Phase 4 - Documentation: Collecting Results
Documentation is an essential part of every penetration test. During the pentest, all steps leading to a successful attack are thoroughly documented. This ensures that after the test, everything can be reconstructed in detail. At the end of the pentest, this documentation is used as the basis for an individual report, which makes the results of the test understandable for the technical administration, as well as the management. The page count of such a report normally ranges in the three digit numbers. The whole report is written by the pentesters who performed the test, to ensure that the documentation optimally covers the pentest results and contains all the important details concerning individual findings.
Long Story Short
The report consists of several parts. At the beginning, there is a short executive summary, which summarises on a few pages all important results of the pentest in a concise overview. This report is consciously held nontechnical, to enable everyone to get an overview of the risk potential at hand and to develop an objective basis for further decisions, even without intricate technical knowledge.
Details and Technical Aspects
In a crucial phase of our product development, RedTeam Pentesting gave us valuable advice and results concerning the security of our product. They were able to identify vulnerabilities that were overlooked by a standardised process. The projected costs of performing the penetration test first made me hesitate and think about whether such a test would be worth it - in retrospect I am happy to have made this step.
The second part is a comprehensive technical report with a detailed description of the vulnerabilities that were discovered. This makes the pentest transparent and comprehensible for technically educated people. For every security flaw, extensive documentation is provided that precisely describes the technical background of the security vulnerability and how it may be exploited. Additionally, a risk analysis shows the potential risks of the flaw in the overall context of the tested systems. Finally, constructive solution proposals are given for the respective problem, to directly provide ideas for improvement based on best-practice approaches.