What Items Should You Find in a Penetration Testing Report?
Before committing to a penetration test, companies should ensure that the services will provide actionable results for a sound return on investment. Here are 5 elements you should find in a penetration testing report to ensure success:
1. The executive summary
The executive summary provides an easy-to-understand description of the identified risks and their potential impact (financial and otherwise) on the business being tested. Among other things, the summary should be comprehensive, incisive and accessible to all stakeholders, including those who are not technically proficient. Upon reading the summary, all stakeholders should have a basic grasp of the extent of the problem and the best solutions to address it.
Your attempt to make your business more secure from cyberattacks will have failed if the results of testing are understood only by your IT team, principally because they are not in a position to make some of the decisions necessary to move forward with solutions. Said differently, if your leadership team comes away from your penetration testing report confused, with more questions than answers, they will not be able to decide whether the proposed solutions are worth the suggested investment of time and money.
Look for an executive summary written in clear and concise language, without the use of insider, technical jargon. Any technical terms which are used should be clearly defined in ways C-suite executives can understand. Finally, a strong summary typically includes summary charts and graphs which are useful to all readers.
2. Technical vulnerability details
The description of security vulnerabilities necessarily includes technical details without which IT staffers would have insufficient direction to create effective solutions—but those details must be contextualized and clearly explained so that all readers can understand the nature of risks. Often, in other words, this section of a penetration testing report will accurately describe risks in technical terms, including evidence of the vulnerabilities and a walk-through to allow the team to replicate and better understand the vulnerabilities.
Each vulnerability is typically broken down along a few dimensions, such as:
- Category of the vulnerability
- Severity and level of priority
- CVSS score (Common Vulnerability Scoring System)
For example, if a healthcare company is vulnerable to files being uploaded through its portal, it’s not enough to describe the technical process by which the attack could take place, with reference to things like the execution of “arbitrary code remotely.” The report must also include language which clearly spells out what that means to the business (using concrete examples, such as “this means attackers, operating as administrators, will be able to view the medical records of any user”). In other words, the description of business impact is critically important to the usefulness of the report.
3. The potential impact of the vulnerabilities and the associated risk level
This section of the report should describe both the likelihood of each risk your business faces and the possible impact of each vulnerability on your company (as noted above, the level of risk should be clearly contextualized and presented in concise language). Regarding the level of risk, each vulnerability should be presented with its respective level of priority so that vulnerabilities can be mitigated according to the risk they represent—in other words, some risks are more serious and impactful than others.
4. Solutions to fix the vulnerabilities
The penetration test report should, of course, present a general description of how best to remediate (in other words, fix) each vulnerability. But it’s also important that this description is tailored to the unique needs of your business.
For example, if your business relies on a given web server, it’s not reasonable for the report to suggest that you simply get rid of it and essentially start from scratch. The presented solutions must consider what is realistic for your business—and what isn’t. For this reason, an effective penetration test report will present multiple remediation options for each identified risk, each with sufficient detail for your IT team to resolve the problem quickly and efficiently, drawing on external resources where needed.
5. Methodologies used
It’s important, particularly for your IT staff, to understand the methodologies employed in conducting penetration testing. To begin, testing can be either manual or automated.
As its name suggests, manual penetration testing is performed by a human being, specifically an expert engineer. Manual testing generally follows a methodology that includes data collection, vulnerability assessment, actual exploitation (in which the tester launches an attack to reveal vulnerabilities) and the presentation of the report. Manual testing can be either focused (testing for a specific, limited set of vulnerabilities) or comprehensive.
Automated penetration testing is faster, less time-consuming and generally more reliable. Automated testing can follow one of several renowned standards or an internally developed standard. Among the available standards are:
- OWASP (the Open Web Application Security Project);
- OSSTMM (the Open Source Security Testing Methodology Manual); and
- NIST (the National Institute of Standards and Technology)
When these 5 items are clearly presented and logically organized, the penetration testing report can effectively accomplish its objectives: to inform executives about whether their company is secure, to advise IT managers about the risks to mitigate, and to guide IT staff members towards actionable solutions. Any reputable company that specializes in penetration testing should provide its clients with a complete report which enables each of them to repair any security gaps, so they can gain peace of mind and prevent potentially damaging attacks.
To learn more about the ways our cutting-edge penetration testing, security audits and cybersecurity services can protect your company from cyberattacks, get a consultation with a certified specialist today.