Tuesday, February 28, 2012

Reporting: the key for good penetration testing

The Hacker Academy has a wonderful article about reporting, which can be found at http://www.thehackeracademy.com/reporting-the-difference-between-good-and-great-penetration-testers/

Here are some key points from the webcast:

  • The Executive Summary (It should be understood by your mom or your wife)
  1. What did we do?
  2. Why did we do it?
  3. What did we find?
  4. How bad is it?
  5. How much needs to be done to fix it?
  6. How good will we be afterwards?
  • The Findings Summary (Designed to be read by the CIO / CISO / Director-level security executives. More details than the executive summary)
  1. What is the severity distribution of the findings?
  2. What are the strengths?
  3. What are the weaknesses?
  4. How do we compare to last year / last time?
(For example, we can have an overall strengths section and an overall weaknesses section. A chart comparing the current results with the last result is very helpful.)
  • The technical details (the questions to answer)
  1. How did we perform the penetration test?
  2. What specifically did we find?
  3. How can our findings be reproduced?
  4. What needs to be done to fix each finding?
(Present the information with diagrams. Avoid too much detail.)

  • Design is important (it conveys your information more effectively)
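The Findings Summary questions above (severity distribution, strengths, weaknesses, comparison with the last assessment) are easy to answer consistently if the findings are kept as structured records and the summary numbers are computed from them rather than counted by hand. The script below is an added example written for this post, not code from The Hacker Academy or the webcast; the finding records, the tested areas and the severity weights are constructed sample data chosen to illustrate the aggregation.

```python
"""Compute the numbers behind a penetration-test Findings Summary.

Added example for this post. All finding records below are constructed
sample data, not results from any real engagement; the severity weights
are an assumed scoring scheme, not a published standard.
"""
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
# Assumed weights used only to rank weak areas; adjust to your methodology.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 3, "Low": 1, "Informational": 0}

# Areas that were in scope and actually tested. An area with no findings
# can be reported as a strength only because it was tested.
TESTED_AREAS = ["Authentication", "Transport security", "Input handling",
                "Session management", "Patch management"]

# Constructed findings from the previous assessment (hypothetical ids).
PREVIOUS_FINDINGS = [
    {"id": "F-01", "severity": "High", "area": "Input handling", "title": "Reflected XSS in search form"},
    {"id": "P-02", "severity": "Critical", "area": "Patch management", "title": "Unpatched web server"},
    {"id": "P-03", "severity": "Medium", "area": "Authentication", "title": "No account lockout"},
    {"id": "F-04", "severity": "Low", "area": "Session management", "title": "Missing HttpOnly flag"},
]

# Constructed findings from the current assessment. Findings that persist
# keep the same id as in the previous report so the comparison can match them.
CURRENT_FINDINGS = [
    {"id": "F-01", "severity": "High", "area": "Input handling", "title": "Reflected XSS in search form"},
    {"id": "F-02", "severity": "Medium", "area": "Transport security", "title": "TLS 1.0 still enabled"},
    {"id": "F-03", "severity": "Medium", "area": "Input handling", "title": "Verbose SQL error messages"},
    {"id": "F-04", "severity": "Low", "area": "Session management", "title": "Missing HttpOnly flag"},
    {"id": "F-05", "severity": "Informational", "area": "Transport security", "title": "HSTS max-age below a year"},
]


def severity_distribution(findings):
    """Count findings per severity, always listing every level (zeros included)."""
    counts = Counter(f["severity"] for f in findings)
    unknown = set(counts) - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def compare_to_previous(current, previous):
    """Answer 'how do we compare to last time?': per-level delta plus new/closed/persisting ids."""
    cur, prev = severity_distribution(current), severity_distribution(previous)
    cur_ids = {f["id"] for f in current}
    prev_ids = {f["id"] for f in previous}
    return {
        "delta_by_severity": {sev: cur[sev] - prev[sev] for sev in SEVERITY_ORDER},
        "new": sorted(cur_ids - prev_ids),
        "closed": sorted(prev_ids - cur_ids),
        "persisting": sorted(cur_ids & prev_ids),
    }


def strengths_and_weaknesses(findings, tested_areas):
    """Strengths: tested areas with no findings. Weaknesses: areas ranked by weighted severity."""
    weight = {area: 0 for area in tested_areas}
    count = {area: 0 for area in tested_areas}
    for f in findings:
        if f["area"] not in weight:
            raise ValueError(f"finding {f['id']} is in an area that was not tested: {f['area']}")
        weight[f["area"]] += SEVERITY_WEIGHT[f["severity"]]
        count[f["area"]] += 1
    strengths = [a for a in tested_areas if count[a] == 0]
    weaknesses = sorted((a for a in tested_areas if count[a] > 0),
                        key=lambda a: (-weight[a], -count[a], a))
    return {"strengths": strengths, "weaknesses": weaknesses, "weight": weight}


def findings_summary(current, previous, tested_areas):
    """Everything the Findings Summary section needs, as one dictionary."""
    sw = strengths_and_weaknesses(current, tested_areas)
    return {
        "distribution": severity_distribution(current),
        "comparison": compare_to_previous(current, previous),
        "strengths": sw["strengths"],
        "weaknesses": sw["weaknesses"],
    }


def render_text(summary):
    """Plain-text rendering; a real report would feed these numbers into a chart."""
    lines = ["Severity distribution:"]
    for sev in SEVERITY_ORDER:
        delta = summary["comparison"]["delta_by_severity"][sev]
        lines.append(f"  {sev:<14}{summary['distribution'][sev]:>3}  ({delta:+d} vs. last assessment)")
    lines.append("Strengths:  " + ", ".join(summary["strengths"]))
    lines.append("Weaknesses: " + ", ".join(summary["weaknesses"]))
    lines.append("Closed since last time: " + ", ".join(summary["comparison"]["closed"]))
    lines.append("New this time:          " + ", ".join(summary["comparison"]["new"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_text(findings_summary(CURRENT_FINDINGS, PREVIOUS_FINDINGS, TESTED_AREAS)))
```

Matching persisting findings by a stable id is what makes the year-over-year comparison meaningful; if ids are regenerated each engagement, every finding looks new and every old one looks closed. Likewise, an area appears under strengths only if it is listed as tested, so the script refuses findings in areas outside that list rather than silently reporting an untested area as clean.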
