As organizations evaluate penetration tests and other types of security consulting, one of the common questions we get at Secure Ideas is “What is the deliverable?”. This is an essential question as the deliverable is the record of what was done, what needs to be done, and the guidance on improving things in the future.
So what should you expect and why are the pieces important? Let’s look at each piece now:
Executive Summary: This section of the report describes the history, the purpose, and a summary of the engagement. It tends to be written for non-technical, executive-level personnel so that they can understand the parts and results of the penetration test without needing to fully understand the technical details. This section will also provide risk-based guidance on the priorities for addressing findings. Finally, the executive summary may list factors that are helping or harming the security posture of the organization.
Narrative: This section contains a narrative of the testing process. It serves two primary purposes based on the mix of goals most organizations have for their penetration testing:
First, it provides an explanation of what happened during the testing. It walks the reader through the procedures and thought process the tester followed. This helps as the organization determines how to reproduce the findings and remediate the various issues. In some cases, it may also describe how a combination of vulnerabilities was exploited to reach a critical objective.
Second, the narrative walks through various parts of the testing that did not result in findings. While this often seems counterintuitive, good documentation of what tests failed helps the organization understand what security controls are working properly within their security program. This can also help account for effort when a test has very few findings to report.
Findings and Recommendations: The findings and recommendations section is often the most significant portion of the testing deliverable to those accountable or responsible for remediation. As the section is titled, everything in it is split into two pieces: the finding and our recommendation.
The finding is the description of the problem uncovered in the application. Findings can be anything from SQL injection to a misconfiguration within the platform hosting the application. Each finding outlines these three items:
Strategic Guidance: At first glance, this section may seem similar to the Findings and Recommendations section of the report. It outlines any recommendations that Secure Ideas believes the organization should consider as future improvements for its security posture, even though there may not be a specific finding, or one that warrants a full finding. These are meant to assist organizations in deciding where to consider future investments in IT Security. For example, we may recommend additional developer training due to the types of flaws found within the application. While the skills and knowledge of the application developers aren’t really in scope for a penetration test, we may infer from the findings that the organization would benefit from providing additional training.
Appendices: While not a part of every deliverable, sometimes within a penetration test, there is data collected that needs to be communicated to the client organization. This is where that would be placed. For example, if Secure Ideas found leaked credentials for an application, we would record the specific accounts discovered in an appendix so the client can communicate with those users. Another reason for an appendix is if a finding is discovered in so many areas of the application the list would impact the readability of the report. We would create an appendix listing those locations.
Since the report is the only persistent part of a penetration test, companies must know what they are going to receive when making a choice between vendors. As you discuss your testing AND reporting needs, make sure to request a sample report, and discuss what your expectations are with the consultants. Also, remember that the sample will be redacted or sanitized to protect the original client’s information. If it is sanitized past the point of usefulness, move on to another company.