized. The executive summary should state the scope, objectives, assumptions and timeframe of the testing, together with a brief summary of findings and recommendations.
- Methodology used
- Detailed findings
Present your pentest findings as comprehensively and completely as possible, but keep the presentation simple. For each finding, show the vulnerability, its impact, the likelihood that it will be exploited, the resulting risk rating, and your recommendation. Use graphs, tables, bar charts, and diagrams where they help.
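As an added example (not part of the original article), the Python sketch below keeps the five elements of a finding named above in one register, checks every finding for completeness, derives a risk rating from a constructed likelihood-by-impact matrix, and renders both the executive summary counts and the detailed findings section from the same data. The matrix, the field names and the sample findings are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed qualitative matrix keyed by (likelihood, impact); declare your own scheme in the methodology section.
LEVELS = ("Low", "Medium", "High")
RISK_MATRIX = {
    ("Low", "Low"): "Low", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
REQUIRED = ("title", "description", "impact", "likelihood", "recommendation")
@dataclass
class Finding:
    title: str
    description: str     # the vulnerability and the evidence for it
    impact: str          # Low / Medium / High
    likelihood: str      # Low / Medium / High: how likely exploitation is
    recommendation: str  # what the IT team should change
    def risk(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]

def validate(findings):
    """Return a list of problems; a finding lacking any of the five elements is flagged."""
    problems = []
    for f in findings:
        problems += [f"{f.title}: missing {k}" for k in REQUIRED if not getattr(f, k).strip()]
        if f.impact not in LEVELS or f.likelihood not in LEVELS:
            problems.append(f"{f.title}: impact and likelihood must be one of {LEVELS}")
    return problems

def executive_summary(findings):
    """Number of findings per risk rating, most severe first (management view)."""
    counts = Counter(f.risk() for f in findings)
    return {k: counts[k] for k in sorted(counts, key=RISK_ORDER.get)}

def detailed_findings(findings):
    """Markdown section ordered by risk, one entry per finding (technical view)."""
    lines = ["## Detailed findings"]
    for f in sorted(findings, key=lambda x: RISK_ORDER[x.risk()]):
        lines += [f"### {f.title} [{f.risk()}]", f.description,
                  f"- Impact: {f.impact}; likelihood: {f.likelihood}; fix: {f.recommendation}"]
    return "\n".join(lines)

# Constructed sample findings, not taken from any real engagement.
SAMPLE = [
    Finding("Verbose error pages", "Stack traces reveal the framework version.",
            "Low", "High", "Disable debug output in production."),
    Finding("Unsupported software on public web server", "Vendor no longer ships fixes.",
            "High", "High", "Upgrade to a supported release."),
]
```

Running `validate()` before rendering catches the finding that was logged without a recommendation, which is exactly the gap a peer review would otherwise have to find by hand.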
- Cite others for their work
Be sure to give proper references when using others’ work for your penetration test report, including the author’s name, the date of the original publication, the title of the publication, the publisher, place of publication, specific page numbers, and other similar details.
- Appendices and glossary
These two sections contain additional information that makes your report easier to read and point readers to further detail.
Keep all of this in mind when writing your penetration testing report and you can be assured of a quality report that is of value to everyone who reads it.