CyberSecology Reporting Template

Application Security Assessment Template
This is a sample reporting template. I find this format useful. There are several other examples included
that may be helpful. My notes and suggestions are in this gray font and should be deleted from your final
report. This template can be used and shared freely.
Executive Summary
1. Reason for your test and under whose authority
2. Any specific goals you were given (“overall assessment” is a fine answer)
3. Timeframe for test
4. Brief description of the application
5. Summary of findings
6. Overall risk rating (high/medium/low)
7. Graph of number of findings
8. Summary of recommendations
CONFIDENTIAL
1
Methodology
1. Interviews
List of people and job titles interviewed
2. Documents Reviewed
List of documents and their version numbers reviewed. Optionally these documents can
be attached in the appendix
3. Tools Utilized
List all of the scanners and other test tools that you ran
4. List of Applications and URLs Tested
Outline the applications and URLs tested here
Results
Scan Findings Matrix
(Delete the rows for any scanner you did not use. The specific findings themselves are documented
later in this section; this matrix only tallies them by severity.)

Scanner           | High Findings | Medium Findings | Low Findings | Info Findings
------------------|---------------|-----------------|--------------|--------------
Acunetix WVS      |               |                 |              |
Burp Suite        |               |                 |              |
Cenzic Hailstorm  |               |                 |              |
HP WebInspect     |               |                 |              |
IBM AppScan       |               |                 |              |
Netsparker        |               |                 |              |
Nikto             |               |                 |              |
NTOSpider         |               |                 |              |
OWASP ZAP         |               |                 |              |
SkipFish          |               |                 |              |
Vega              |               |                 |              |
W3AF              |               |                 |              |
Wapiti            |               |                 |              |
Websecurify       |               |                 |              |
Nexpose           |               |                 |              |
Nessus            |               |                 |              |
nmap              |               |                 |              |
SQLMap            |               |                 |              |
Other Scanner     |               |                 |              |
Individual Findings
(Example. Use one table for each finding.)

Finding Name: SQL Injection
Severity: High
CWE or OSVDB: CWE-89: Improper Neutralization of Special Elements used in an SQL Command
Found by: Vega vulnerability scanner and verified with SQLmap
Description:
The phone number text entry box on the data entry page appears to have the user input directly
concatenated to a SQL query. Because of this, the tester was able to run SQL commands directly against
the database, viewing the data of other users as well as specific information about the database itself.
Potential Impact:
An attacker can potentially add, modify, view or delete the data in your database as well as view specific
information about the database and its metadata.
Affected Files/Code:
/registration/entry.php
How to Remediate:
Please see the OWASP “SQL Injection Prevention Cheat Sheet” at
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
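The following is an added illustration of the defect described in this example finding and of the primary
defense from the cheat sheet linked above (parameterized queries). It is not code from the template or from
the assessed application: the table, column names and sample rows are constructed for the example, and the
in-memory SQLite database stands in for whatever the real entry page talks to. The vulnerable function
concatenates the phone number exactly as the description says; the same two attack strings then show that
the remediated function returns nothing for them.

```python
"""Worked example for the SQL injection finding above (added illustration).

Models the described defect, user input concatenated into a SQL string on the
data-entry page, in an in-memory SQLite database, then shows the remediation
recommended by the OWASP SQL Injection Prevention Cheat Sheet: a parameterized
query. Table name, columns and rows are assumptions made for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample database with a few user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, phone) VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, phone: str) -> list:
    """Vulnerable version: the submitted phone number is concatenated straight
    into the query text, so quotes and keywords in it become SQL syntax.

    This reproduces the defect in the finding; it is the 'before' code.
    """
    query = "SELECT name, phone FROM users WHERE phone = '" + phone + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, phone: str) -> list:
    """Remediated version: the value is passed as a bound parameter, so the
    database driver treats it as data regardless of its contents."""
    query = "SELECT name, phone FROM users WHERE phone = ?"
    return conn.execute(query, (phone,)).fetchall()


# Constructed attack inputs of the kind a scanner such as SQLmap submits in a
# text field. The first makes the WHERE clause always true (other users' data);
# the second reads the schema out of sqlite_master (database metadata).
INJECTION_ALL_ROWS = "' OR '1'='1"
INJECTION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"


def schema_leaked(rows: list) -> bool:
    """True if any returned row carries a CREATE TABLE statement."""
    return any(str(r[1]).startswith("CREATE TABLE") for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, all rows:", lookup_vulnerable(db, INJECTION_ALL_ROWS))
    print("vulnerable, schema:  ", lookup_vulnerable(db, INJECTION_SCHEMA))
    print("fixed, all rows:     ", lookup_fixed(db, INJECTION_ALL_ROWS))
    print("fixed, schema:       ", lookup_fixed(db, INJECTION_SCHEMA))
```

When writing up a finding like this, the two injected strings are what belong under Affected Files/Code as
evidence, alongside the request that carried them; the parameterized form is what the remediation section
should ask the developers to apply to every query on the page, not just the one the scanner flagged.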
Finding Name: (e.g. SQL Injection)
Severity: (H/M/L/I)
CWE or OSVDB: (e.g. CWE-676: Use of Potentially Dangerous Function)
Found by: (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to
reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)
Finding Name: (e.g. SQL Injection)
Severity: (H/M/L/I)
CWE or OSVDB: (e.g. CWE-676: Use of Potentially Dangerous Function)
Found by: (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to
reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)
Finding Name: (e.g. SQL Injection)
Severity: (H/M/L/I)
CWE or OSVDB: (e.g. CWE-676: Use of Potentially Dangerous Function)
Found by: (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to
reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)
Finding Name: (e.g. SQL Injection)
Severity: (H/M/L/I)
CWE or OSVDB: (e.g. CWE-676: Use of Potentially Dangerous Function)
Found by: (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to
reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)
Conclusion
Summarize your findings, recommendations and overall risk rating here. This should be only one or two
paragraphs unless your findings were unusually complex.
APPENDIX
Attach your scan results and any OWASP cheat sheets you referenced. Optionally you can
attach any of the organization’s documentation you reviewed if you do not believe that it is
effectively managed or tracked.