SCT Topic 5: Professional Reporting of Security Testing Findings

Taxonomy of security testing activities

This part overlaps with what we covered in SCT Topic 1; refer there for more details.

Vulnerability assessment

Vulnerability assessment (VA) aims to run tools that identify vulnerabilities in systems and software.

Note that VA only runs the tools and produces a report and comments based on their results, WITHOUT any human-driven inspection or further interaction with the target.

Professional security testers need to use both free and paid tools, because we have to assume attackers also use every tool available to scan for vulnerabilities.

Penetration testing

Penetration Testing (PT) simulates attackers’ behaviour and tries to “penetrate” a computer system. It follows these phases:

  1. Pre-engagement interactions
  2. Intelligence gathering
  3. Threat modelling
  4. Vulnerability analysis
  5. Exploitation
  6. Post exploitation
  7. Reporting

Red Teaming

Red teaming aims to emulate Tactics, Techniques and Procedures (TTPs) of adversaries in a more realistic way.

Red Team
  • simulate attackers
  • hired security testers
Blue Team
  • real-world defenders
  • not informed of the attacks in advance

Differences between PT and RT

    Penetration testing                 Red teaming
    Methodical security assessment      Flexible security assessment
    Restricted scope                    No rules (without being illegal)
    Engagement of 1 - 2 weeks           Engagement of between 2 weeks and 6 months
    Scope generally announced           No announcement
    Identifies vulnerabilities          Tests the Blue team on programs, policies, tools and skills

    Red teaming measures the organisation’s detection and response with two metrics:

    • Time To Detect (TTD)
    • Time to Mitigate (TTM)
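The two metrics above are simple differences between timestamps, but the cases that matter in a red-team report are the activities the Blue team never detected or never contained. The script below is an added example for these notes (not course code); the timeline format, the activity labels and the sample events are assumptions constructed for illustration, standing in for the red team's activity log and the Blue team's alert and ticket records.

```python
"""Time To Detect (TTD) and Time To Mitigate (TTM) from an engagement timeline.

Added example for these notes, not from the course. The timeline format and
the activity labels are assumptions; a real engagement would take them from the
red team's activity log and the blue team's ticketing or SIEM records."""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Optional

# Constructed timeline, one event per line: "<ISO-8601 time> <phase> <activity>"
# phase: start = red team begins the activity, detect = blue team raises an alert
# on it, mitigate = blue team contains it. Missing detect/mitigate events are the
# interesting cases, so the sample deliberately includes them.
TIMELINE = """\
2022-05-01T09:00:00 start    initial-access
2022-05-01T11:30:00 detect   initial-access
2022-05-01T13:00:00 mitigate initial-access
2022-05-02T08:15:00 start    privilege-escalation
2022-05-04T10:00:00 detect   privilege-escalation
2022-05-03T14:00:00 start    lateral-movement
"""

PHASES = ("start", "detect", "mitigate")


def parse_timeline(text: str) -> Dict[str, Dict[str, datetime]]:
    """Group events by activity: {activity: {phase: timestamp}}."""
    events: Dict[str, Dict[str, datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, phase, activity = line.split()
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        events.setdefault(activity, {})[phase] = datetime.fromisoformat(stamp)
    return events


def hours_between(later: Optional[datetime], earlier: datetime) -> Optional[float]:
    """Elapsed hours, or None when the later event never happened."""
    return None if later is None else (later - earlier) / timedelta(hours=1)


def engagement_metrics(events: Dict[str, Dict[str, datetime]]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-activity TTD and TTM in hours; None where the blue team never got there."""
    metrics = {}
    for activity, phase_times in events.items():
        start = phase_times["start"]  # a KeyError here means the timeline is malformed
        metrics[activity] = {
            "ttd_hours": hours_between(phase_times.get("detect"), start),
            "ttm_hours": hours_between(phase_times.get("mitigate"), start),
        }
    return metrics


def summarise(metrics: Dict[str, Dict[str, Optional[float]]]) -> dict:
    """Medians for the report plus the activities the blue team missed entirely."""
    ttds = [m["ttd_hours"] for m in metrics.values() if m["ttd_hours"] is not None]
    ttms = [m["ttm_hours"] for m in metrics.values() if m["ttm_hours"] is not None]
    return {
        "median_ttd_hours": median(ttds) if ttds else None,
        "median_ttm_hours": median(ttms) if ttms else None,
        "undetected": sorted(a for a, m in metrics.items() if m["ttd_hours"] is None),
        "unmitigated": sorted(a for a, m in metrics.items() if m["ttm_hours"] is None),
    }


if __name__ == "__main__":
    print(summarise(engagement_metrics(parse_timeline(TIMELINE))))
```

The undetected and unmitigated lists belong in the report alongside the medians: a median TTD of a day looks tolerable until the reader sees that one activity was never detected at all, which is exactly the program or tooling gap red teaming is meant to expose.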

Professional reporting of results

Three fundamental objectives of a professional report:

  1. Describe the findings
  2. Rate the vulnerabilities
  3. Explain how the results will affect the customer in the real world

Possible sections in a professional report

  1. Introduction/Overview
  2. Scope and objectives
  3. Deviations from the Statement of Work
  4. Methodology
  5. Significant assessment findings (critical findings)
  6. Positive observations
  7. Findings summary
  8. Detailed findings
  9. Appendix

Essential details that should be elaborated in a report:

  1. Risk, exploitability and impact values
     • Risk: how critical a certain vulnerability is
     • Exploitability: the feasibility of taking advantage of the vulnerability
     • Impact: an estimate of the damage
  2. Category: the category the vulnerability belongs to
     • e.g., data exposure, access control, validation
  3. Location: the specific location of the vulnerability within the target system
  4. Description: a detailed description, including code examples of how to exploit it and the damage that could be done
  5. Steps to replicate: pick the easiest way to replicate the exploitation of the vulnerability
  6. Recommendation: suggestions about how the client could remediate the vulnerability
     • May include patching guides, temporary hotfixes, or a rethink of the system architecture

Suggestions for reporting

  • Don’t show automatically generated reports to the client
  • Rate the vulnerabilities properly (refer to the CIA triad: confidentiality, integrity, availability)
  • Separate theoretical vs. real findings
  • Make sure vulnerabilities are real
  • Reproduction steps are important
  • Remediations and solutions are important
  • Standardise all templates
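The essential details listed earlier and the suggestions above (rate properly, separate theoretical from real findings, standardise templates) fit naturally into a small tool that checks each finding for the required fields, derives its risk rating from exploitability and impact, orders confirmed findings ahead of theoretical ones, and renders every finding through the same template. The script below is an added example for these notes, not course code; the three-level scale, the risk matrix, the field names and the sample findings (hypothetical hosts and paths) are assumptions for illustration.

```python
"""Standardised finding entries for a security testing report.

Added example for these notes, not code from the course or any project.
The three-level rating scale, the risk matrix and the sample findings are
assumptions chosen for illustration; adapt them to the client's own scheme."""
from dataclasses import dataclass, field
from typing import List, Tuple

LEVELS = ("low", "medium", "high")

# Risk derived from (exploitability, impact). Assumed matrix, not a standard.
RISK_MATRIX = {
    ("low", "low"): "Low",       ("low", "medium"): "Low",       ("low", "high"): "Medium",
    ("medium", "low"): "Low",    ("medium", "medium"): "Medium", ("medium", "high"): "High",
    ("high", "low"): "Medium",   ("high", "medium"): "High",     ("high", "high"): "Critical",
}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Details every finding must carry before it goes into the report.
REQUIRED = ("title", "category", "location", "description",
            "steps_to_replicate", "recommendation")


@dataclass
class Finding:
    title: str
    category: str                 # e.g. data exposure, access control, validation
    location: str                 # where in the target system
    description: str
    exploitability: str           # one of LEVELS
    impact: str                   # one of LEVELS
    cia: Tuple[str, ...]          # which of C, I, A the vulnerability affects
    steps_to_replicate: List[str] = field(default_factory=list)
    recommendation: str = ""
    confirmed: bool = False       # True only once the tester has reproduced it


def rate(exploitability: str, impact: str) -> str:
    """Map exploitability and impact onto a single risk rating."""
    if exploitability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[(exploitability, impact)]


def validate(finding: Finding) -> List[str]:
    """Return the names of report-essential details that are missing or malformed."""
    problems = [name for name in REQUIRED if not getattr(finding, name)]
    if finding.exploitability not in LEVELS:
        problems.append("exploitability")
    if finding.impact not in LEVELS:
        problems.append("impact")
    if not finding.cia or not set(finding.cia) <= {"C", "I", "A"}:
        problems.append("cia")
    return problems


def order_findings(findings: List[Finding]) -> List[Finding]:
    """Confirmed findings first, highest risk first; theoretical ones after them."""
    return sorted(findings, key=lambda f: (not f.confirmed,
                                           RISK_ORDER[rate(f.exploitability, f.impact)],
                                           f.title))


def render(finding: Finding) -> str:
    """Render one finding with the fixed template used throughout the report."""
    status = "Confirmed" if finding.confirmed else "Theoretical (not reproduced)"
    steps = "\n".join(f"    {i}. {s}" for i, s in enumerate(finding.steps_to_replicate, 1))
    return (
        f"{finding.title}\n"
        f"  Risk: {rate(finding.exploitability, finding.impact)} "
        f"(exploitability {finding.exploitability}, impact {finding.impact}, "
        f"affects {'/'.join(finding.cia)})\n"
        f"  Status: {status}\n"
        f"  Category: {finding.category}\n"
        f"  Location: {finding.location}\n"
        f"  Description: {finding.description}\n"
        f"  Steps to replicate:\n{steps or '    (none provided)'}\n"
        f"  Recommendation: {finding.recommendation}\n"
    )


# Constructed sample findings (hypothetical hosts and paths).
SAMPLE = [
    Finding("Verbose stack traces exposed", "data exposure",
            "https://app.example.test/api/orders",
            "Unhandled errors return framework stack traces with internal paths.",
            "high", "low", ("C",),
            ["Request /api/orders?id=abc", "Observe the stack trace in the JSON error body"],
            "Return generic error pages; log details server-side only.", confirmed=True),
    Finding("Missing server-side authorisation check", "access control",
            "https://app.example.test/api/orders/{id}",
            "Order records can be read by supplying another customer's id.",
            "high", "high", ("C", "I"),
            ["Log in as user A", "Request an order id that belongs to user B"],
            "Enforce ownership checks in the order service.", confirmed=True),
    Finding("Outdated TLS library reported by scanner", "configuration",
            "edge.example.test:443",
            "Version banner matches a release with known weaknesses; not verified by hand.",
            "medium", "medium", ("C",), [], "Confirm the version and upgrade.", confirmed=False),
]

if __name__ == "__main__":
    for f in order_findings(SAMPLE):
        missing = validate(f)
        print(render(f) if not missing else f"{f.title}: missing {missing}\n")
```

Running it shows the third finding, a scanner result nobody reproduced, rejected for lacking replication steps: that is the "separate theoretical vs. real findings" rule enforced mechanically, so an automatically generated result cannot reach the client dressed up as a confirmed vulnerability.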
Licensed under CC BY-NC-SA 4.0
Last updated on May 23, 2022 14:45 +0100