Ethical Hacking and Penetration Testing Guide
Report Writing
In any penetration test, the report is the most crucial deliverable: it is usually the only thing the client keeps once the engagement ends, and it is what the fixes will be judged against. Writing a good report is key to a successful penetration test. The following are the key factors of a good report:

◾ Your report should be simple, clear, and understandable.

◾ Presentation matters too. Headers, footers, appropriate fonts, well-spaced margins, etc., should be created and selected with care, and applied consistently. For example, if you use a red font for one heading, every heading in the document should use that same style.

◾ The report should be well organized, so that each audience can find the part meant for them.

◾ Correct spelling and grammar are important as well. A misspelled word leaves a very negative impression on the person reading your report, so proofread and spell-check the report before submitting it to the client.

◾ Use a consistent voice and style throughout. Changing voice part-way through confuses the reader, so choose one voice and style and stick to it for the whole report.

◾ Spend time eliminating false positives (reported vulnerabilities that are not actually present). Some false negatives (real vulnerabilities you did not find) will remain no matter how thorough you are, but a false positive is entirely within your control, and every one you remove improves the credibility of the report.

◾ Perform a detailed analysis of each vulnerability to find its root cause. Evidence such as the raw HTTP request and response, or a screenshot that demonstrates the finding, gives the developer a clear picture of the issue and lets them reproduce it.
Understanding the Audience
Understanding who will read your penetration testing report is a crucial part of the penetration test. We can divide the audience into three categories:
1. Executive class
2. Management class
3. Technical class
While writing the report, you must understand which audience will read which part of it. For example, the company's CEO is not interested in which exploit you used to gain access to a particular machine; on the flip side, the developers are probably not interested in the overall risk and potential losses to the company, but in fixing the code, and therefore in the detailed findings. Let's briefly discuss the three classes.
Executive Class
This category includes the CEOs and other executives of the company. Since they have very busy schedules and often limited technical knowledge, they will read only a small portion of the report, specifically the executive summary, the remediation report, etc., which we will discuss later in this chapter.
Management Class
Next comes the management class, which includes the CISOs and CISSP-certified security managers of the company. Since they are responsible for implementing the company's security policy, they will be more interested in the overall strengths and weaknesses, the remediation report, the vulnerability assessment report, etc.
Technical Class
This class includes the security manager and the developers, who will read the report thoroughly. They are responsible for patching the weaknesses found and for making sure the necessary patches are implemented, so they need the full technical detail of each finding, including the evidence and the steps to reproduce it.