Reports - Paiet/SEC-335 GitHub Wiki
- Normalization of data
  - Making sure the report is readable by diverse audiences
- Database data
  - Organize the data into data sets that have logical connections (e.g., each finding tied to the hosts it affects)
- Keep to the point
  - Do your best not to ramble
  - Make technical information accessible to the technical staff who will act on it
- Appendices
  - Clickable links
- Written report of findings and remediation
  - Executive summary
    - Summarizes the findings
    - Includes
      - Tasks completed during testing
      - Methodology used during testing
      - High-level findings
      - Remediation suggestions
      - Conclusion statement
  - Methodology
    - Includes
      - What tests were performed during the engagement
      - Repeatable step-by-step guides
        - Written so the client can reproduce and validate your results
  - Findings and remediation
    - Typically a table or chart
      - Clearly illustrates the:
        - Vulnerability
        - Threat level
        - Risk rating
        - Exploitability
        - Remediation steps
    - Metrics
      - Quantifiable measurements
        - e.g., "This vulnerability's criticality rating is 8.2 out of 10"
    - Measures
      - The specific attributes of a data set used to calculate the metrics
        - Number of critical vulnerabilities
        - Percentage of vulnerable hosts
        - Risk rating
  - Conclusion
    - General summary of findings
    - Give some evidence for conclusions
    - Explain the goals
    - Explain potential attacks and which assets would be leveraged/affected
    - Prioritization based on your expert opinion/experience
  - Risk appetite
    - Difficult to ascertain
    - Once defined, use risk ratings to determine which risks are acceptable/unacceptable
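As an added example (not code from the SEC-335 wiki), the script below ties the findings table, the metrics/measures distinction and the risk-appetite step together: it normalizes a constructed set of raw findings into one row per host and vulnerability, derives the threat level, computes metrics such as the number of critical findings and the percentage of vulnerable hosts from those measures, and then splits the findings by an assumed risk appetite. The sample findings, the scope host list and the appetite threshold of 6.9 are constructed; the severity bands are the CVSS v3.x qualitative ratings, which assumes the page's "8.2 out of 10" is a CVSS-style score.

```python
from collections import Counter

# Constructed sample data (not from the wiki). Host names are deliberately
# inconsistent so the normalization step has something to do.
SAMPLE_FINDINGS = [
    ("WEB01.example.test", "SQL injection in login form", 9.8),
    ("web01.example.test.", "Outdated TLS configuration", 5.3),
    ("WEB01.example.test", "Outdated TLS configuration", 5.3),   # duplicate once normalized
    ("db01.example.test", "Default credentials on admin console", 8.2),
    ("app02.example.test", "Verbose error messages", 3.1),
]
SCOPE_HOSTS = ["web01.example.test", "db01.example.test",
               "app02.example.test", "mail01.example.test"]

# CVSS v3.x qualitative severity bands. The wiki's "8.2 out of 10" is assumed
# to be a CVSS-style score, which makes it "High" under these bands.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                  (0.1, "Low"), (0.0, "None")]


def severity(score):
    """Map a 0.0-10.0 score onto its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label


def normalize_host(name):
    """Canonical host name: trimmed, no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def build_findings_table(raw_findings):
    """Measures: one normalized, de-duplicated row per (host, vulnerability)."""
    seen, rows = set(), []
    for host, vuln, score in raw_findings:
        key = (normalize_host(host), vuln.strip())
        if key in seen:
            continue
        seen.add(key)
        rows.append({"host": key[0], "vulnerability": key[1],
                     "score": float(score), "severity": severity(float(score))})
    rows.sort(key=lambda r: (-r["score"], r["host"]))   # worst first
    return rows


def compute_metrics(rows, scope_hosts):
    """Metrics: quantities calculated from the measures in the table."""
    scope = {normalize_host(h) for h in scope_hosts}
    vulnerable = {r["host"] for r in rows} & scope
    by_severity = Counter(r["severity"] for r in rows)
    return {
        "total_findings": len(rows),
        "critical_count": by_severity["Critical"],
        "high_or_above": by_severity["Critical"] + by_severity["High"],
        "vulnerable_host_pct": round(100.0 * len(vulnerable) / len(scope), 1) if scope else 0.0,
        "highest_score": max((r["score"] for r in rows), default=0.0),
    }


def apply_risk_appetite(rows, max_acceptable_score):
    """Split findings by an assumed risk appetite expressed as the highest
    score the client will accept without remediation."""
    acceptable = [r for r in rows if r["score"] <= max_acceptable_score]
    unacceptable = [r for r in rows if r["score"] > max_acceptable_score]
    return acceptable, unacceptable


def render_markdown_table(rows):
    """Findings table with the vulnerability, score and threat-level columns."""
    lines = ["| Host | Vulnerability | Score | Severity |", "|---|---|---|---|"]
    lines += [f"| {r['host']} | {r['vulnerability']} | {r['score']:.1f} | {r['severity']} |"
              for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    table = build_findings_table(SAMPLE_FINDINGS)
    print(render_markdown_table(table))
    print(compute_metrics(table, SCOPE_HOSTS))
    within, beyond = apply_risk_appetite(table, 6.9)
    print(f"{len(beyond)} finding(s) exceed the risk appetite, {len(within)} within it")
```

The duplicate `WEB01`/`web01.` rows collapse to one after normalization, which is what keeps the "percentage of vulnerable hosts" metric honest; without that step the same host can be counted twice. Exploitability and remediation columns would be added to each row in the same way once the engagement data carries them.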
- Storage time for report
  - Regulated in some industries
- Secure handling
  - Report contains sensitive info
  - Set up access control
    - Firewall
    - Permissions
    - Auditing access
  - Availability to necessary audiences must be maintained
  - Encryption
- Disposition of reports
  - Formally transferring the report to the client
    - Get a receipt!
    - Authorized acknowledgement and sign-off
  - Once transferred, any further disposition should be handled by the authorized recipient
  - Transfer your master copy of the report and data to secure backups
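As an added example (not code from the SEC-335 wiki), one way to make the "receipt" concrete is a transfer manifest: a record of the exact file names, sizes and SHA-256 hashes handed over, which the authorized recipient signs off on and which either side can later re-verify. The block also restricts the master copy to owner-only permissions before it goes to backup. The engagement name, recipient and the placeholder report file are constructed; encryption at rest is outside this block because the Python standard library does not provide it.

```python
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Streamed SHA-256 so large PDF/ZIP deliverables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restrict_to_owner(path):
    """Owner read/write only (0600) for the master copy; returns the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_transfer_manifest(paths, engagement, recipient):
    """The receipt: names, sizes and hashes of exactly what was handed over,
    to be acknowledged and signed off by the authorized recipient."""
    return {
        "engagement": engagement,
        "recipient": recipient,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "files": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                   "sha256": sha256_file(p)} for p in paths],
    }


def verify_manifest(manifest, directory):
    """Names of files that are missing or whose hash no longer matches."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def run_demo():
    """Constructed end-to-end run in a temp directory (hypothetical names)."""
    with tempfile.TemporaryDirectory() as workdir:
        report = os.path.join(workdir, "ACME-pentest-report.pdf")
        with open(report, "wb") as f:
            f.write(b"%PDF-1.7 constructed placeholder report body\n")
        mode = restrict_to_owner(report)
        manifest = build_transfer_manifest([report], "ACME external pentest",
                                           "J. Doe, CISO (constructed)")
        clean = verify_manifest(manifest, workdir)
        with open(report, "ab") as f:          # simulate a change after hand-over
            f.write(b"altered\n")
        tampered = verify_manifest(manifest, workdir)
        return {"mode": mode, "manifest": manifest,
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["manifest"], indent=2))
    print("intact at hand-over:", not result["clean"],
          "| intact after change:", not result["tampered"])
```

The manifest, not the report itself, is what gets countersigned: it proves which bytes changed hands without putting the sensitive content into the sign-off record, and re-running `verify_manifest` against the client's copy later shows whether what they hold is still what was delivered.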