Penetration test reports can be overwhelming. The average report can be a hundred pages and full of technical jargon that even IT managers find daunting. When this is the case, the final report is often shelved, thereby wasting the thousands of dollars spent on the engagement, or the misunderstood report leads to misguided and incomplete remediation efforts.
For a company who engages a security firm in a penetration test, the final report is the most critical element. While the security firm will spend two to four weeks on a particular engagement before moving on to the next client, the hiring company will spend the next two to four years modeling and/or improving their security program based on the penetration test findings. With long-term security at stake, therefore, it is crucial that the final report is clear and understandable.
As a client, though, how can you ensure the quality of final deliverables? Referrals and recommendations from happy clients is a good place to start, of course. The easiest method, however, is to ask for, and review, a sample report. While the content of each report will be different based on the engagement, a sample report will provide a clear understanding of the format and quality of the final deliverable. For example, does the report appear to be manually written or automatically generated? Is it well-written or full of grammar mistakes and typing errors? More importantly, does the report address the various elements of the organization that will ultimately contribute to the policies and implementations of the company’s security program, namely:
- Executives. For the decision makers, the report should have a non-technical “Executive Summary” that clearly outlines the most critical findings of the engagement, the exploitation outcome of those findings, and the business risk of leaving those findings unaddressed.
- Managers. The report should detail how exploits were performed so that middle managers can discuss policy and implementation improvements that will remediate, or mitigate, the vulnerabilities that led to exploitation.
- IT Staff. The report should contain a vulnerability matrix that details all technical vulnerabilities identified, including descriptions, risks, and remediation steps for each issue.
By ensuring that final reports address each of these areas of the organization, companies can ensure that final deliverables are actionable and will actually improve the established security posture. Thus, rather than being overwhelming, the final report will contribute to the overall goal of being a secure corporation.
Feel free to contact us to view one of Rook’s sample reports.