In this tutorial, I explained the importance of penetration testing reports.
A penetration test, or pentest, is a typical security assessment: the process of gaining access to specific information assets (e.g. computer systems, network infrastructure, or applications). A penetration test simulates an attack performed internally or externally by attackers who intend to find security weaknesses or vulnerabilities, and validates the potential impacts and risks should those vulnerabilities be exploited.
Security issues found through a penetration test are presented to the system's owner, data owner or risk owner. An effective penetration test will support this information with an accurate assessment of the potential impacts on the organization and of the range of technical and procedural safeguards that should be planned and executed to mitigate risks.
Many penetration testers are in fact very strong technically, since they have the skills needed to perform all of the tests, but they lack a report-writing methodology and approach, which creates a very big gap in the penetration testing cycle. A penetration test is useless without something tangible to give to a client or senior management. Report writing is a crucial part of any service provider's work (e.g. IT service/advisory). A report should detail the outcome of the test and, if you are making recommendations, document the recommendations to secure any high-risk systems.
The target audience of a penetration testing report will vary: the technical report will be read by IT or other responsible information security staff, while the executive summary will definitely be read by senior management.
Writing an effective penetration testing report is an art that needs to be learned, to make sure that the report delivers the right information to the targeted audience.
Download my book (community edition) and sample reports here: http://tiny.cc/6bub8y