Chapter 13. Reporting
Out of all the information in this book, some of the most important but most often overlooked topics are covered in this chapter. Although you can spend a lot of time playing with systems, at the end of the day, if you don’t produce a useful and actionable report, your efforts will have been more or less wasted. Sure, you had fun, but you’re unlikely to get paid for that fun. The objective of any security testing is always to make the application, system, or network better able to defend itself, whether by hardening it or by improving its ability to detect attacks. The point of a report is to convey your findings in a way that clearly identifies each issue and how to remediate it. This, just like any of the testing work, is an acquired skill. Finding issues is different from communicating them. If you find an issue but can’t adequately convey the threat to the organization and how to remediate it, the issue won’t get fixed, leaving it open for an attacker to exploit.
A serious issue with generating reports is determining the threat to the organization, the potential for that threat to be realized, and the impact to the organization if the threat is realized. You may think that using a lot of superlatives and adjectives to highlight a serious issue is a good way to draw attention to it. However, that approach is much like the proverbial boy who cried wolf. You can have only so many severity 0 issues (the highest-priority event) before people quickly become ...