The more issues identified, the better, so a white box approach should be embraced when possible. The end result of the assessment is a prioritized list of the discovered vulnerabilities, each with methods of remediation.
A penetration test yields a report of how security was breached and methods of remediation.
Detailed Technical Report
A document developed for the use of the organization's technical staff that discusses:
- the methodology employed
- positive security aspects identified and their importance
- detailed technical vulnerability/threat findings
- a risk rating assigned to each vulnerability/threat
- supporting detailed exhibits for vulnerabilities, where appropriate
- detailed technical remediation steps
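As an added example (not part of the original page), the following Python builds the prioritized list that the Detailed Technical Report calls for: each finding gets a risk rating, the list is sorted by that rating, and findings that still lack remediation steps are flagged before the report goes out. The risk model is an assumption made here for illustration (likelihood and impact each scored 1 to 5, risk score as their product, score bands mapped to a rating label), and the sample findings are constructed, not results from any real assessment.

```python
"""
Added example (not from the original page): build the prioritized vulnerability
list for a Detailed Technical Report. Risk model is an assumption for
illustration: likelihood and impact are each scored 1-5, the risk score is
their product, and score bands map to a rating label. Sample findings below
are constructed data, not results from any real assessment.
"""
from dataclasses import dataclass, field

RATING_BANDS = (  # (minimum score, label); assumed bands, highest first
    (15, "Critical"),
    (10, "High"),
    (5, "Medium"),
    (1, "Low"),
)


@dataclass
class Finding:
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) .. 5 (severe); assumed scale
    remediation: str = ""    # detailed technical remediation steps
    exhibits: list = field(default_factory=list)  # supporting evidence references

    def __post_init__(self):
        # Reject scores outside the assumed 1..5 scale so ratings stay meaningful.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def risk_score(f: Finding) -> int:
    """Risk score = likelihood x impact (assumed model), range 1..25."""
    return f.likelihood * f.impact


def risk_rating(score: int) -> str:
    """Map a numeric score onto a rating label using RATING_BANDS."""
    for minimum, label in RATING_BANDS:
        if score >= minimum:
            return label
    raise ValueError(f"score out of range: {score}")


def prioritize(findings):
    """Sort findings highest risk first; ties broken by impact, then title,
    so the report order is stable and reproducible between runs."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.impact, f.title))


def report_gaps(findings):
    """Titles of findings with no remediation steps. The report requires
    remediation for every vulnerability, so these block delivery."""
    return [f.title for f in findings if not f.remediation.strip()]


def render(findings):
    """Plain-text table of the prioritized list, one row per finding."""
    lines = ["Rank  Rating    Score  Finding"]
    for rank, f in enumerate(prioritize(findings), start=1):
        score = risk_score(f)
        lines.append(f"{rank:<5} {risk_rating(score):<9} {score:<6} {f.title}")
    return "\n".join(lines)


# Constructed sample findings (hypothetical; not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration on public web server", 3, 2,
            "Disable legacy protocol versions; enable only current cipher suites."),
    Finding("SQL injection in customer search endpoint", 4, 5,
            "Use parameterised queries; add input validation.",
            exhibits=["exhibit-01.txt"]),
    Finding("Default credentials on internal printer admin page", 5, 2),
    Finding("Verbose error messages reveal stack traces", 2, 2,
            "Return generic error pages; log details server-side only."),
]

if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS))
    gaps = report_gaps(SAMPLE_FINDINGS)
    if gaps:
        print("\nFindings still missing remediation steps:", ", ".join(gaps))
```

Running the block prints the four constructed findings ranked Critical, High, Medium, Low and then names the one finding that has no remediation text. The bands and the product formula are the parts to replace with whatever rating scheme the engagement actually agreed on; the structure (score, label, sort, gap check) stays the same.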
Executive Summary Report
A document developed to summarize the scope, approach, findings and recommendations in a manner suitable for senior management (or non-IT professionals).
The following are the main sections, defined by the standard, as the basis for penetration testing execution:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
Customer Maturity Level: Low to Medium.
Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
Focus: Breadth over depth.
Penetration Test – Requested by clients who believe their defenses to be strong but want to test that assertion.
Customer Maturity Level: High.
Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
Focus: Depth over breadth.