Why do modern pentest reports still not make much sense?
How evolving pentest methods still haven't resulted in better reporting in 2023, and why there is a need for actionable pentest data.
The way pentests are carried out must change with the fast-changing threat landscape. Innovations that make pentests more automated and efficient are usually overlooked by smaller pentest providers because of limited budgets or an inability to fight tool fatigue.
One aspect of pentesting is overlooked the most: reporting. Sure, people have found ways to use generative AI to write their pentest reports for them (by the way, Hexway Hive just integrated ChatGPT, but that's not what we are talking about here). The contents of the pentest report usually lack essentials like readability and structure, the things that let the reader actually understand what the pentesters are delivering to the company. Let's take a look at how modern pentest reports can be better.
A lot of existing pentest reports suck
There, we said it. Many current pentest reports are haphazardly assembled paragraphs of jargon-filled technical text (we hope you noticed how the headline hurts the eye). We cover some of the most prevalent issues below.
Lack of standardization
There is no standard format or file type in which pentest reports are created. One vendor might use one format, while another might use a different one. This makes it hard for clients to ingest reports and to compare results across vendors.
There is no magic pill for this, but you can at least add some standards to your own approach: write internal instructions on how your company delivers reports, build a personal report template that you reuse across all projects, or take the client's own example and deliver reports the way they want them.
Things told without context only make sense to a few people (in our case, the pentesters). When a pentest report is written without enough context around the discovered bugs and vulnerabilities, clients and other stakeholders cannot correlate them with the relevance and impact on their product's security. They might conclude that the pentest was a waste of time and money and never return to this company's services.
Most of the time, the reader of the final report will not be anywhere near the hacking world. Usually it is management, or the internal developers who will fix the bugs. They will be unable to act on the report if all it tells them is that you pwn3d all the 0dayz to pop shellz.
And that's not even the worst part: it can also cost you a customer because your reports were too hard to read. Ah, such a world.
There are so many other issues: unawareness of risk, poor communication, insufficient mitigation suggestions, missing overall summaries…
What should I do then? No worries, we've got you covered. The next part gives some advice on how to improve your reports now. If you are ready to go even further, we have a service called Custom branded report: send us your current report template and we will turn it into something readable and visually great.
How to write better reports?
We have made it clear that there is a dire need for changes in how pentest reports are being done and what content is being put into them. The following points can help in generating smarter pentest reports.
Using a standardized framework to create reports has a lot of benefits. Not only does the client receive information in an expected format every time, they can also automate internal security processes and make better use of your reports. Ingesting the data into their own security posture tracking becomes much more efficient.
Explain your findings
When creating a penetration testing report, it's not enough to just list the found vulnerabilities. Providing context and explaining the process can make your report much more comprehensible and actionable. Always keep in mind who will be reading the final report.
Let's illustrate this with a real-life example. Suppose you're a security analyst who has discovered an IDOR (Insecure Direct Object References) bug during a pentest for a retail company's online shopping platform.
Instead of simply stating, "An IDOR bug was found," you could provide more context and explanation. For instance, you might write:
"During the analysis, an IDOR (Insecure Direct Object Reference) vulnerability was identified.
The bug we found allows a user to view other customers' order history, bypassing the website's security measures. This is like someone being able to see what you've bought simply by guessing your receipt number.
The potential impact on the business could be significant. Customers trust you with their data, and if they feel that trust is broken, they may choose to shop elsewhere. Therefore, fixing this issue is crucial to maintain customer trust and protect your business reputation."
By providing context and explaining the process in this way, you help your clients understand their product's security from a perspective they can relate to. Of course, the description still needs exhaustive technical details, reproduction instructions, and, where possible, recommendations for remediation and for preventing the issue in the future. It is also important to add examples of how the vulnerability can be exploited.
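To give the technical section of such a finding something concrete, here is an added example (not code from the original post or from the retail platform it describes): the vulnerable order lookup beside its hardened form. The order table, customer ids and the `NotFound` error are constructed for illustration; the fix scopes the lookup to the authenticated customer and records denied attempts so defenders can alert on guessing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    items: tuple


# Constructed sample rows standing in for the shop's order table.
ORDERS = {
    1001: Order(1001, 7, ("running shoes",)),
    1002: Order(1002, 42, ("kettle", "tea")),
}


class NotFound(Exception):
    """Raised where a web framework would answer 404."""


def get_order_vulnerable(order_id: int) -> Order:
    """Vulnerable: trusts the order id from the request and never checks
    whether the requesting customer owns it, so any logged-in user who
    guesses a neighbouring id sees someone else's order history."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order(requester_customer_id: int, order_id: int, audit: list) -> Order:
    """Hardened: the lookup is scoped to the authenticated customer.
    A foreign id and a missing id both yield the same 'not found', so the
    endpoint does not reveal which ids exist, and every denied attempt is
    appended to an audit trail that can feed an alert on enumeration."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != requester_customer_id:
        audit.append(f"denied customer={requester_customer_id} order={order_id}")
        raise NotFound(order_id)
    return order
```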
Use curated language
Creating a report that is easy to understand for a broad audience, regardless of their technical expertise, is crucial. This approach enhances the value of your pentest reports. It's important to remember that your audience may include a variety of stakeholders, from technical experts to upper management teams who may not have a deep understanding of technical jargon. These decision-makers prefer clear, understandable information over a complex technical explanation.
Let's consider a real-life scenario. You have just completed a pentest for a large corporation. Your audience includes the company's CEO, the IT team, and non-technical staff members. Always remember that your report should include content for all of its final readers; it is common practice to add separate sections for management and for developers. Now take a finding written like this:
"The server exhibited vulnerabilities to a cross-site scripting (XSS) attack due to outdated security patches"
Hard for non-technical readers to understand, right? It is better to add an explanation of what this exact type of attack is and how it affects the product.
In this way, simplifying the language and using real-life analogies can make your pentest reports more accessible and valuable to a wider audience.
Add more visuals
Visual aids such as graphs, dashboards, and other forms of data visualization improve the readability and impact of pentest reports. They provide a quick overview of the security posture, which is particularly useful for readers who do not have the time or the need to dig into the details. They raise the report's overall quality by conveying a lot of information at a glance and… Fun fact: this also makes your report reader-friendly.
For example, let's say you've conducted a pentest for a software company's web application. You've found several vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), and Insecure Direct Object References (IDOR).
Instead of just listing these vulnerabilities, you could create a pie chart showing the distribution of different types of vulnerabilities found. This would give the reader an immediate understanding of the most common vulnerabilities in the application.
You could also include a dashboard that shows the severity of each vulnerability, the affected component of the application, and the proposed remediation steps. This would provide a high-level overview of the security issues and how to address them.
Here's how it may look:
| Vulnerability | Affected component | Proposed remediation |
|---|---|---|
| SQL Injection | | Update and sanitize input validation procedures |
| Cross-Site Scripting (XSS) | User Profile Page | Implement output encoding/escaping |
| Insecure Direct Object References (IDOR) | Order History Page | Implement proper access controls |
By incorporating these visual aids into your report, you make it more efficient, concise, and accessible to a wider audience while still covering broad technical ground. Of course, there is always room for improvement, and you can keep refining your approach for even better results.
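The standardized-format point above and this dashboard meet in practice when findings are kept in one fixed, machine-readable shape and the visuals are generated from it. The following is an added example, not code from the original post or from Hexway: it validates that every finding carries the fields the template requires, counts findings per vulnerability class (the numbers behind the pie chart), and renders the severity/component/remediation dashboard sorted worst-first. The finding ids, severities and the SQL injection component are assumed; the categories and remediations follow the web-application example in the text.

```python
from collections import Counter

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
REQUIRED = ("id", "category", "severity", "component", "remediation")

# Constructed findings in one fixed shape; ids, severities and the SQLi component are assumed.
FINDINGS = [
    {"id": "F-1", "category": "SQL Injection", "severity": "high",
     "component": "Product Search", "remediation": "Update and sanitize input validation procedures"},
    {"id": "F-2", "category": "Cross-Site Scripting (XSS)", "severity": "medium",
     "component": "User Profile Page", "remediation": "Implement output encoding/escaping"},
    {"id": "F-3", "category": "Insecure Direct Object References (IDOR)", "severity": "high",
     "component": "Order History Page", "remediation": "Implement proper access controls"},
    {"id": "F-4", "category": "Cross-Site Scripting (XSS)", "severity": "low",
     "component": "Search Results", "remediation": "Implement output encoding/escaping"},
]


def validate(finding: dict) -> dict:
    """Reject a finding that lacks a required field or uses an unknown severity,
    so every report the client ingests has the same shape."""
    missing = [k for k in REQUIRED if not finding.get(k)]
    if missing:
        raise ValueError(f"{finding.get('id', '?')}: missing {missing}")
    if finding["severity"] not in SEVERITY_RANK:
        raise ValueError(f"{finding['id']}: unknown severity {finding['severity']!r}")
    return finding


def distribution(findings: list) -> dict:
    """Findings per vulnerability class: the data series for the pie chart."""
    return dict(Counter(validate(f)["category"] for f in findings))


def render_dashboard(findings: list) -> str:
    """Pipe table sorted worst-first: severity, affected component, remediation."""
    rows = sorted((validate(f) for f in findings),
                  key=lambda f: (SEVERITY_RANK[f["severity"]], f["id"]))
    lines = ["| ID | Severity | Affected component | Proposed remediation |",
             "|---|---|---|---|"]
    for f in rows:
        lines.append(f"| {f['id']} | {f['severity']} | {f['component']} | {f['remediation']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(distribution(FINDINGS))
    print(render_dashboard(FINDINGS))
```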
What to do for better reporting?
We discussed what we can improve and modify to keep pentest reporting up with modern needs.
But the question arises: how to achieve this?
As we saw, standardization matters, and standardization in reporting needs a reporting tool that helps achieve it. Hexway Hive & Apiary is one solution that addresses these reporting problems.
Hexway Hive acts as a central repository for all your data and lets you import many different data formats, giving your pentest reports a unified structure. And Hive is not just a reporting tool: it is an all-in-1 pentest management tool and framework you can use to oversee your pentests. With progress and issue tracking, two-way communication channels with clients, and related visualizations, you can deliver top-notch reports for each of your pentests.