Why reporting for a penetration test is so important

Worldwide, thousands of cyber security companies provide many types of penetration tests. But what makes a penetration test and its results stand out for customers? Securify knows that customers find it difficult to follow the details of a penetration test while a project is running, because parts of the process are highly technical and complicated. To make the findings and results comprehensible, outstanding reporting of a penetration test is indispensable.

The report is the principal deliverable of a penetration test. Even with the best penetration testing team, you cannot communicate your results adequately without good reporting. Hence, Securify cares about the reports delivered at the end of each project.

Before going further, let's first look at Securify's organizational scheme. Securify comprises multiple teams, such as Management, Penetration Testing, IT, Sales, and Project Management. Performing security assessments and delivering reports for every project are responsibilities of the penetration testing team. Even though the duties of teams are different, all teams work for the same purpose:

Providing a more secure digital environment to customers of Securify

An essential characteristic of the reports is that they appeal to technical and non-technical readers at the same time. To be understandable for everyone, a report comprises multiple sections that present information at different levels of detail: a summary for management, an overview of findings, a plan of approach, a technical conclusion with recommendations, attack scenarios, and the details of each vulnerability.

Management Summary

The first part of the report, the 'Management Summary', contains general information about the penetration test, such as the time interval of the security assessment, the scope, and the type of tests performed. This chapter explains what effect an attacker could have on the target systems by exploiting the detected vulnerabilities, the root causes of the problems, and what needs to be done to improve security further. The 'Management Summary' is written so that anyone can understand it without technical cybersecurity knowledge.

Technical conclusion and recommendations

The 'Technical conclusion and recommendations' part resembles the 'Management Summary' but shares more technical detail about the security level. One difference is that this chapter also answers the research questions. Before an assessment starts, Securify's customers can submit questions about their cyber security. Some examples of research questions are:

• Can an anonymous attacker gain unauthorized access to confidential data?
• To what extent is the cloud configuration hardened?
• What is the overall security level of the web applications?
• Which risk does the company face if attackers can abuse the APIs?

Client is reading a Securify report

Attack Scenarios

Some vulnerabilities can be combined and chained to pose an even bigger risk to the client. In such cases, the 'Attack Scenarios' chapter comes to our aid. It describes the chain from the first entry point to the last exploitation step, which makes the combined risk easier to visualize.

Plan of Approach

Penetration testers must also understand the application in order to perform an appropriate security assessment. Therefore, they describe the components in scope from their point of view, to show that the examinations were conducted with a thorough understanding of the details. Depending on the penetration test, Securify can apply different methodologies such as black-box, gray-box, or white-box testing. The 'Plan of Approach' chapter contains the details of the methodology used as well as all information about the scope and the target application.

Defining a detailed scope is essential to show which components were tested during the assessment. In the worst case, parts of the scope cannot be thoroughly tested for security vulnerabilities because problems arise during the assessment, such as downtime, non-working functionality, or difficulties with authentication; the report records this.

Overview of vulnerabilities

Two further chapters cover the vulnerabilities found during the assessment. The first gives an overview of the vulnerabilities, supported by graphs and tables. The second shares all available technical information that helps the reader understand and reproduce each finding. For every vulnerability, the specific risk and impact are calculated meticulously, as is the probability of a successful attack. In addition, Securify provides recommendations that help to mitigate the risk.
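The following is an added example of how the two vulnerability chapters can be fed from one set of findings; it is not Securify's tooling, and the page does not state how Securify calculates risk. The scoring here is an assumed impact × likelihood matrix (both on a 1..5 scale, mapped onto four ratings), and the findings are constructed sample data:

```python
"""Added example, not Securify's own code: rate findings and build the
overview that a report's 'Overview of vulnerabilities' chapter summarises.

Assumptions (not from the page): impact and likelihood are integers 1..5,
risk = impact * likelihood, mapped to Critical/High/Medium/Low by RATING_BANDS.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Finding:
    title: str
    component: str                # in-scope component where it was found
    impact: int                   # 1..5, damage if exploited (assumed scale)
    likelihood: int               # 1..5, probability of a successful attack (assumed scale)
    recommendation: str           # mitigation advice for the details chapter
    reproduction: list[str] = field(default_factory=list)  # steps so the reader can reproduce it


# Assumed mapping from score (1..25) to rating, checked from highest to lowest.
RATING_BANDS = (
    (20, "Critical"),
    (12, "High"),
    (6, "Medium"),
    (1, "Low"),
)


def risk_score(f: Finding) -> int:
    """Impact times likelihood; rejects values outside the assumed 1..5 scale."""
    for name, value in (("impact", f.impact), ("likelihood", f.likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return f.impact * f.likelihood


def risk_rating(f: Finding) -> str:
    score = risk_score(f)
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    return "Low"


def overview(findings) -> dict:
    """Counts per rating, ordered Critical..Low, for the overview graphs/tables."""
    counts = Counter(risk_rating(f) for f in findings)
    return {label: counts.get(label, 0) for _, label in RATING_BANDS}


def per_component(findings) -> dict:
    """Worst rating per in-scope component, useful for the management summary."""
    order = {label: i for i, (_, label) in enumerate(RATING_BANDS)}
    worst = {}
    for f in findings:
        r = risk_rating(f)
        if f.component not in worst or order[r] < order[worst[f.component]]:
            worst[f.component] = r
    return worst


def render_table(findings) -> str:
    """Plain-text table, highest risk first, as it would appear in the overview."""
    rows = sorted(findings, key=risk_score, reverse=True)
    lines = ["Rating   Score  Component   Title"]
    for f in rows:
        lines.append(f"{risk_rating(f):<8} {risk_score(f):>5}  {f.component:<11} {f.title}")
    return "\n".join(lines)


# Constructed sample findings (hypothetical, not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("SQL injection in search endpoint", "web-app", 5, 4,
            "Use parameterised queries", ["Submit a quote character in the search field"]),
    Finding("Storage bucket readable without authentication", "cloud", 4, 4,
            "Restrict the bucket policy to the application's service role"),
    Finding("Missing rate limiting on login", "api", 3, 2,
            "Add per-account and per-source throttling"),
    Finding("Verbose error messages", "web-app", 2, 2,
            "Disable stack traces in production"),
]

if __name__ == "__main__":
    print(render_table(SAMPLE_FINDINGS))
    print(overview(SAMPLE_FINDINGS))
    print(per_component(SAMPLE_FINDINGS))
```

Keeping the rating logic in one place means the overview table, the per-component summary, and the details chapter cannot disagree about a finding's severity, which is the kind of inconsistency a four-eyes review otherwise has to catch by hand.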

Securify's quality is shown in the reports it produces. The reports are the visible face of our assessments, and consistently delivering the highest quality reports is the top priority. Securify has adopted the four eyes policy:

Four eyes are better than two eyes.

For this reason, before a report takes its final form, it is always checked by two experienced offensive security specialists who have created countless reports. Any necessary updates are made before delivery to ensure the report's quality.

Delivered in a secure way

Last but not least, once a report is finalized, the penetration testers deliver it in an encrypted archive, so that the report cannot be opened by anyone who is not authorized to do so. Moreover, the password is always sent through a second factor to make it extra secure. What sets Securify apart from other cybersecurity companies is that the quality of its reports is never compromised. Naturally, this standard applies to all other services provided by Securify as well.
