Structure and content of a pen-testing progress status update
The pen-testing project is initiated, the requirements including the testing environment are agreed, and the pen-testing team has started the actual testing.
The actual pen-testing can take from 7 up to 20 days to conclude, depending on the selected scope and its complexity in combination with the system(s) to be tested.
Business users would like to get some insight during the pen-testing as well, rather than waiting until the results report is delivered. There are 2 major methods to keep the business informed:
1. Weekly status emails (push)
For this, an email is sent out at the end of every week outlining the overall agreed scope of testing, which particular pen-tests were completed and which of those are still due. The picture below captures a possible format and content of such an email.
2. Online status internet page (pull)
In addition to the weekly status updates via email, the information and details can be reviewed on an internet site that is updated daily as the pen-testing progresses.
For this, business users receive access information for a webpage protected by very strong authentication and access control, so that only the defined users can access those pages. The information they find there outlines:
- agreed testing environment
- agreed scope
- particular pen-tests according to that scope
- whether a particular pen-test is completed or in work
- how many open vulnerabilities were found per pen-testing category and their severity categorisation
- status update timestamp
Structure and content of a pen-testing results document
The final pen-testing results document, created after completing the pen-testing, is delivered to business users in the most secure way possible, as it can contain very sensitive information about open vulnerabilities that must not become public.
The results document is encrypted and can only be accessed by the users authorized by the business responsibles.
The document contains 3 major chapters:
1. Pen-testing summary
The pen-testing summary section contains a consolidated overview of the results and can also be considered a management summary. It outlines on a single page which open vulnerability categories were detected, what the severities of the particular open vulnerabilities per category are, and how many of them exist per severity. The following table displays an example of such a summary one-pager.
Additionally, this section provides general information about the timeframe of the pen-testing, its environment, the utilized prioritization methodology, and a description of the risk assessment system used.
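As an added illustration (not part of the original document), the following script builds the counts behind such a summary one-pager from a list of findings. It assumes the CVSS v3.x qualitative rating scale for deriving severity from the score, and the findings themselves are constructed sample data, not taken from any real report.

```python
from collections import defaultdict

# Constructed sample findings (hypothetical data, not from a real report).
# "open" is False once a finding was remediated and confirmed by re-test.
FINDINGS = [
    {"id": "F-01", "category": "Authentication", "cvss": 9.1, "open": True},
    {"id": "F-02", "category": "Authentication", "cvss": 5.3, "open": True},
    {"id": "F-03", "category": "Injection",      "cvss": 8.8, "open": True},
    {"id": "F-04", "category": "Injection",      "cvss": 8.8, "open": False},
    {"id": "F-05", "category": "Configuration",  "cvss": 3.1, "open": True},
    {"id": "F-06", "category": "Configuration",  "cvss": 0.0, "open": True},
]

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info")


def severity_from_cvss(score):
    """Map a CVSS v3.x base score to its qualitative severity rating.
    CVSS calls the 0.0 rating "None"; the one-pager labels it "Info"."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def summarize(findings):
    """Count still-open findings per category and severity (the one-pager rows)."""
    table = defaultdict(lambda: {s: 0 for s in SEVERITY_ORDER})
    for f in findings:
        if f["open"]:
            table[f["category"]][severity_from_cvss(f["cvss"])] += 1
    return {category: dict(counts) for category, counts in table.items()}


def totals_by_severity(summary):
    """Column totals across all categories, e.g. for the management line."""
    return {s: sum(counts[s] for counts in summary.values()) for s in SEVERITY_ORDER}


if __name__ == "__main__":
    summary = summarize(FINDINGS)
    print(f"{'Category':<16}" + "".join(f"{s:>9}" for s in SEVERITY_ORDER))
    for category, counts in summary.items():
        print(f"{category:<16}" + "".join(f"{counts[s]:>9}" for s in SEVERITY_ORDER))
    print(f"{'Total':<16}" + "".join(f"{n:>9}" for n in totals_by_severity(summary).values()))
```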
2. Open vulnerability details
Each detected open vulnerability is described in detail in this chapter, providing information about:
- Categorization
- Severity
- Risk assessment / CVSS Score
- Impact / Proof of concept
- How to reproduce / Attacking Scenario
- Remediation recommendations
The following screenshot provides an example of one of the detected open vulnerabilities in a real-life results report delivered to a customer.
3. Pen-testing methodology description
This section provides information about the overall flow of the executed and completed pen-testing project, from initiation to completion, and outlines in detail the utilized frameworks, tools and methods, as a reference for business users.