I have just noticed that I have replied directly to Matt, instead of replying
to the list...
So, here is my reply:
----------------------------------------------
I do not fully agree with you. There are usually 3 types of information I
deliver, based on indeed more than the output of a one single tool.
First a hand-made management report, which is usually very textual with a few
high level graphs, mainly stats
Second, I deliver technical reports, coming directly from the tools. The
audience of these are infrastructure, network, security people, who understand
bits and bytes. This is the item I want to improve
Lastly, I also deliver recommendations, based on the findings. This is also
essentially a hand made report.
I use to present all the information in one single binder: management,
technical and recommendations in one document.
The advantage of doing this is that everyone in the audience knows what his
expected actions are.
If 34 patches need to be installed (which is a technical info), this needs to
be tested, and has a cost, therefore this information is also needed by the
management.
This is exacly why I want to improve by integrating all the deliverable into
one document.
Patrick Derwael
---------------------------------
From: Matt Jonkman [mailto:mjonkman@infotex.com]
Sent: Fri 2005-11-18 23:13
To: Patrick Derwael
Cc: nessus@list.nessus.org
Subject: Re: Reports
I would highly recommend NOT getting into the business of presenting
scan output to your customers. You'll not have very satisfied customers,
and you'll probably not get much repeat business. (just my opinion of
course)
A pen test, vulnerability assessment, etc, is not running a scanner and
printing off the results. It involves looking at a net with many tools,
and using your gray matter and experience to interpret those results,
verify those are valid or not.
The report should be a human written analysis of what you found, what
the network's strengths and weaknesses are, and what you recommend to
remedy those. Included somewhere in that report should be a list of the
specific vulnerabilities that you found and verified by hand.
In short, if you've ever been given the results of a scanner as a report
for an assessment, you've been robbed. :)
If you're in the business of giving reports from scanners as
vulnerability assessments, you'd better make sure you have very good E&O
insurance. :) Cause it's going to come back to get you.
I'll get off my soapbox. But to answer the original question: There
don't exist a lot of tools to make scan results look pretty, because
that's not what scan results are for. Scan results are for the security
professional to read and interpret, the charts and graphs should be
generated by the security professional in your favorite spreadsheet
program, based on your interpreted data.
Matt
---------------------------------
Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo! Messenger
Téléchargez le ici ! _______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
