How Do Pentesters Document and Remediate Vulnerabilities in Web Apps?

Not all aspects of pentesting are exciting, hands-on exercises. In fact, pentesters find themselves spending a lot of time documenting and recording their findings after a pentest has occurred. And even before a pentest can begin, a clear understanding of the criteria to be used must be established, as well as the creation of a list of objectives that need to be completed, verified, and reported on afterwards.

What follows are some of the most common procedures for documenting and remediating Web app vulnerabilities, and how a pentesting consultant might generally decide to approach such a task. Some of these steps might vary from one organization to the next, but the general procedures remain the same.

What Is the Proper Format for Documenting the Results of a Penetration Test?

When documenting the results of a Web app penetration test, it is important that both the pentester and the organization for which he is undertaking the work agree on a format that needs to be followed. This means that there is no set format that pentesters use in general, so there is some flexibility in the documentation aspect of a Web app pentest.

It is important that the company which has requested such testing be able to understand the results, as well as what remedial actions are required after the testing. Other parties that will be looking at the report are: developers, project managers, business owners, management and the IT department, as well as those that are responsible for auditing and compliance.

The main aspect of reporting to keep in mind is that it must be easy to read and logically set up so that the sequence of testing makes sense to everyone. The list of remedial actions should be clearly defined. The report should also suggest which parties are responsible (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: