A penetration test is more than the discovery of security vulnerabilities: the procedure spans several stages, including planning, scenario preparation, execution, the final report, and recommendations. The penetration testing report is what ties these components together. Ideally, it covers the vulnerabilities discovered, how they were exploited, the approach taken towards testing, remediation suggestions, and other important information.
A good penetration testing report lets the firm judge the quality of the testing approach and how far exploitation was taken. Many firms review the sample pentesting reports published by third-party service providers to understand the depth and methods of the attacks they perform.
What are the two types of reporting?
Two kinds of reporting can be followed during the penetration testing methodology: the vulnerability report and the final report. A vulnerability report should account for each specific vulnerability discovered during the pentesting procedure and include all the available technical details for the testing team. By understanding the impact of the vulnerability, its root cause, and the potential for exploitation, testers can form the right approach for fixing it.
The vulnerability report should ideally contain a description of the vulnerability and the impact of its exploitation within the system. Providing context that emphasizes the business impact for both technical and non-technical stakeholders helps convey the priority of each security risk. The report should also identify the affected portion of the system, whether a parameter or a URL, and the users affected by it. The next portion covers the steps any team can follow in the future to reproduce the same attack method.
The criticality rating describes the impact of the vulnerability in the case of successful exploitation. Mention events that can realistically happen in such a scenario and are of immediate consequence. Under the criticality heading, the business and technical impact are detailed according to the OWASP Risk Rating Methodology. This is followed by the likelihood, the probability of such exploitation happening, and finally by the combination of the two, called the overall severity. Finally, the report has a section on the tools and setup required to reproduce each security risk, along with its potential remediation measures.
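The likelihood and impact factors above, and the table that combines them into an overall severity, are taken from the OWASP Risk Rating Methodology; the code below is an added example (not part of the original article) that rates one constructed finding, so a report's criticality section can be reproduced from the scored factors rather than assigned by feel. The factor names and the scores of the sample finding are the example's own assumptions.

```python
# Factor names follow the OWASP Risk Rating Methodology; every factor is scored 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# OWASP overall risk severity table: (likelihood level, impact level) -> overall severity.
OVERALL = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}

def level(score):
    """Map a 0-9 average onto OWASP's bands: below 3 LOW, 3 to below 6 MEDIUM, 6 and up HIGH."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"

def _average(factors, names):
    values = [factors[name] for name in names]  # KeyError if a factor was left unscored
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("each factor must be scored 0-9")
    return sum(values) / len(values)

def rate(factors, use_business_impact=True):
    """Likelihood, impact and overall severity; OWASP prefers business impact when it can be estimated."""
    likelihood = _average(factors, THREAT_AGENT + VULNERABILITY)
    impact = _average(factors, BUSINESS_IMPACT if use_business_impact else TECHNICAL_IMPACT)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "overall": OVERALL[(level(likelihood), level(impact))],
    }

# Constructed sample finding: an authenticated user can read other customers' records by
# changing an identifier in a URL parameter. The scores are illustrative, not from the article.
SAMPLE_FINDING = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 1, "loss_of_availability": 1,
    "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
}
```

For the sample finding the likelihood averages 6.0 (HIGH) and the business impact 5.0 (MEDIUM), so the table yields an overall severity of High; the same scores rated on technical impact alone (4.0, MEDIUM) land in the same cell.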
4 Common Systems and Methodologies Used
The penetration testing report can also draw on some commonly used methods and scoring systems for rating security risks.
1. The STRIDE model
Testers use this model to enumerate and classify the potential vulnerabilities and threats to a target system. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure (such as data leaks), Denial of Service (DoS), and Elevation of privilege.
2. The CVSS Score
The Common Vulnerability Scoring System (CVSS) score is a widely used metric for rating the criticality of security issues on a scale of 1-10. CVSS has three metric groups, Base, Temporal, and Environmental: the Base group produces a number from 1-10, and the other two modify it according to their impact.
3. The CWE system
The Common Weakness Enumeration (CWE) is a catalog of weakness types that supports prioritizing security issues on the basis of a consistent classification. A community-based initiative, the CWE list is continually updated according to the needs of different industries and firms.
4. CAPEC
The Common Attack Pattern Enumeration and Classification (CAPEC) catalogs commonly occurring attack patterns, which helps users understand the different weaknesses hidden within a system. CAPEC is used when testing web applications and other capabilities for security loopholes.
4 General Tips for a Penetration Testing Report
While providing as many details as possible, it is equally important to ensure that the penetration testing report is understandable for all stakeholders, whatever the complexity of the vulnerabilities.
● Avoid generic allotment of criticality. Instead, evaluate the true potential for exploitation, the context within the system, and the users that can be affected.
● Follow a consistent language. Once a particular format is chosen for the report, stick to it, including abbreviations and capitalization, to give readers a sense of familiarity.
● Include details, screenshots, and proofs of concept as much as possible. If reproducing a security vulnerability is complicated, add other aids such as pictures, flowcharts, and videos for clarity. Highlight the navigation steps, the tools used, and the environment in which the attack method was used to demonstrate the vulnerability.
● Be conscious of your intended audience. Stick to the point regarding the security issue and adequately explain why a given criticality level was assigned. Use simple sentences to describe both the action taken to demonstrate the security risk and the remediation measures suggested.
Following the above pattern for designing a firm's penetration testing report will ensure that all the important details and steps are covered. Information that is accessible to everyone is key to every report's success.