I have to agree with Matt. We include all tool data (for the company's techs
to sift through) with our report, but they are in the appendix. Management
could care less about your vuln scanner's output, but the tech's may need it.
The meat of the report should be written using your grey matter...
-Mike
-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On
Behalf Of Matt Jonkman
Sent: Friday, November 18, 2005 5:14 PM
To: Patrick Derwael
Cc: nessus@list.nessus.org
Subject: Re: Reports
I would highly recommend NOT getting into the business of presenting
scan output to your customers. You'll not have very satisfied customers,
and you'll probably not get much repeat business. (just my opinion of
course)
A pen test, vulnerability assessment, etc, is not running a scanner and
printing off the results. It involves looking at a net with many tools,
and using your gray matter and experience to interpret those results,
verify those are valid or not.
The report should be a human written analysis of what you found, what
the network's strengths and weaknesses are, and what you recommend to
remedy those. Included somewhere in that report should be a list of the
specific vulnerabilities that you found and verified by hand.
In short, if you've ever been given the results of a scanner as a report
for an assessment, you've been robbed. :)
If you're in the business of giving reports from scanners as
vulnerability assessments, you'd better make sure you have very good E&O
insurance. :) Cause it's going to come back to get you.
I'll get off my soapbox. But to answer the original question: There
don't exist a lot of tools to make scan results look pretty, because
that's not what scan results are for. Scan results are for the security
professional to read and interpret, the charts and graphs should be
generated by the security professional in your favorite spreadsheet
program, based on your interpreted data.
Matt
On Fri, 2005-11-18 at 15:34 +0100, Patrick Derwael wrote:
Gentlemen,
I have been comparing a few scanners, and I must say that I find that
Nessus is of high technical quality, but the reporting part is rather
poor.
I cannot use the standard Nessus 'report' to present the scan results
to my customers.
Would womeone know of any reporting tool that could be used to format
and print the data generated by Nessus ?
Thank you
______________________________________________________________________
Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo!
Messenger
Téléchargez le ici !
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
www.infotex.com
my.infotex.com
www.bleedingsnort.com
--------------------------------------------
NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
