What Items Should You Find in a Penetration Testing Report?
Before committing to a penetration test, companies should ensure that the services delivered to them will provide actionable results for a sound return on their investment. Here are 5 elements you should find in a penetration testing report to ensure success:
1. The executive summary
The executive summary provides an easy-to-understand description of identified risks and their potential impact (financial and otherwise) on the business being tested. Among other things, the summary should provide a description that is comprehensive, incisive and accessible to all stakeholders, including those who are not technically proficient. Upon reading the summary, all stakeholders should have a basic grasp of the extent of the problem and the best solutions to address it.
Your effort to make your business more secure from cyberattacks will have failed if the test results are understood only by your IT team, mainly because they are not in a position to make some of the decisions required to move forward with solutions. In other words, if your leadership team comes out of your penetration testing process confused, with more questions than answers, they will not be able to decide whether the proposed solutions are worth the investment of time and money.
Look for an executive summary written in clear and concise language, without the use of insider, technical jargon. Any technical terms used should be clearly defined in ways C-suite executives can understand. Finally, a strong summary typically includes summary charts and graphs which are useful to all readers.
2. Technical details of the vulnerabilities
The description of security vulnerabilities necessarily includes technical details without which IT staffers would have insufficient direction to create effective solutions—but those details must be contextualized and clearly explained so that all readers can understand the nature of risks. Often, this section of a penetration testing report will accurately describe risks in technical terms, including evidence of the vulnerabilities and a walk-through to allow the team to replicate and better understand the vulnerabilities.
Vulnerabilities are often broken down into a few categories, such as:
- Category of the vulnerability
- Severity and level of priority
- CVSS Score (Common Vulnerability Scoring System)
For example, if a healthcare company is vulnerable through files uploaded to its portal, it’s not enough to describe the technical process by which the attack could take place, with reference to things like the execution of “arbitrary code remotely.” The report must also include language which clearly spells out what that means for the business, using concrete examples such as “this means hackers, operating as administrators, will be able to view the medical records of any user.” In other words, the description of business impact is critically important to the usefulness of the report.
3. The potential impact of the vulnerabilities and their associated risk level
This section of the report should describe both the likelihood of each of the risks your business faces and the possible impact of each vulnerability on your company (as noted above, the level of risk should be clearly contextualized and presented in concise language). Regarding the level of risk, each vulnerability should be presented with its respective level of priority so they can be mitigated according to the risk they represent—in other words, some risks are more serious and impactful than others.
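The categories listed in section 2 and the prioritization described in section 3 can be captured in a structured finding record. The following Python is an added example, not code from the original article or from Vumetric: it derives a severity label from the CVSS v3.1 qualitative rating bands, checks that each finding carries the narrative fields the article calls for (category, evidence, business impact, remediation), and orders findings for remediation; the field names and the sample findings are my own constructions.

```python
from dataclasses import dataclass

# Qualitative severity bands from the CVSS v3.1 specification (section 5).
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)
# Narrative fields a usable report entry must carry (names assumed here).
REQUIRED_FIELDS = ("category", "evidence", "business_impact", "remediation")

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score (one decimal place) to its severity label."""
    score = round(score, 1)  # spec scores are already rounded to one decimal
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS base score out of range: {score}")

@dataclass
class Finding:
    title: str
    category: str          # e.g. "Unrestricted file upload"
    cvss_score: float      # CVSS v3.x base score
    evidence: str          # what was observed, enough for the team to replicate
    business_impact: str   # plain-language consequence for the business
    remediation: str       # fix tailored to this environment

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss_score)

    def missing_fields(self) -> list[str]:
        """Report-quality check: which required narrative fields are blank."""
        return [f for f in REQUIRED_FIELDS if not getattr(self, f).strip()]

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for remediation: highest CVSS score first, stable on ties."""
    return sorted(findings, key=lambda f: f.cvss_score, reverse=True)

# Constructed sample findings, modelled on the article's healthcare portal example.
SAMPLE = [
    Finding("Unrestricted file upload on patient portal", "File upload", 9.8,
            "Uploaded file was served and executed from the web root",
            "An attacker could read the medical records of any user",
            "Validate file type and store uploads outside the web root"),
    Finding("Missing login rate limit", "Authentication", 5.3,
            "1000 attempts accepted in 60 seconds", "", "Add lockout/throttling"),
]
```

Running `prioritize(SAMPLE)` lists the critical upload finding first, and `SAMPLE[1].missing_fields()` flags the blank business impact that would make that entry unusable to a non-technical reader.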
4. Solutions to fix the vulnerabilities
The penetration test report should, of course, present a general description of how best to remediate (in other words, fix) each vulnerability. But it’s also important that this description is tailored to the unique needs of your business.
For example, if your business relies on a given web server, it’s not reasonable for the report to suggest that you simply get rid of it and essentially start from scratch. The presented solutions must consider what is realistic for your business—and what isn’t. An effective penetration test report, for this reason, will present multiple remediation solutions, each of which includes sufficient detail, along with external resources for every risk identified, for your IT team to resolve the problem quickly and efficiently.
5. Methodologies used
It’s important, particularly for your IT staff, to understand the methodologies employed in conducting penetration testing. To begin, testing can be either manual or automated.
As its name suggests, manual penetration testing is performed by a human being, specifically an expert engineer. Manual testing generally follows a methodology that includes data collection, vulnerability assessment, actual exploitation (in which the tester launches an attack to reveal vulnerabilities) and the presentation of the report. Manual testing can be either focused—testing for specific (limited) vulnerabilities—or comprehensive.
Automated penetration testing is faster, more efficient, less time-consuming and generally more reliable. Automated testing can follow one of several renowned standards or an internally developed one. Among the available standards are:
- OWASP (the Open Web Application Security Project)
- OSSTMM (the Open Source Security Testing Methodology Manual)
- NIST (the National Institute of Standards and Technology)
When these 5 items are clearly presented and logically organized, the penetration testing report can effectively accomplish its objectives: inform executives about whether their company is secure, advise IT managers about risks to mitigate, and guide IT staff members towards actionable solutions. Any reputable company that specializes in penetration testing should provide its clients with a complete report that enables them to repair any security gaps, for peace of mind and prevention of potentially damaging attacks.
To learn more about the ways our cutting-edge penetration testing, security audits and cybersecurity services can protect your company from cyberattacks, request a consultation with a certified specialist today.