Thread: Penetration Test Report

  1. #11 (Just burned his ISO, joined Jul 2009, 9 posts)

    Thanks again for your suggestions. These will be taken on board and will be included in the next installment.



    Quote Originally Posted by lupin:
    > So whats your plan for progressing this project?

    Just sent a copy to Pete Herzog of ISECOM and he's promised to review it within the next few days. I am open to any form of collaboration on this and any input and contribution will be immensely valuable. I will upload the base template in a couple of days.

    Thanks

  2. #12 (Just burned his ISO, joined Jul 2009, 5 posts)

    Just going back to the C-Level comments.

    What we like to do in our reports is aim the Exec Sum squarely at those C-Level types. This is the place for all those fluffy words that they like to hear. It is very important that they understand the importance and impact of what we are telling them in the report. We have found the best way to do this is by speaking in their terms. Let them know of the potential monetary or reputation risk etc. It needs to be all about "Business Impact" for these guys. Find what will motivate the execs and then apply leverage.

    Basically the Exec Sum is for the Execs and the rest of the report is for the techies (note: Not all techies are created equal. Try and gauge your audience prior to writing the report so you can shape it appropriately).

    It's also very important to provide leverage for our techie counterparts. We have found that in most orgs, the security guys just don't have the weight needed to get a lot of security projects off the ground. The number of times I have heard something like, "I have been telling them about this problem for years and never gotten funding to fix it.. your report did it in 5 mins!!" is amazing.. (for some reason Execs hire staff so they can ignore their advice...). If you get the chance (depending on the engagement), talk to the techies about what they think are the general problems related to the site. Ask them what they feel should be addressed as a matter of priority. If these findings fit with your findings then emphasize them to the execs. You will make the techie feel good, possibly get them the funding they are after.. and more often than not, you will receive repeat business as it will be the techie driving the next audit so he can use your report as leverage again.

  3. #13 (Moderator KMDave, joined Jan 2010, 2,281 posts)

    Since you modified your first post, you'd want to add the link again.

    Nice reports and thanks for sharing.
    Tiocfaidh ár lá

  4. #14 (Just burned his ISO, joined Jul 2009, 9 posts)

    I have been a bit busy of late but recently made some amendments to OSSAR (v1.0) based on the feedback received from forum members. I'm pretty sure I have omitted some suggestions because of my pressing schedule. Therefore, in addition to the pdf copy, an editable version in Open Office odt format is also provided. The documents can be downloaded here:

    http://inverse.com.ng/ossar/ossar_v1.0.pdf
    http://inverse.com.ng/ossar/ossar_v1.0.odt

    Any feedback will be highly appreciated. Thanks
