Reporting

This a guide for drafting an application assessment report

Introduction

• Objective

• Scope

• Schedule

• Targets

• Limitations

• Findings Summary

• Remediation Summary

Executive Summary

• Stick to facts

• Provide an overview of the assessment's timeline, goals, and the results

• Focus on High and Critical Findings

• Avoid Fear, Uncertainty and Doubt (FUD)

• Maximum of 1 page

• Use concise bullet for most important details (optional)

• Include controls that can be identified as a root cause for findings

• Ensure that the audience can actually perform recommendation

Findings

• Include description of vulnerability

• Remediation Steps

• Steps to reproduce PoC

• List each affect path and parameter

• Include screenshots, commands and code snippets

• Group findings by severity

• Include a checklist of controls that were tested (Best for reports minimal findings)

Appendices

Include an appendix for the following situations:

• Documenting Authorization letters

• Findings with a lot of parameters/information

• Listing enumerated usernames or guessed passwords

• Long command/code output

• Data exfiltrated from the application during exploitation

• Including key project information such as scope limitations