What is Report Writing

  • In penetration testing, report writing is a comprehensive task that covers the methodology, the procedures, a proper explanation of the report’s content and design, a detailed example of a testing report, and the tester’s personal experience. Once the report is prepared, it is shared with the senior management and the technical team of the target organization. If any such need arises in the future, this report serves as the reference.


Report Writing Stages

  • Due to the comprehensive writing work involved, penetration report writing is classified into the following stages −
    • Report Planning
    • Information Collection
    • Writing the First Draft
    • Review and Finalization

Report Planning

  • Report planning starts with the objectives, which help readers understand the main points of the penetration test. This part describes why the testing is conducted, what the benefits of pen testing are, etc. Secondly, report planning also records the time taken for the testing.


  • Major elements of report writing are −
    • Objectives − Describes the overall purpose and benefits of pen testing.
    • Time − Including the time is very important, as it gives the accurate status of the system at that moment. If anything goes wrong later, this report will protect the tester, since it documents the risks and vulnerabilities within the penetration testing scope during that specific period of time.
    • Target Audience − The pen testing report also needs to name its target audience, such as the information security manager, the information technology manager, the chief information security officer, and the technical team.
    • Report Classification − Since the report is highly confidential, carrying server IP addresses, application information, vulnerabilities and threats, it needs to be classified properly. This classification should follow the target organization’s information classification policy.
    • Report Distribution − The number of copies and the report distribution should be mentioned in the scope of work. It also needs to state that hardcopies can be controlled by printing a limited number of copies, each marked with its copy number and the receiver’s name.


  • Information Collection
    • Because of the complicated and lengthy processes involved, the pen tester is required to record every step, to make sure that all the information from all stages of testing is collected. Along with the methods, the tester also needs to document the systems and tools used, scanning results, vulnerability assessments, details of the findings, etc.
  • Writing the First Draft
    • Once the tester has all the tools and information ready, the first draft can be started. Primarily, the first draft should be written in full detail – mentioning everything, i.e., all activities, processes, and experiences.
  • Review and Finalization
    • Once the report is drafted, it has to be reviewed first by the drafter and then by seniors or colleagues who may have assisted. While reviewing, the reviewer is expected to check every detail of the report and find any flaw that needs to be corrected.


  • Executive Summary
    • Scope of work
    • Project objectives
    • Assumptions
    • Timeline
    • Summary of findings
    • Summary of recommendations
  • Methodology
    • Planning
    • Exploitation
    • Reporting
  • Detailed Findings
    • Detailed systems information
    • Windows server information


Penetration Testing

  • Penetration testing is a type of security testing that is used to test the security of an application. It is conducted to find the security risks which might be present in the system.
  • If a system is not secured, then any attacker can disrupt it or gain unauthorized access to it. A security risk is normally an accidental error that occurs while developing and implementing the software, for example configuration errors, design errors, and software bugs.


Why Penetration Testing is Required

  • Penetration testing normally evaluates a system’s ability to protect its networks, applications, endpoints and users from external or internal threats. It also attempts to verify the security controls and ensures that only authorized access is possible.
  • Penetration testing is essential because −
    • It provides a simulation, i.e., it shows how an intruder may attack the system, in the form of a white-hat attack.
    • It helps find weak areas where an intruder could attack to gain access to the computer’s features and data.
    • It helps prevent black-hat attacks and protects the original data.
    • It estimates the potential business impact of an attack.
    • It provides evidence to suggest why it is important to increase investment in the security aspect of technology.


When to Perform Penetration Testing

  • Penetration testing is an essential activity that needs to be performed regularly to keep a system functioning securely. In addition to this, it should be performed whenever −
    • The security team discovers new threats from attackers.
    • You add new network infrastructure.
    • You update your system or install new software.
    • You relocate your office.
    • You set up a new end-user program/policy.


How is Penetration Testing Beneficial?

  • Penetration testing offers the following benefits −
    • Enhancement of the Management System − It provides detailed information about the security threats. In addition, it categorizes the degree of each vulnerability and shows which ones are more serious and which are less. So, you can easily and accurately manage your security system by allocating security resources accordingly.
    • Avoid Fines − Penetration testing keeps your organization’s major activities up to date and in compliance with the auditing system. So, penetration testing protects you from paying fines.
    • Protection from Financial Damage − A simple breach of the security system may cause millions of dollars of damage. Penetration testing can protect your organization from such damage.
    • Customer Protection − A breach of even a single customer’s data may cause big financial damage as well as reputational damage. Penetration testing protects organizations that deal with customers and keeps their data intact.


What is a Penetration Testing Report or VAPT Report?

  • A Penetration Testing report is a document that contains a detailed analysis of the vulnerabilities uncovered during the security test. It records the weaknesses, the threat they pose, and possible remedial steps. The Penetration Testing report gives you a complete overview of vulnerabilities with a POC (Proof of Concept) and remediation to fix those vulnerabilities on priority. It also gives a score against each found issue and how much it can impact your application/website.


How to create a powerful penetration testing report?

1. Detailed outline of uncovered vulnerabilities

  • The first and most important component of an ideal pentesting report is an outline of all the vulnerabilities uncovered in the VAPT, with documentation based on the findings. Regardless of where a vulnerability lies in the application, a proper bird’s-eye view of the vulnerabilities gives your security and executive teams a clear idea of the situation and the path ahead. An overly technical or detailed approach will leave you and your team perplexed. In a good penetration testing report, you should also expect to see an explanation of where these vulnerabilities lie and how an attacker could manipulate them, preferably in layman’s language.

2. Executive Summary & CVSS Score

  • Not all stakeholders are security professionals. Keeping this in mind, you must provide an executive summary of the pentesting report for the decision makers. The executive summary does not cover technical details or terminology; it gives an overview of the major findings explained in layman’s terms. The executive summary should be short, crisp, and well-formatted.


3. Assessment of the business impact

  • The next important component you should expect in a VAPT report is a detailed outline of the impact of the uncovered vulnerabilities on your business. By default, the numerical scoring assigned is mapped around Common Vulnerability Scoring System (CVSS). However, these scores often fail to take into account the severity of the vulnerabilities. Therefore, a pentester should employ more sophisticated ways to assign the scores. For example, a scoring system that assigns both comparable scores (low/medium/high/critical) and an explanation regarding the extent of severity each vulnerability possesses for the business, will bring the desired precision.

4. Insight into Exploitation difficulty

  • It is also important to mention the period of time for which the pentester was exploiting the website unnoticed. The report should document how difficult it was to exploit the security loopholes. If it was easy for the pentester, it can be far easier for a hacker. It will also help you understand what you were doing wrong before, and rectify it.


5. Technical Risks Briefing

  • The vulnerability risk rating (or CVSS score) is a straightforward way to indicate the severity of a vulnerability. It provides a quick understanding of the vulnerabilities at a glance.
  • However, when it comes to eradicating those vulnerabilities, just a rating or score won’t be sufficient. Thus, when drafting a penetration testing report you must provide an explanation of the highlighted vulnerabilities and technical risks. This briefing, when coupled with contextualization, adds even more weight to the report.

6. Remediation

  • Without remedial advice, a penetration testing report is just a document containing a list of vulnerabilities. Without proper remediation or suggestions for mitigation, your website or network will remain unsafe. Some VAPT service providers do not include the remediation steps in their reports; stay away from them!
  • Instead, look for a VAPT service provider that provides proper remediation steps along with the list of vulnerabilities in the pentesting report. Remediation advice varies for different vulnerabilities. For example, for some vulnerabilities, installing a security patch will be enough, whereas for others the intervention of a development team might be required to rectify code vulnerabilities. In either situation, the remediation steps provided by the VAPT service company come in handy.
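Components 2 to 6 above (executive summary, CVSS score, business impact, exploitation difficulty, technical risk and remediation) can be produced mechanically from a structured list of findings. The script below is an added example written for this page; it is not code from the original slides or from any VAPT provider. The CVSS-to-severity bands are the qualitative rating scale from the CVSS v3.1 specification; the rule that raises a band for a trivially exploitable issue on a business-critical asset is an assumed, illustrative contextualisation rule, and the findings, hostnames and scores at the bottom are constructed sample data.

```python
# Added example (not code from the original slides): turning a list of findings
# into the report components the slides describe: a CVSS-derived severity band,
# a business-context adjustment, exploitation difficulty, remediation text, and
# an executive-summary count. The sample findings at the bottom are constructed.
from dataclasses import dataclass
from typing import Dict, List


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to its qualitative severity band
    (the bands defined in the CVSS v3.1 specification)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK: Dict[str, int] = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SEVERITY_ORDER: List[str] = list(SEVERITY_RANK)
# Exploitation difficulty as observed by the tester (section 4 of the slides).
DIFFICULTY_RANK: Dict[str, int] = {"trivial": 0, "moderate": 1, "hard": 2}


@dataclass
class Finding:
    title: str
    cvss_base: float
    exploit_difficulty: str          # one of DIFFICULTY_RANK
    business_impact: str             # plain-language impact for the executive reader
    remediation: str                 # a concrete fix, not just a rating
    affected_assets: List[str]
    business_critical: bool = False  # does the asset carry core business functions?


def report_severity(finding: Finding) -> str:
    """Severity band used in the report.

    Starts from the CVSS band and, as an assumed illustrative contextual rule,
    raises it one step when a trivially exploitable issue sits on a
    business-critical asset. 'Critical' is never exceeded.
    """
    band = cvss_severity(finding.cvss_base)
    if (finding.business_critical and finding.exploit_difficulty == "trivial"
            and band not in ("None", "Critical")):
        band = SEVERITY_ORDER[SEVERITY_RANK[band] + 1]
    return band


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order findings for the detailed-findings section: highest report severity
    first, easier-to-exploit first within a band, then by raw CVSS score."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[report_severity(f)],
                       DIFFICULTY_RANK[f.exploit_difficulty],
                       -f.cvss_base),
    )


def executive_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per report severity band, for the executive summary."""
    counts = {band: 0 for band in SEVERITY_ORDER}
    for f in findings:
        counts[report_severity(f)] += 1
    return counts


def render_finding(finding: Finding) -> str:
    """One entry of the detailed-findings section, as plain text."""
    return "\n".join([
        f"[{report_severity(finding)}] {finding.title} (CVSS {finding.cvss_base})",
        f"  Affected: {', '.join(finding.affected_assets)}",
        f"  Exploitation difficulty: {finding.exploit_difficulty}",
        f"  Business impact: {finding.business_impact}",
        f"  Remediation: {finding.remediation}",
    ])


# Constructed sample findings; hostnames and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration", 5.3, "moderate",
            "Session data could be read by a well-positioned attacker.",
            "Disable TLS 1.0/1.1 and weak cipher suites on the load balancer.",
            ["www.example.test"]),
    Finding("SQL injection in customer search", 8.8, "trivial",
            "Read access to the whole customer database.",
            "Use parameterised queries in the search handler; add input validation.",
            ["app.example.test"], business_critical=True),
    Finding("Verbose error pages reveal stack traces", 3.7, "trivial",
            "Leaks framework versions that help an attacker plan further steps.",
            "Return generic error pages; log details server-side only.",
            ["www.example.test"]),
    Finding("Default credentials on admin console", 9.8, "trivial",
            "Complete takeover of the internal management console.",
            "Change the default password and restrict the console to the admin VLAN.",
            ["admin.internal.test"], business_critical=True),
]

if __name__ == "__main__":
    print("Executive summary:", executive_summary(SAMPLE_FINDINGS))
    for f in prioritise(SAMPLE_FINDINGS):
        print(render_finding(f))
```

Running the script prints a severity count for the executive summary followed by the findings in report order; the SQL injection finding is reported as Critical rather than its CVSS band of High because the assumed contextual rule fires, which is exactly the kind of business-aware adjustment section 3 asks for.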


7. Strategic Recommendations

  • Strategic recommendations are often overlooked by most VAPT service providers. But they are crucial and can define your organization’s outlook on security and shape your security strategies. Security is not just a destination, but a journey. In the absence of a defined security strategy, one-time security fixes can only do so much to protect your organization. Strategic recommendations from security experts will prove to be invaluable for your business, hence, look for a service provider that will give strategic recommendations to improve the working and security of your business.


Penetration Testing vs. Vulnerability Assessment

  • Generally, these two terms, i.e., Penetration Testing and Vulnerability Assessment, are used interchangeably by many people, either because of misunderstanding or marketing hype. But the two terms differ in their objectives and in other respects. However, before describing the differences, let us first understand both terms one by one.


  • Penetration Testing
    • Penetration testing replicates the actions of external and/or internal cyber attackers who intend to break the information security and hack the valuable data or disrupt the normal functioning of the organization. So, with the help of advanced tools and techniques, a penetration tester (also known as an ethical hacker) makes an effort to control critical systems and acquire access to sensitive data.
  • Vulnerability Assessment
    • On the other hand, a vulnerability assessment is the technique of identifying (discovery) and measuring (scanning) security vulnerabilities in a given environment. It is a comprehensive assessment of the information security position (result analysis). Further, it identifies the potential weaknesses and provides the proper mitigation measures (remediation) to either remove those weaknesses or reduce the risk they pose below the accepted level.


| Penetration Testing | Vulnerability Assessments |
| --- | --- |
| Determines the scope of an attack. | Makes a directory of assets and resources in a given system. |
| Tests sensitive data collection. | Discovers the potential threats to each resource. |
| Gathers targeted information and/or inspects the system. | Allocates quantifiable value and significance to the available resources. |
| Cleans up the system and gives the final report. | Attempts to mitigate or eliminate the potential vulnerabilities of valuable resources. |
| It is non-intrusive, documentation and environmental review and analysis. | Comprehensive analysis and thorough review of the target system and its environment. |
| It is ideal for physical environments and network architecture. | It is ideal for lab environments. |
| It is meant for critical real-time systems. | It is meant for non-critical systems. |


Limitations of Penetration Testing

  • Limitation of Time − As we all know, penetration testing is not by nature a time-bound exercise; nevertheless, penetration testing experts are allotted a fixed amount of time for each test. Attackers, on the other hand, have no time constraints; they may plan for a week, a month, or even years.
  • Limitation of Scope − Many organizations do not test everything, because of their own limitations, including resource constraints, security constraints, budget constraints, etc. Likewise, a tester has a limited scope and has to leave out many parts of the systems that might be much more vulnerable and a perfect niche for the attacker.
  • Limitation on Access − More often than not, testers have restricted access to the target environment. For example, a company may have carried out a penetration test against its DMZ systems from all across its internet networks, but what if the attackers come in through the normal internet gateway?
  • Limitation of Methods − There is a chance that the target system could crash during a penetration test, so some particular attack methods are likely to be taken off the table for a professional penetration tester. For example, producing a denial-of-service flood to divert a system or network administrator from another attack method is usually an ideal tactic for a really bad guy, but it is likely to fall outside the rules of engagement for most professional penetration testers.
  • Limitation of Skill-sets of a Penetration Tester − Professional penetration testers are usually limited by their skills, irrespective of their expertise and past experience. Most of them are focused on a particular technology and have little knowledge of other fields.
  • Limitation of Known Exploits − Many testers are aware only of those exploits which are public. In fact, their imaginative power is not as developed as that of attackers. Attackers normally think far beyond a tester’s thinking and discover the flaw to attack.
  • Limitation to Experiment − Most testers are time-bound and follow the instructions already given to them by their organization or seniors. They do not try something new, and do not think beyond the given instructions. Attackers, on the other hand, are free to think, to experiment, and to create a new path to attack.