How to Pull Security Testing Results Together for Reporting

By Kevin Beaver

When you have gobs of security test data — from screenshots and manual observations you documented to detailed reports generated by the various vulnerability scanners you used — what do you do with it all? You need to go through your documentation with a fine-toothed comb and highlight all the areas that stand out. Base your decisions on the following:

  • Vulnerability rankings from your assessment tools

  • Your knowledge as an IT/security professional

  • The context of the vulnerability and how it actually impacts the business

To help you find out more about each vulnerability, many feature-rich security tools assign it a ranking (based on overall risk), explain it, suggest possible solutions, and include relevant links to vendor sites, the Common Vulnerabilities and Exposures (CVE) website, and the National Vulnerability Database (NVD). For further research, you might also need to check your vendor’s site, other support sites, and online forums to see whether the vulnerability actually affects your particular system and situation. Overall business risk is your main focus.

In your final report document, you might want to organize the vulnerabilities as shown in the following list:

  • Nontechnical findings

    • Social engineering vulnerabilities

    • Physical security vulnerabilities

    • IT and security operations vulnerabilities

  • Technical findings

    • Network infrastructure

    • Operating systems

    • Firewall rulebases

    • Databases

    • Web applications

    • Mobile apps

    • Mobile devices

For further clarity, you can create separate sections in your report for internal and external security vulnerabilities, and likewise for high- and moderate-priority findings. One final note: it’s generally a good idea to vet your findings with system owners first to ensure that they’re actually valid.
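As an added example (not code from the article), here is one way in Python to turn a pile of scanner and manual findings into the report structure above: the tool's rank and your business-impact assessment together decide the priority, findings are grouped by section, internal/external exposure and priority, and anything not yet vetted with the system owner is held back. The weighting scheme, the `Finding` fields and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict
# Report structure from the article: top-level section -> its subsections.
SECTIONS = {
    "Nontechnical findings": {"Social engineering", "Physical security",
                              "IT and security operations"},
    "Technical findings": {"Network infrastructure", "Operating systems",
                           "Firewall rulebases", "Databases", "Web applications",
                           "Mobile apps", "Mobile devices"},
}
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    title: str
    category: str         # a subsection name from SECTIONS
    tool_rank: str        # severity as rated by the scanner: low/medium/high
    business_impact: str  # your own assessment of the impact on the business
    exposure: str         # "internal" or "external"
    vetted: bool = False  # confirmed as valid with the system owner?

def final_priority(f: Finding) -> str:
    """Tool rank is only a starting point; business impact weighs double.
    (Hypothetical weighting for illustration, not a scheme from the article.)"""
    score = LEVEL[f.tool_rank] + 2 * LEVEL[f.business_impact]
    return "high" if score >= 7 else "moderate" if score >= 5 else "low"

def section_for(category: str) -> str:
    matches = [s for s, subs in SECTIONS.items() if category in subs]
    if not matches:
        raise ValueError(f"unknown category: {category}")
    return matches[0]

def build_report(findings):
    """Group vetted findings as section -> exposure -> priority -> titles; hold back unvetted ones."""
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    pending = []
    for f in findings:
        if not f.vetted:
            pending.append(f.title)
            continue
        report[section_for(f.category)][f.exposure][final_priority(f)].append(f.title)
    return report, pending

def sample_findings():  # constructed sample data, not real scanner output
    return [
        Finding("Default credentials on core switch", "Network infrastructure", "high", "high", "internal", True),
        Finding("Outdated TLS on marketing site", "Web applications", "medium", "low", "external", True),
        Finding("Tailgating into server room", "Physical security", "low", "high", "internal", True),
        Finding("Verbose error page on intranet app", "Web applications", "high", "low", "internal"),
    ]
```

Running `build_report(sample_findings())` yields the grouped report plus a pending list containing only the unvetted intranet finding.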