Penetration Testing
mailing list archives
Re: Penetration Test Report
From: Randy Pacheco <randy.pacheco () psthawaii com>
Date: Thu, 09 Jul 2009 09:17:50 -1000
Aloha,
I agree with the comments that too long a report makes no one want to
read it. Even myself. It took us numerous attempts to change our report style
until we were able to come up with a style that works with the Credit Union
Executives, Board Members and their third party vendor that takes care of
their infrastructure. We did not want to tell them what to do but rather
showed the flaw, gave feedback and talked about best practice. We learned
that Credit Unions will take your recommendations at face value and try to
do what you recommend. The issue here is that when you recommend something and the
Credit Union uses it, they can come back to you and hold you responsible for
the recommendation if they were to get compromised. We did not want to be
in that situation, so we stepped back and used the words "Best practice",
which does cover us.
At the end of our report we use the Appendix to show the vulnerabilities in
different formats for ease of reading. In the actual body of the report we
only highlight the most important. But we also take it further. We look
for security policies, backup policies, Business continuity plan, User
policies, vendor policies, firewall policies, Website policies,
infrastructure documentation, inventory documents, user access policy and
PCI compliance training for employees. We feel that if we are going to do an
assessment, the assessment should be as if we were the owners of the business
and what we would want to show the NCUA that we are complying.
On 7/8/09 6:12 AM, "fx0ne" <seyi.akin () gmail com> wrote:
Hi all,
I have been an information security consultant/pen tester for about 6 years
working with a company that has been an OSSTMM gold team member for about
two years and been using the methodology for close to five years now even
though we are mainly operating out of Africa where PT is still being
regarded as some sort of "black art". Most of our clients are big financial
institutions and conglomerates.
Let me cut to the chase. I would like to share with you a VA/PT report
framework that I came up with from my experience consulting in this field.
It has a bias towards the OSSTMM methodology (in fact a few points were
extracted from its report). I do not know how reports are structured in
other parts of the world, but I do know that other than the engagement
itself, the report serves to justify the derived value around these parts.
I have googled for sample reports but to say I came up short is a
masterpiece of understatement. What I found were either too verbose and
grandiose or downright shallow in content, missing out salient but pertinent
details in mostly audacious attempts at describing all the technical input
and results - Detailed layout, logical flow and visual analysis are
conspicuous only by their absence.
I have always believed that in order to get inside the mentality, first we
have to jettison the PT myth. Furthermore I am also of the opinion that a
VA/PT report should be as simple and clear as it is concise and should cut
across all strata of audience not just the technically minded.
All these put together led me to put up what is the first draft of the Open
Source Security Assessment Report (OSSAR v0.5), which I hope will complement
the OSSTMM. This is something that will be updated as often as I can with
new information. I will kindly request members of this group to download it
and give an objective opinion on the material. I am very much interested in
what this community thinks. Comments (+ve or -ve), suggestions and
modifications are welcome. A review by Pete will also be highly
appreciated.
This is a VA/PT report for a fictitious bank called eClipse Bank PLC carried
out by another fictitious company, Cynergi Solutions Inc. All names, URLs,
IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually
occurred for real, but I have replaced all the pesky details.
The report is attached or it can be downloaded at
http://digitalencode.net/ossar/ossar_v0.5.pdf
Looking forward to your feedback.
Thank you
--
Randal Pacheco