This tip is a part of the SearchSecurityChannel.com mini learning guide, Penetration testing tutorial: Guidance for effective pen tests.
Penetration testing is a service commonly offered by information security solution providers. Unfortunately, for as long as pen tests have been offered, the final deliverable (a report) is often lacking in value for the client. This tip will explore some of the most common pitfalls of penetration testing reports, with recommendations on ways to improve them.
Problems with penetration testing reports
There are several common complaints from clients related to the penetration testing reports solution providers present at the end of an engagement.
1. The reports are merely copies of the scan results.
Copying vulnerability scan results verbatim from the scanning tool into the report adds little value for the client. It reduces confidence in the report, and in the organization performing the test.
2. The reports do not tell the client how to fix problems.
Some solution providers produce reports that detail the issues discovered during the test, without going into detail about how developers, administrators and security teams can fix the problems. This has much less value to clients, as anyone can tell an organization they have problems! A valuable penetration testing report contains remediation details.
3. The reports do not help clients replicate the problem.
Many clients want to recreate the compromise scenarios themselves. Detailed information about the tools used, the techniques employed and the scripts written helps them glean more value from the test report.
4. The reports contain false positives.
False positives can fill a penetration testing report with unnecessary data and lead to wasted time. A skilled solution provider can often eliminate or at least reduce false positives, producing a concise and valuable report.
Suggestions for valuable penetration testing reports
Given these issues, there is much a solution provider can do to deliver greater value in pen test reports. The following suggestions should help improve the quality of reports in most cases:
- Translate results from network and vulnerability scanners into customized language that is tailored specifically to the client being tested. For example, a client’s business environment, risk concerns and priorities, and any specific testing parameters (user profiles and system types) should be included.
- For any issues discovered during the test, provide concrete evidence of the compromise via screenshots or “flags” planted on compromised systems. Many organizations will prohibit the planting of flags (often text files or images), so screenshots will be the most effective evidence of successful attack completion.
- Manually check all discovered vulnerabilities for false positives to ensure reports are as accurate as possible.
- Include extensive advice on how to address and remediate discovered vulnerabilities. By categorizing vulnerabilities as patching and configuration issues, coding errors, weak authentication scenarios, etc., solution providers can direct each piece of advice to the client's IT team best suited to perform the remediation steps.
- Describe the tools and tactics employed at each phase of the test, and whether the test was successful in compromising systems or applications. For example, listing the output of reconnaissance tools like Google search queries and Paterva's Maltego, the specific scanning commands used with open source tools such as Nmap, Hping and Scapy, and the exact sequences of variables chosen with exploitation tools like Metasploit (a free tool now owned by Rapid7) will be invaluable to the client for recreating and validating the issues internally. In most cases, this data should be included as appendices to the main report so as not to clutter the report with extensive technical detail.
- Focus the report on the specific risks or concerns important to the client. In some cases, clients will be looking for a general overview of network and application vulnerabilities, but tailoring the report to compliance initiatives, particular security controls and sensitive data specific to the organization may improve the report's overall impact.
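The first, third and fourth suggestions above (translate scanner output into tailored findings, verify each one manually, and attach remediation advice by category) can be enforced by the reporting tooling itself rather than left to discipline. The following Python script is an added example and is not from the article: it parses Nmap's XML output (the real `nmap -oX` layout), maps open services to a remediation category, keeps every finding out of the main report body until a tester has recorded verification evidence, and pushes unverified scanner hits into an appendix. The sample scan, the service-to-remediation table and the function names are all constructed for this example.

```python
"""Turn raw Nmap XML into triaged report findings.

Added example, not from the article. The element layout used here
(<host>/<address>/<ports>/<port>/<state>/<service>) is the real nmap -oX
structure; the sample scan and the remediation table are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV -oX` output: two hosts, three open ports.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet" product="Linux telnetd"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Category and remediation text per service, in the style the article
# recommends (configuration issue, weak authentication, ...). Constructed.
REMEDIATION = {
    "telnet": ("weak authentication / cleartext protocol",
               "Disable telnetd; require SSH with key-based authentication."),
    "ftp": ("configuration issue",
            "Retire plain FTP in favour of SFTP/FTPS; disable anonymous login."),
}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    category: str
    remediation: str
    verified: bool = False                    # False until a tester confirms it
    evidence: list[str] = field(default_factory=list)  # screenshot references etc.


def findings_from_nmap_xml(xml_text: str) -> list[Finding]:
    """Keep only open ports whose service maps to a known remediation entry."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            if name in REMEDIATION:
                category, fix = REMEDIATION[name]
                findings.append(Finding(addr, int(port.get("portid")), name, category, fix))
    return findings


def verify(finding: Finding, evidence_ref: str) -> Finding:
    """Record manual confirmation; only verified findings reach the main report."""
    finding.verified = True
    finding.evidence.append(evidence_ref)
    return finding


def render_report(findings: list[Finding]) -> str:
    """Main body: verified findings grouped by category. Appendix: unverified hits."""
    verified = [f for f in findings if f.verified]
    unverified = [f for f in findings if not f.verified]
    lines = ["# Findings"]
    for category in sorted({f.category for f in verified}):
        lines.append(f"\n## {category}")
        for f in sorted(verified, key=lambda f: (f.host, f.port)):
            if f.category == category:
                lines.append(f"- {f.host}:{f.port}/{f.service} (evidence: {', '.join(f.evidence)})")
                lines.append(f"  Remediation: {f.remediation}")
    lines.append("\n# Appendix: unverified scanner output (possible false positives)")
    for f in unverified:
        lines.append(f"- {f.host}:{f.port}/{f.service}")
    return "\n".join(lines)


if __name__ == "__main__":
    fs = findings_from_nmap_xml(SAMPLE_NMAP_XML)
    verify(fs[0], "screenshot-01.png")   # tester confirmed the telnet login banner
    print(render_report(fs))
```

Run against the constructed sample, the telnet finding (verified with a screenshot reference) lands in the main body under its category with its remediation line, while the unconfirmed FTP hit is listed only in the appendix, which keeps unverified scanner output from being presented as a confirmed issue.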
Penetration tests represent a client’s security posture at a point in time, and should ideally be used to demonstrate exactly what vulnerabilities are present and the inherent risks based on these vulnerabilities. By customizing and tailoring the results to the client, as well as providing more remediation guidance and testing details, solution providers can substantially increase the value of the test and final report for any client.
About the author:
Dave Shackleford is the founder and principal consultant with Voodoo Security, as well as a SANS analyst, instructor, and course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the Technology Association of Georgia's Information Security Society and the SANS Technology Institute.