Recent
Writing reports – Oh noes!
Report writing has a bad reputation, every one seems to hate writing them and believe it to be the anticlimax of the assessment process. I haven’t been writing reports for very long, the reports that I have written I have enjoyed, no doubt in time the novelty will wear off and I will grow to hate them too. There are however lessons that I have learnt in my short report writing experience which I believe could have made my report writing that little bit easier and less time consuming. Those lessons I am going to share with you and if your just starting out in your report writing duties hopefully these can help you too. Or if your a report writing guru share your tips with me! The reports I have written are mainly web application assessments so I will concentrate on those.
During the testing phase of the assessment, document as much information as possible! There’s nothing worse than getting half way through your report and realising you forgot to document the affected vulnerable variable, you didn’t take a screenshot or you don’t know why you took the screenshot in the first place! This wastes a hell of a lot of time having to retrace your steps or having to revisit the vulnerability to gather more information. All this information should be documented and well organised. What I have done to help keep me keep organised is to create a spreadsheet template for the documentation of anything I find. Make sure you gather all the information necessary when you have found something and don’t move along until you have all the information you need for that particular finding.
Take screenshots of everything but remember what you took them for! Find a suitable screenshot application, most OSs come with their default screenshot applications however there are also others out there that may make your life easier. When taking the screenshots ensure that you don’t have any other tabs running or any other applications which are not related to the assessment it self. Save your screenshots in an adequate location and use an intelligent naming system. i.e. clientname-xss-1.png If possible time stamp every screenshot to keep a time log of your work.
OWASP
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.
OWASP have tons of information on their website about all kinds of web application security topics. This information is very useful when writing reports to help you better explain the finding or to find the accepted term for the vulnerability you have found. OWASP also have some great books which can be bought in paper back form from lulu.com or downloaded for free in PDF format. If your not a member of OWASP become one now! (If you do use any direct quotes from OWASP reference them)
PAGE BREAKS! Use page breaks when writing your report, these help with the formatting and stop you having to keep reformatting the document as you add more information.
Be thorough! Explain as much as possible about the finding this will help the client in understanding the problem and hopefully save you some time at a later date in answering those questions. As well as being through and technical, explain your findings in laymen’s terms. You don’t know the technical expertise of the person who may be reading your report. In most cases managers and directors will read the report and they haven’t got a clue what a variable is or what Session Fixation is.
Proof read and re proof read. Your clients are paying good money for your professional expertise, they are expecting a professional report. Spell checkers don’t find all of the spelling errors! (Don’t forget to use the appropriate dictionary US/UK) Have some one within your company (who is authorised) to proof read the report for you. You’ve been looking at the report for the past 3 days, it’s always good to have a fresh pair of eyes have a look over it.
Keep a blank report template, this will save you time when writing future reports with not having to organise and format everything.
I’m sure there’s plenty of other things out there that I should be doing in my report writing to make my life easier, these I’m sure I will learn in time. If you have any tips/hints let me know!
Some resources and other helpful links:
Introduction_to_Security_Assessments.ppt
Security_Assessment_Template.doc
ORG (OWASP Report Generator)
The WASC Threat Classification v2.0
The Web Application Hackers Handbook – Checklist of tasks
2 Responses to “Writing reports – Oh noes!”
Matt Johansen said...
Great post! As a fellow consultant I know the joys and pains of testing and report writing. When you get in the upwards of 50 page documents it is so unbelievably important to stay organized (something us nerds aren’t usually notorious for).
It is still a skill I struggle with and I’m learning the hard way as I’m sure most new to the consulting world do.
Jean-Philippe Houde said...
One thing I often see is people taking old reports from client 1 to create report for client 2. I don’t recommend doing this, using a fresh template as you say is a better idea.
However, if you absolutely need to do it that way, make sure you remove ANY references to client 1, this include File -> Properties in MS Word, which often contains information from the original document (Client name, etc…).
Keep on the good work!