The most interesting part of the web application penetration testing report
Penetration testing reports can be lengthy sometimes. Depending on your role in the company, you may be interested only in some parts of the report.
This is the last article in the series “Web application Penetration Testing Report”. In the previous article, I described 3 things that you will not find in a penetration testing report.
CEO
If you are a CEO, you don’t want to go through all the technical details of the report. What matters to you is the overall security posture. If no one has already told you about the subject of the penetration test, go to the Introduction section. You will read about the scope and what was excluded from the penetration testing. You can also check what the goal of the security assessment was, to better understand its purpose if you don’t know it yet. Next, go to the executive summary to see how many vulnerabilities were discovered and what a potential adversary can do with them.
This will give you an overview of what your team will be focusing on when working on the security of your web application.
CTO and CISO
If you are a CTO or a CISO you probably know about the scope of the pentest already. Look at the executive summary to see the impacts of the vulnerabilities and which ones should be addressed first. Most often they are sorted from critical to informational severity.
The generic recommendations section will tell you about proposed improvements that will harden your web application. These improvements may not be related to any currently discovered vulnerability, but they will prevent or limit potential attacks in case new vulnerabilities are discovered. This is a good starting point for planning security-improving actions, especially when the web application is constantly updated and new features are developed.
Project Manager
If you are a Project Manager involved in penetration testing, the executive summary will be the most interesting part for you. You will want to know how many vulnerabilities were discovered and what their severities are. You will be able to understand which people need to be involved in fixing specific vulnerabilities and keep track of the fixing process. That way, no vulnerability is left unaddressed.
Security Engineer
If you are a Security Engineer you should be familiar with the scope and out-of-scope areas of the penetration test. This is important for you to understand what areas of your company’s security need to be addressed in the future.
For that reason, start with the introduction section. Next, you can quickly review the numbers and the vulnerabilities that were discovered in the executive summary. Finally, go to the findings details section. You are probably familiar with the nature of each vulnerability, so you can skip the generic description of the finding. The technical details and the recommendations will be the most interesting to you. There you will find information on how to reproduce the exploitation of the vulnerability and what can be done to fix it. Besides the actual implementation of the fixes, you can use this information to look for similar issues in other applications in your company. You can also improve your company’s defense-in-depth mechanisms based on the generic recommendations.
Additionally, you can try to observe tendencies. If some type of vulnerability occurs frequently, it may be worth considering additional means to limit its presence in the future, such as specific security training or implementing a Web Application Firewall with generic signatures.
Finally, think of a way to automate the detection of simple vulnerabilities. It will not replace actual penetration testing, but it may help you discover vulnerabilities much earlier in the development process.
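As an added example (not part of the article), here is a small Python script a security engineer could use to track findings across several reports: it orders them from critical to informational as an executive summary does, lists the ones still open, and flags vulnerability classes that recur across reports. The findings, categories and report labels are constructed for illustration.

```python
from dataclasses import dataclass

# Severity order used by most reports: critical first, informational last.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]


@dataclass(frozen=True)
class Finding:
    report: str      # label of the report the finding came from (hypothetical)
    title: str
    category: str    # vulnerability class, e.g. "xss" or "sqli"
    severity: str
    fixed: bool = False


# Constructed sample findings, not taken from any real report.
SAMPLE_FINDINGS = [
    Finding("2023-Q1", "Reflected XSS in search", "xss", "high"),
    Finding("2023-Q1", "Missing HSTS header", "headers", "informational", fixed=True),
    Finding("2023-Q1", "SQL injection in report filter", "sqli", "critical", fixed=True),
    Finding("2023-Q3", "Stored XSS in profile bio", "xss", "high"),
    Finding("2023-Q3", "IDOR on invoice download", "access-control", "medium"),
    Finding("2024-Q1", "DOM XSS in widget", "xss", "medium", fixed=True),
    Finding("2024-Q1", "Verbose stack trace", "info-leak", "low"),
]


def sort_by_severity(findings):
    """Order findings from critical to informational, as an executive summary does."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


def recurring_categories(findings, min_reports=2):
    """Return categories that appeared in at least `min_reports` distinct reports."""
    reports_per_category = {}
    for f in findings:
        reports_per_category.setdefault(f.category, set()).add(f.report)
    return sorted(c for c, r in reports_per_category.items() if len(r) >= min_reports)


def open_findings(findings):
    """Findings not yet marked fixed, most severe first (stable order within a severity)."""
    return [f for f in sort_by_severity(findings) if not f.fixed]


if __name__ == "__main__":
    print("Open findings by severity:")
    for f in open_findings(SAMPLE_FINDINGS):
        print(f"  [{f.severity}] {f.report}: {f.title}")
    print("Recurring categories:", recurring_categories(SAMPLE_FINDINGS))
```

A recurring category is the signal the article describes: a candidate for targeted training, a WAF signature, or an automated check in the development pipeline.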
Developer
If you are a Developer aware of the security testing, quickly review the list of detected vulnerabilities in the executive summary and go to the details of the findings. Read the descriptions to make sure you understand each vulnerability in general. Then, focus on the technical details to see where the vulnerability occurs in your application.
Even if you have some ideas of how to fix them, go to the recommendations section. There are multiple ways of fixing vulnerabilities: some are effective, and others can be bypassed. Therefore, it is good to see what the penetration testers recommend.
Think about whether the described vulnerability could also exist in other parts of the code and search for it. After all, you know your application from a different perspective, very often much better than the penetration tester who conducted the test.
Regardless of your position, I hope you will be able to go through the penetration testing report more efficiently after reading this article.
This is the last article in the series “Web application Penetration Testing Report”, where I described the different sections of a penetration testing report.
Are you looking for a professional penetration testing service with a clear report, easy-to-read executive summary, and a precise explanation of vulnerabilities? Do you want to improve the security of your web application by applying valuable recommendations?
Schedule a free 15-minute online call with us. We will ask you about your web application and point you to solutions to improve its security.