A penetration test alone won’t secure your organization. It’s what you do with the pentest results that actually matters. Without remediation, the test has done little to reduce your security exposure.
What is a Remediation Verification Penetration Test?
Remediation is the work of fixing the vulnerabilities identified during the penetration test. A remediation verification penetration test (the retest) checks that those fixes actually closed the findings.
How do I choose which vulnerabilities to remediate?
Your pentest results should provide you with something that looks like the bar chart below. Severity and difficulty help determine priority. It’s ultimately the client’s decision what to address first; however, having all of the information in one place and being able to see the Severity, Difficulty, and Disposition of each finding is very helpful in prioritizing remediation efforts.
It’s often the case that stakeholders, including business, audit, and compliance, want verification that whatever you tried to fix actually was fixed. The remediation retest answers the question “did we fix it?” You’ll want to make sure that your pentest team or another third party does the verification, especially if you’re trying to comply with PCI or some other industry compliance requirement.
Update the Deliverables
Following the completion of the remediation test, all detailed reports should be updated to reflect your remediation efforts and the retest results. The dispositions of the vulnerabilities are updated from “open” to “closed” to confirm that remediation was successful. It’s important that the findings themselves are not deleted or changed. A finding is still considered a finding as part of the engagement even if it was remediated after the fact.
Lastly, if there are other stakeholders, you’ll want to create any secondary or supporting deliverables that are specifically intended for that audience. These could be things such as attestations or a before-and-after summary that shows the effectiveness of the remediation effort and the current exposure of the organization.
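The prioritization, retest, and before-and-after reporting steps above can be captured in a small findings ledger. The following is an added example, not code from the original post or from any pentest vendor; the `Finding`, `FindingsLedger`, `Severity`, and `Difficulty` names are assumptions, the disposition values “open” and “closed” are taken from the text, and the interpretation of Difficulty as difficulty to exploit (easier ranks higher) is an assumption. The ledger deliberately has no delete operation: a retest only changes a finding’s disposition and records evidence.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class Difficulty(IntEnum):
    """Assumed meaning: how hard the finding is to exploit (lower = easier)."""
    EASY = 1
    MEDIUM = 2
    HARD = 3


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: Severity
    difficulty: Difficulty
    disposition: str = "open"                # "open" or "closed"; never deleted
    retest_notes: list = field(default_factory=list)


class FindingsLedger:
    """Tracks the findings of one engagement. There is intentionally no
    delete operation: a retest only updates a finding's disposition."""

    def __init__(self, findings):
        self._findings = {f.finding_id: f for f in findings}

    def prioritized(self):
        """Open findings in remediation order: most severe first, and among
        equal severity the easiest to exploit first."""
        open_items = [f for f in self._findings.values() if f.disposition == "open"]
        return sorted(open_items, key=lambda f: (-f.severity, f.difficulty))

    def record_retest(self, finding_id, verified, note):
        """Apply a retest result. A verified fix flips the disposition to
        'closed'; a failed retest leaves it 'open'. The note is kept either
        way as evidence for the updated report. Returns the new disposition."""
        f = self._findings[finding_id]
        f.retest_notes.append(note)
        f.disposition = "closed" if verified else "open"
        return f.disposition

    def before_after(self):
        """Counts per severity at engagement time (everything was open) versus
        what is still open after the retest: the before-and-after summary."""
        before = {s.name: 0 for s in Severity}
        after = {s.name: 0 for s in Severity}
        for f in self._findings.values():
            before[f.severity.name] += 1
            if f.disposition == "open":
                after[f.severity.name] += 1
        return {"before": before, "after": after}

    def __len__(self):
        # Closed findings still count: they remain part of the engagement record.
        return len(self._findings)


def sample_ledger():
    """Constructed sample findings (not from any real engagement)."""
    return FindingsLedger([
        Finding("F-01", "SQL injection in search", Severity.CRITICAL, Difficulty.EASY),
        Finding("F-02", "Outdated TLS configuration", Severity.MEDIUM, Difficulty.HARD),
        Finding("F-03", "Missing rate limit on login", Severity.HIGH, Difficulty.MEDIUM),
        Finding("F-04", "Verbose error pages", Severity.LOW, Difficulty.EASY),
        Finding("F-05", "IDOR on invoice download", Severity.HIGH, Difficulty.EASY),
    ])


if __name__ == "__main__":
    ledger = sample_ledger()
    print("Remediation order:", [f.finding_id for f in ledger.prioritized()])
    ledger.record_retest("F-01", True, "Parameterised query confirmed on retest")
    ledger.record_retest("F-05", False, "Retest still returned another tenant's invoice")
    print("Still open:", [f.finding_id for f in ledger.prioritized()])
    print("Before/after:", ledger.before_after())
```

Running the script prints the remediation order (critical first, then the two high findings with the easier-to-exploit one ahead), the findings still open after two retests, and the per-severity before-and-after counts that a stakeholder summary would be built from. Because closed findings stay in the ledger, `len(ledger)` still reports every finding from the engagement.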