[Speaker] The findings and recommendations section in the penetration report is the meat of that report. The information that is provided there will be used to move forward with the remediations and the mitigations of the issues that you found in the environment that you tested. And you already know that the executive summary is where the very high-level information about the findings is actually documented, and it's not too technical. So again, remember that you actually have to keep in mind your audience. Now, for instance, if you're compiling a report for a web application penetration test, your ultimate audience for this section, and I'm talking about the remediation section, will likely be the development engineers who are responsible for creating and maintaining the application that is being tested, or the InfoSec, or information security, team that is responsible for that application.
Now you will therefore want to provide a sufficient amount of information for them to be able to, one, recreate the issue in the lab or in their environment, and identify exactly where in the code you actually need to apply a patch and what changes have to be made. So let's say you actually found a SQL injection flaw during the penetration testing. In the report, then, you actually need to provide the actual HTTP request and the response that you actually used to uncover the flaw, and what the actual input vectors were for that SQL injection. And you also need to provide proof that this is actually an exploitable flaw and not a false positive.
Now, ideally, if you're actually able to exploit the SQL injection flaw, you should also provide a screenshot showing the results of the exploitation, and also recommendations on how to actually fix the issue, and best practices on how to actually not only mitigate them but probably teach those development engineers or the InfoSec team how they can actually find those vulnerabilities in a systematic way, outside of a traditional pen testing engagement. Now another best practice is that you have to remember that this information can be, of course, very sensitive. So if there's sensitive information from an exploited database, then you should redact the screenshot in a manner that is actually sufficient to limit the sensitivity. Now I have over 100 real-life penetration testing reports, of course sanitized reports, in my GitHub repository. These reports are from many different security companies.
You can review them and learn from them, use them as a reference on how you can actually write your penetration testing reports and include mitigations and recommendations, and how you should structure the report in an effective manner.