10 Steps to Writing a Useful Penetration Test Report

As soon as your penetration test is prepared, the first thing you probably want to ask is about the penetration testing report! And it makes sense—you want to know what kind of information you can get after your penetration test is complete to see how your organization is performing.

A penetration test is only as valuable as the penetration test report. And what makes a penetration test valuable? One that you can actually use for your company.

What should be included in a penetration test report?

It’s essential to understand what to look for in a penetration test report so you can know how to read it and make it useful. Penetration test reports may be different depending on what security organization you choose, but in general penetration test reports should contain these 10 elements:

1. Executive Summary

2. Objective of the Penetration Testing

3. Penetration Testing Team

4. Penetration Testing Tools Used

5. Summary of Penetration Testing Findings (with graph)

6. Prioritized Vulnerabilities Findings

7. Risk and Impact Ranked Findings

8. Finding information references

9. Steps to recreate the finding

10. Suggested vulnerabilities remediation options

Executive Summary

An executive summary should be just that—a summary. Not a ten-page technical white paper. It should contain the high-level meat of the penetration test, and it should be designed for the executive team. The executive summary shouldn’t focus on code or specific applications. Instead, it should talk about the degree to which your organization is vulnerable and what it will take to fix it. A memorable conclusion to this summary will be important in communicating the basic good and bad news for your company.

The Objective of the Penetration Testing

This should be pulled right from the statement or work or the project charter and helps restate the scope of your effort. The objective here is to give context (in the form of their requirements) to the penetration test report results based on the direction and scope of the project.

Penetration Testing Team

Often for security compliance reasons, clients need the names and contact details of the individuals that actually participated in the penetration test. This may include name, email, and internal phone number Even if it’s not a compliance requirement, it’s just good practice and makes it easy for organizations to find the information of their testers easily. Be sure this is included in your penetration test report.

Tools Used

Some stakeholders won’t need to know all the tools you use, but the IT team or developers may want to understand the tools used as they start to remediate some of the findings. It’s easier to reproduce the findings when the organization can understand the tools that were used on the original test.

Summary of Findings (With Graph)

Summaries are an important way to get into the nitty-gritty details of your security posture. Graphing findings into risk categories is an easy way for pen test report users to identify which groupings need the most work and will require the most effort. It’s not uncommon for test reports to be used to justify budget requests, and having the test report results easy to consume is a big win for your organization. This is an important part of your penetration testing report, so be sure the security company you’ve chosen does this.

Prioritized Report Findings

Not all report findings are created equal. Therefore, it’s important that the penetration testing report findings are listed in order of importance and relevance so that you can understand what to work on first. Watch for report findings that are easy to understand and within your scope. Penetration testers shouldn’t include every vulnerability—some will be a very low priority and won’t be helpful for your organization.

Risk and Impact Ranked Report Findings

Just like the prioritized findings, security risk, and security impact help determine priority. It’s really a client and company decide what they want to address first, however having all of the security information and being able to provide Severity, Difficulty, and Disposition of a finding is super helpful in prioritizing remediation efforts.

Finding References

An internal remediation element of a report should include web link resources and references to help your organization be able to identify remediation options and get the details they need quickly.

References:

• OWASP Clickjacking - Vulnerability: http://www.owasp.org/index.php/Clickjacking
  

• CWE-693: Protection Mechanism Failure - Vulnerability: http://cwe.mitre.org/data/definitions/693.html
  

• CAPEC-103: Clickjacking- Vulnerability: http://capec.mitre.org/data/definitions/103.html
  

• Frame Busting - Vulnerability: http://seclab.stanford.edu/websec/framebusting/
  

• Mozilla – X-Frame-Options - vulnerabilities : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  

• W3C - Content Security Policy Level 2 - vulnerabilities: https://www.w3.org/TR/CSP2/#directive-frame-ancestors

Steps to Recreate the Finding

In addition to having resources and references to the vulnerabilities, the penetration testing report should provide detailed instructions in the report discussing how they found the issue. Screenshots and even screen recordings of the network or web application can be used to help your organization understand how to find, and then solve, the problem. If your security company doesn’t include this in the report, you’ll likely have to contact them to get more information. So having the steps to recreate the finding inside the report is key for your success.

Suggested Remediation Option

There may be an overlap between recreating findings, references for findings, and suggested remediation options. However, adding the remediation steps will be important so your organization clearly understands what you need to do in order to increase your security. Look for a security testing company that will include this in the penetration testing report.

Why does a penetration testing report matter?

A penetration testing report is crucial for your organization after getting a penetration test

done. This report is the main deliverable from your penetration testing company. It helps you understand what reporting was done, and how you can fix the issues that have come up. It gives you all the details you need to be able to make meaningful changes to your security systems. When looking for a penetration testing company, it’s crucial to find an organization that will give you the best report possible.