What does a good executive summary look like in a penetration testing report?
The executive summary section of a penetration testing report is one of the most important sections for Directors and Chief-level officers. In this article, I will describe what you can expect from a good executive summary section of the penetration testing report.
This article is part of the series “Web application Penetration Testing Report”. In the previous article, I described the typical structure of a web application penetration testing report.
Bad executive summary
Before we dive into a good executive summary let’s take a look at what characterizes a bad one.
An executive summary that shows just a vulnerability count and a colorful chart of their severities is not a good executive summary. It is even worse when the chart is a pie chart, which might suggest that all existing vulnerabilities were discovered (more about this in another article in this series). A pie chart is a poor way of presenting this type of data because it emphasizes the relation between the elements in the chart. More important than the relation between vulnerability severities is the number of vulnerabilities in each severity. This is better shown using a bar chart.
Good executive summary
So what characterizes a good executive summary in a penetration testing report?
First of all, it should be written in a language understood by the target audience. This means as few technical details as possible.
Second, it should summarize the results of the penetration test. This is usually a list of potential attack scenarios that adversaries could launch by exploiting the discovered vulnerabilities. This helps in understanding the overall impact of each vulnerability.
Another important piece of information is an overall, generic recommendation that helps to plan preventive actions beyond fixing the specific vulnerabilities.
In the reports we write at Zigrin Security, we also include one more section in the executive summary. Sometimes, specific vulnerabilities have little impact or some limitations, which usually places them at low or medium severity. There are situations, however, where an adversary can use multiple low/medium severity vulnerabilities together to cause significant damage. This is called chaining vulnerabilities, and if it could take place, we also describe it in the executive summary. This helps to understand the overall impact of all vulnerabilities used together, not just the impact of each separate vulnerability.
I hope this article has shed some light on what a good executive summary looks like.
If you hired a company to do a penetration test for you, you know what to expect here.
If you are a penetration tester writing such reports, you know what to focus on in your next executive summary.
The next article in the series will describe the most popular scoring system for vulnerabilities – CVSS (Common Vulnerability Scoring System).
Of course, this is not a definitive rule set for an executive summary.
Let me know in the comments what other sections you would like to see in an executive summary.