Your penetration testing report is the security passport for your product and services to the world. It demonstrates the validation of your security controls and cybersecurity strategy at a wider level.
As a penetration testing services provider, we understand the pains of multiple different reporting formats (organised chaos?) and risk calculations. We have included the expectations of a penetration testing report and tips on how best to request a level of customisation to help your internal vulnerability assessment and management process. Service providers should ensure that customers receive the best quality reports for their investments.
For this article’s purpose, we will define Penetration Testing as a method of gaining assurance against some or all of an organisation’s assets using similar tools, tactics and procedures (TTP) to those used by adversaries.
What should a penetration test tell you?
Organisations with high security maturity have a good idea of what pen testers are going to find. A third-party penetration test provides assurance and helps you build a good understanding of the vulnerabilities in your assets. The final aim of a penetration test is to help improve an organisation’s internal vulnerability management process.
Penetration test regimes for the same asset may follow different approaches based on these parameters:
- what information is supplied to penetration testers (penetration test methodology)
- what test cases are included (tools, tactics and procedures)
- what assets are defined within the scope (pen test scope)
Whether some, all or no information is provided to penetration testers defines a grey box, white box or black box pen test respectively. Test cases are defined based on the asset environment and the primary and secondary security concerns. Assets within the scope are defined based on functional requirements or the drivers behind the penetration test; the scope may vary from a single server to multiple network segments to an entire estate.
Overall, a penetration test gives your products and services the confidence to demonstrate strong controls and that no publicly known vulnerabilities were present in the product at the time of testing.
What is a pentest report?
A penetration test report is the output of a technical security risk assessment that acts as a reference for business and technical teams. It serves multiple benefits in addition to a team’s internal vulnerability management process. Based on the sensitivity and business relationships, a report is used as a piece of evidence for product security assurance, an answer during M&A transactions, a proof of product/service security for big tenders or any related business stages where cybersecurity is questioned.
These testing reports are prepared using multiple methods, ranging from traditional reports written by security consultants, through template-based report generators, to online portals where reports can be viewed at any time.
What to expect from a Penetration test report?
A penetration test report should involve the following areas:
- An outline of risk exposure for the tested assets
- Strategic and tactical recommendations on how to improve security posture
- Security issues identified during the assessment
- Risk levels in the context of likelihood and impact
- Recommendations to address the findings
- Customer support involving debriefs to ensure the customer has a full understanding of their risks and risk remediation plan
Without further ado, let’s dig in!
An executive report (also called a management report) section includes the following areas:
- Executive Summary – This section provides a high-level clear view of the risks and potential business impact. The main purpose here is to provide non-technical insight into the primary security concerns identified during the security assessment. This section must help executives translate security language into a business risk to ensure cybersecurity is an enabler.
- Key findings identified during the assessment in the context of the customer environment.
- Strategic and tactical recommendations to help stakeholders with risk remediation decision making in terms of resource investments.
This section often includes visuals in the form of charts, graphs and risk grids. All our executive summary reports are available in a single report or can be requested separately.
TIP: You should agree a report format with your penetration testing services provider in line with your internal risk reporting formats. Once requested, the customer should receive multiple formats; usually a PDF report, a risk matrix (Excel format) and an internal risk findings document matching your risk reporting format. This offers benefits such as consistent risk ratings and direct input into your internal risk register and reporting formats.
Walkthrough of technical risks
The technical findings section includes the following elements for every reported issue:
- Issue descriptions around vulnerability, misconfiguration or any other weakness along with likelihood of attack and impact (contextualized)
- Risk and Vulnerability metrics such as Control area, Critical/High/Medium/Low/Informational, CVSS scoring (if required), CWE IDs, likelihood, impact and remediation
- Risk certainty
- Technical details such as proof of concept in the form of raw data, screenshots and steps to reproduce the issue
- Detailed remediation measures in the context of the affected components
Automated tools often report pre-calculated CVSS or similar scores that rate certain vulnerabilities incorrectly. This form of reporting is prone to false positives in many situations because it does not verify whether the vulnerability can actually be exploited, does not consider the context of the affected service or product, and is unaware of its environment and environmental metrics.
TIP: A penetration testing services provider must explain the risk scoring in the context of your assets to help you assess and remediate your technical risks.
Attack likelihood and potential impact
Pentest reports are sometimes challenged by peers in the security domain. Such challenges are partly justified and partly not.
Not justified, because it is sometimes impossible to consider all the environmental metrics of an asset.
Justified, because security assurance, management and other functional teams cannot interpret the right risk severities when technical reports miss out the following items:
- Control categories where vulnerability has been identified
- Missing context of the affected asset in scope due to lack of details around risk, i.e. likelihood or probability of an attack and its impact.
We ensure that all findings are accompanied by control mappings and risk factors such as likelihood, impact and difficulty to fix an issue.
Sadly, many testing reports include technical findings in detail but miss out the context of the customer’s business. No explanation of probability and impact is provided, leaving the customer distracted from their main task, i.e. assessing and preparing for remediation. Whether this is caused by reporting time squeezed by commercial pressures, or by a reporting process that simply omits this step, is unknown.
Here is an example:
Insecure TLS configurations are often reported in line with the output of popular tools. Issue descriptions include the relevant details such as supported ciphers, protocol or configuration vulnerabilities, and the associated technical risk ratings. However, it is not fair on the customer to present this issue as a significant concern unless factors such as the likelihood of attack, the impact and the service context (which varies between SMTP, web, SFTP or any other service) are taken into account.
What is technically accurate may not be a representation of a true risk for a customer.
Considering the underlying context helps establish accuracy in line with customer assets in scope for a security assessment.
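The earlier point about automated tools reporting pre-calculated CVSS scores, and the TLS example just given, can be made concrete with the scoring formula itself. This added example (not part of the article or of Cyphere’s process) implements CVSS v3.1 base and environmental scoring in Python and applies one constructed “weak TLS” vector to two assumed deployments: an internal SMTP relay and an internet-facing web application.

```python
"""CVSS v3.1 base versus environmental score for one 'weak TLS' finding."""
import math
# Metric weights from the CVSS v3.1 specification, section 7.4.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},  # keyed by scope: Unchanged / Changed
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirements

def roundup(x):
    """Round-up from CVSS v3.1 appendix A; integer maths avoids float artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):  # 'CVSS:3.1/AV:N/AC:H/...' -> {'AV': 'N', 'AC': 'H', ...}
    return dict(part.split(":") for part in vector.split("/")[1:])

def score(base, env=None):
    """Base score when env is None, else the environmental score (temporal metrics
    Not Defined). env may hold modified base metrics (MAV, MC, ...) and CR/IR/AR
    requirements; anything absent or 'X' keeps the base value."""
    environmental, env = env is not None, env or {}
    def g(k):  # modified metric if set, otherwise the base metric
        v = env.get("M" + k, "X")
        return base[k] if v == "X" else v
    scope = g("S")
    iss = 1 - ((1 - REQ[env.get("CR", "X")] * CIA[g("C")])
               * (1 - REQ[env.get("IR", "X")] * CIA[g("I")])
               * (1 - REQ[env.get("AR", "X")] * CIA[g("A")]))
    if environmental:
        iss = min(iss, 0.915)
    if scope == "U":
        impact = 6.42 * iss
    elif environmental:  # changed-scope curve differs in the environmental formula
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[g("AV")] * AC[g("AC")] * PR[scope][g("PR")] * UI[g("UI")]
    return roundup(min((1.08 if scope == "C" else 1.0) * (impact + expl), 10))

# Constructed finding: how a scanner would score "weak TLS protocol/cipher".
WEAK_TLS = parse("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N")
# Two assumed deployments of the same finding (not taken from the article).
INTERNAL_SMTP = {"MAV": "A", "CR": "L"}  # internal relay, low confidentiality need
EXTERNAL_WEB = {"CR": "H"}                # internet-facing app holding sensitive data

def contextual_scores():
    """(tool base score, internal SMTP relay, external web app) for WEAK_TLS."""
    return score(WEAK_TLS), score(WEAK_TLS, INTERNAL_SMTP), score(WEAK_TLS, EXTERNAL_WEB)
```

The same finding scores 3.7 as a scanner reports it, 2.4 on the internal relay and 4.4 on the external application, which is the contextualisation the article asks for.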
Risk remediation is the most important element of the report. Pentest buyers should look into a security partner who provides detailed guidance on risk remediation, not just reference links to vendor websites.
Prompt remediation of vulnerabilities is crucial to minimise the exposure of your assets. The resources needed to fix issues vary, so a remediation plan must be in place based on a prioritised approach. It may include simple tweaks, patching, configuration changes or, at times, third-party solutions. Some risks may not be addressed, and businesses have to accept or transfer the risk.
Customer Support and Debrief
Cyphere’s engagement process includes ongoing email/phone support and debriefing with management and technical teams. This session covers the remediation plan and an assessment walkthrough, in language the customer contacts understand, to ensure they are up to date.
Additionally, optional remediation consultancy is available to help mitigate the risks identified during penetration testing. We take a risk-focused approach to remediation, recognising that organisations differ in security skill-sets and environment complexity.
Sample penetration testing report
Any technically skilled person can perform a pen test. There is more to this process, though: communication, customer business insight, deliverables and client support. This is why we take our entire engagement process seriously.
If your cybersecurity services vendor engagements do not cover these items, or you are unhappy with your documentation, get in touch to discuss your concerns or ask for sample penetration testing reports.