
VIDEO

Upgrade Your Pentest Reporting: Out with Old, In with New

Today’s episode focuses on everyone’s least favorite penetration testing activity… report writing. Joe touches on the pains of the process, reflects on what could have been done to improve the process, and outlines a new way to write reports in a painless manner with PlexTrac.

Category: Pentesting, Reports, Thought Leadership


Transcript

Hi, welcome to A Cup of Joe Espresso Shop, a small yet highly caffeinated shot of tips and tricks to make your business run smoothly and keep your employees happy. Today I want to talk about those days when you’re just not at your best, and you still got to get that report out.

I feel like death warmed over. No, it’s not COVID. I checked. Call it a summer cold, con flu. Or maybe sometimes it’s just a little too much fun with the team the night before. It happens to all of us from time to time, but that report still has to get out. It’s what the client has spent all that money on.

It wasn’t your leet skills as a pentester. Although they might be impressed with your creativity, they can’t do anything about it until they have the report in hand. In one of my practices we spent a lot of time on the road, and I spent many an evening in a hotel room writing the report from the last engagement. I remember this one time being in London, jet lagged, spiking a fever, popping antibiotics and Motrin, and trying desperately to get all the important bits from my previous test down onto paper. You see, back then we used Microsoft Word templates to get the job done. In fact, pretty much in all of my practices, the majority of work was done in Word. We tried templating it as best we could, but the findings databases were always out of date.

They were spread across laptops or a backup drive, and the narratives were crafted individually. We tried a couple of times to move to some sort of report management platform, but that stuff is hard. And I don’t think any of those attempts have even completed after this many years. If I had to do it all over again, I think I would do a few things differently.

For starters, I would have spent more energy lobbying for tech writers and QA people. Just because pentesters can write doesn’t mean they’re writers, and certainly a few of them want to spend all their time on it. Why not bring in some experts to make everybody else’s lives easy? I would set more realistic expectations on turnaround time and make sure the team had sufficient space on the calendar to focus on the report. The evening report sessions were brutal. The report should be a priority, not an afterthought. As the primary deliverable, it deserves appropriate space in the schedule. Finally, I should have stopped and completely implemented a reporting and collaboration platform.

Now I wouldn’t build it from scratch, which in my experience, would have just created a bigger timesuck and maintenance issue than having the Word templates to begin with. I mean, after all, if I break a leg, I’ll try to set it myself. I go to a doctor. Just because we could have built a homegrown system doesn’t mean we were entirely equipped to do so. Businesses are successful when they focus on their strengths and find the right partners to help with the rest.

If I had PlexTrac, I might have slept better, enjoyed my time on the road a little more, and probably not have driven my team into early retirement. All right, these cold meds aren’t doing the things. I’m going to go take a nap or something. So that’s all the time we have today. My name is Joe Perini and I’m PlexTrac’s Evangelist, wishing you happy reporting.

Oh, God, that’s terrible.