Artur Marciniec - Fotolia
When it comes to reporting, penetration testers often have a hard time getting inspired to write about
their engagement's technical details. Some testers will skim the surface and only identify successful portions of their test, while others view a report as a work of art and go out of their way to cover successful exploitation, identifying the impact of vulnerabilities in a way that an often nontechnical audience can understand, and to recommend corrective actions.
Writing a penetration testing report should never feel like a chore. After all, it's part of the job a pen tester is hired for. The following tips will help ease the pain of reporting that many pen testers feel when working in the wonderful field of pen testing.
1. Tell a story
Each vulnerability a pen tester finds should have a story attached to it. Testers should attempt to answer the following questions in their final penetration testing report:
- What was the vulnerability?
- What impact could it have on the organization (based on the function of the company)?
- Did the tester attempt to exploit the vulnerability? If so, what was the result of the exploit attempt?
- What can the organization do to remediate the issue?
- What can the organization do to mitigate similar issues in the future?
The report should include details on failed exploitation attempts, as well as successful ones. This not only shows vulnerabilities the organization must address, but also lets the target organization know where its defenses are working and helps them understand the tester's approach.
2. Write the report as you go
Pen testers should write up the methodology and finding section of the report as they conduct their engagements rather than collecting artifacts and assembling the story once the pen test is complete. This will enable pen testers to record their actions in real time, take screen captures and identify potential findings as a stream of consciousness.
Writing the report as they go will carry testers a long way in completing it effectively and efficiently. Once the testing is completed, a pen tester will only need to review and edit the full write-up of the findings -- not try to remember everything that happened along the way after the fact.
3. Stay organized
Recording findings as they go will also help pen testers keep their reports organized. It will ensure important details are captured and recorded -- and that testing doesn't need to be conducted twice.
To keep results organized and applicable for the hiring company, it is a good practice to list vulnerabilities using a relative risk rating that ranks them by seriousness. This method will ensure the most important -- critical -- vulnerabilities are at the beginning of the vulnerability section of the report, followed by high-, moderate/medium- and low-rated vulnerabilities.
Also note that, when dealing with potential security vulnerabilities that could make or break a company, grammar and spelling may not seem like a big deal. However, security professionals operate in a field that stresses attention to detail and thus need to demonstrate the same attention to detail when it comes to writing up a report. Therefore, pen testers should always use spell check and grammar check when writing a penetration testing report and look it over carefully before submitting the final draft.