flipboard.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#pentestreport


What makes for a good intrusion / pentest report? 🚫 Sadly, it’s not what is contained within this TrustedSec blog. 🚫

If you want to provide REAL value to your customer by producing a report that is actually usable within their business, here is a quick guide on what to include:

- Risk Rating: Always include an official CVSS/EPSS/etc score and URL along with a description on why the specific impact metric levels were chosen. Ensure that the risk is contextualized to the specific risk of the business and application you are testing. Generic risk descriptions are useless!

- Risk Description: Contextualize the risk to the business, system or application. Generic language copied from OWASP/PortSwigger/etc. is not relevant, and does not help the business understand the TRUE risk.

- Steps to Reproduce: Perhaps one of the most critical aspects of the report is the steps to reproduce the finding. Oftentimes, these reports are shared with Engineers who then have to go and implement the recommended fix. Their ability to reproduce the finding helps them to understand the risk, and to use contextual knowledge to understand how this may be impacting other aspects of the system or application.

- Remediation Steps: Contextualized recommendations are vital to the organization, and should be as detailed as possible. Remember, most of the time it is Engineers implementing the fix, not security professionals. Also, if more than one valid recommendation exists, include them!

Unfortunately, TrustedSec’s blog shows a lot of what is wrong with the penetration testing industry: providing no more value than running a scanner, and producing a report on their branded template.

At the end of the day, a customer will not see the number of hours spent behind the scenes doing the work required to produce a penetration test. The value to their organization comes from a report that is actionable. Reports like those shown in TrustedSec’s blog provide no more value than simply checking the box on what is likely an annually required test for most organizations.

#infosec #cybersecurity #pentest #reports #pentestreport #hacking #pentesting #intrusion

trustedsec.com/blog/level-up-y