Information security is a broad subject that can be tackled in many different ways depending on numerous factors.
When you want to improve the security of your web application, penetration testing is one of the approaches to achieve that. Whether you hire an external company or request an internal security team to conduct the pentest, you should receive a report at the end of the assessment. In this blog post, I describe the structure of a typical web application penetration testing report.
!This is the first post of the 6-part series called “Web application Penetration Testing Report”. In this series, I take you through the typical report structure and explain its different elements.
What is web application penetration testing?
Penetration Testing is a process in the cyber security experts’ arsenal that allows for identifying vulnerabilities and security misconfigurations in your web application. The main goal is to find security holes that could be exploited by cybercriminals and provide recommendations to fix them.
Penetration testers conduct a series of manual and semi-automated tests, analyze the application behaviors and functionalities, and exploit identified issues to confirm their impact.
If you would like to read about specific approaches to improving the security of web applications, check out our case study where we describe how we helped to secure an open-source project.
As a result of the penetration testing assessment, penetration testers create a report with vulnerabilities details and provide recommended actions to fix them.
Penetration testing can be conducted on other types of software as well. In Zigrin Security we provide penetration testing services for web applications, standalone applications, internal networks, IoT devices, mobile applications, network services, and more.
The report is a very important part of the penetration testing process. It provides detailed information about security issues and more importantly recommendations on how different parties should address them.
However, different people will focus on different parts of the report. As an example, a Chief Information Security Officer may not be interested in the actual HTTP request that led to SQL injection vulnerability. He will be more concerned about the overall impact of this security bug. A developer on the other hand will spend less time reading about the number of findings, or statistical data and focus more on the technical details and recommendations of each finding.
Therefore, it is important that whoever reads the report, can quickly find information that is of the most interest to him or her.
Different companies and pentesting teams create reports in different ways. However, the structure of the pentest report I describe here is the one we in Zigrin Security found to provide the most value to our customers.
This is the first part of the report where you find information about the subject of the penetration test, dates, authors, and other types of metadata.
This section is useful to understand what the report is about and when and why the testing was done. Especially when the document is opened by a person who was not involved in the whole process.
Here you will also see the scope of the penetration test and what was excluded from the test.
CEO, Cybersecurity Expert
Let’s talk about securing your web application
Book a chat with me
The executive summary is the most interesting part of the penetration testing report for Chief-level officers. The executive summary provides a high-level overview of the identified vulnerabilities. Here you learn about the number of detected vulnerabilities divided by severity and what type of impact they cause. If vulnerabilities can be chained to conduct more dangerous attacks, you will read about it here too.
The methodology used to conduct the penetration tests is described here. This means information such as the approach (black, grey, white box), testing phases, severity classification, and used tools.
The core of every pentesting report is the details of the findings. Every vulnerability is described in detail here. The findings details section is mostly interesting for security engineers and developers who are involved in fixing identified vulnerabilities. You will find here the title of every discovered vulnerability, its severity, description, technical details, and more importantly recommendations aiming to fix or remediate the impacts. For many vulnerabilities, you will also find a reference sub-section with external resources helping you to apply fixes or understand the vulnerability in a broader view.
Additional resources about the penetration testing reports can be found below:
!The next article will shed some light on what a good executive summary of the penetration testing report should look like.
Do you know a company that is getting a penetration test of a web application? Share this article so they know what to expect.
Is this article helpful to you? Share it with your friends.