While maybe not the most enjoyable of the penetration testing phases, reporting is probably the most important phase.
Why?
Because it’s here that you tell your client their systems’ weaknesses and give them suggestions to resolve those weaknesses. You should tell the client exactly which exploits you used to compromise their systems, as well as exactly what steps should be taken to remediate them. The whole point of this penetration testing engagement was to make their systems more secure, right? So don’t hold anything back.
To make things totally clear for the client, we like to:
- Weight each exploit or weakness using a metric based on its risk level: low, moderate, high, or extreme. This weight is based on how easy it was to exploit and how much damage it could cause.
- Then, we always add a suggested remediation timeline. Critical items are in the 1 – 3 month timeline and non-critical findings are in the 3 – 6 month bracket.
- We like to make it very easy for the client to see what they need to address, what is most critical, and just how critical it is.