
What Happens Once a Penetration Test Uncovers Vulnerabilities?

Introduction

The process followed once a pentest has uncovered vulnerabilities determines how management will address the findings. The issues raised in the report will either make sense to management or they will not. Pentesters should therefore consider the language used and the clarity of the report, so that C-suite-level readers are not lost in irrelevant detail or technical jargon.

In this article, we address how pentesters should proceed once they have uncovered vulnerabilities during client engagements. We take into account both the methods of reporting vulnerabilities and the process of patching the vulnerabilities that were discovered.

How Should Pentesters Proceed?

When penetration testers notice a flaw or hole in network security, do they notify the company right away or complete the testing beforehand to file a full report? What are the steps in the reporting process?

Penetration testers are always looking for security holes within an organization, whether during bug bounty hunting or during a client engagement. This is almost always a continuous exercise and often demands considerable time and effort.

Testing and reporting will usually be based on a methodology that defines the necessary steps to be taken. Most of the pentesting methodologies will require that the pentester document findings across all phases of testing.

Once testing is complete, the tester consolidates the findings into a full report that is then shared with management. However, this may not happen immediately after testing ends; the timing depends on the scope of the engagement and hence on the size of the report. Generally, the pentest team requests an exit meeting with the client to mark the end of the pentest. During the meeting, the findings are discussed and a “management response” document is shared. This is when the client responds to the uncovered risks, choosing to (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ki3VxyAjn10/