I have just noticed that I have replied directly to Matt, instead of replying to the list...
So, here is my reply:
----------------------------------------------
I do not fully agree with you. There are usually 3 types of information I deliver, based on indeed more than the output of a one single tool.
First a hand-made management report, which is usually very textual with a few high level graphs, mainly stats
Second, I deliver technical reports, coming directly from the tools. The audience of these are infrastructure, network, security people, who understand bits and bytes. This is the item I w
ant to
improve
Lastly, I also deliver recommendations, based on the findings. This is also essentially a hand made report.
I use to present all the information in one single binder: management, technical and recommendations in one document.
The advantage of doing this is that everyone in the audience knows what his expected actions are.
If 34 patches need to be installed (which is a technical info), this needs to be tested, and has a cost, therefore this information is also needed by the management.
This is exacly why I want to improve by integrating all
the
deliverable into one document.
Patrick Derwael
From: Matt Jonkman [mailto:[EMAIL PROTECTED]
Sent: Fri 2005-11-18 23:13
To: Patrick Derwael
Cc: [email protected]
Subject: Re: Reports
From: Matt Jonkman [mailto:[EMAIL PROTECTED]
Sent: Fri 2005-11-18 23:13
To: Patrick Derwael
Cc: [email protected]
Subject: Re: Reports
I would highly recommend NOT getting into the business of presenting
scan output to your customers. You'll not have very satisfied customers,
and you'll probably not get much repeat business. (just my opinion of
course)
A pen test, vulnerability assessment, etc, is not running a scanner and
printing off the results. It involve s looking at a net with many tools,
and using your gray matter and experience to interpret those results,
verify those are valid or not.
The report should be a human written analysis of what you found, what
the network's strengths and weaknesses are, and what you recommend to
remedy those. Included somewhere in that report should be a list of the
specific vulnerabilities that you found and verified by hand.
In short, if you've ever been given the results of a scanner as a report
for an assessment, you've been robbed. :)
If you're in the business of giving reports from scanners as
vulnerability assessments, you'd better make sure you have very good E&O
insurance. :) Cause it's going to come back to get you.
I'll get off my soapbox. But to answer the original question: There
don't exist a lot of tools to make scan results look pretty, because
that's not what scan results are for. Scan results are for the security
professional to read and interpret, the charts and graphs should be
generated by the security professional in your favorite spreadsheet
program, based on your interpreted data.
Matt
scan output to your customers. You'll not have very satisfied customers,
and you'll probably not get much repeat business. (just my opinion of
course)
A pen test, vulnerability assessment, etc, is not running a scanner and
printing off the results. It involve s looking at a net with many tools,
and using your gray matter and experience to interpret those results,
verify those are valid or not.
The report should be a human written analysis of what you found, what
the network's strengths and weaknesses are, and what you recommend to
remedy those. Included somewhere in that report should be a list of the
specific vulnerabilities that you found and verified by hand.
In short, if you've ever been given the results of a scanner as a report
for an assessment, you've been robbed. :)
If you're in the business of giving reports from scanners as
vulnerability assessments, you'd better make sure you have very good E&O
insurance. :) Cause it's going to come back to get you.
I'll get off my soapbox. But to answer the original question: There
don't exist a lot of tools to make scan results look pretty, because
that's not what scan results are for. Scan results are for the security
professional to read and interpret, the charts and graphs should be
generated by the security professional in your favorite spreadsheet
program, based on your interpreted data.
Matt
Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo! Messenger
Téléchargez le ici !
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
