Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Exchanging and sharing of assessment results - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Exchanging and sharing of assessment results

Penetration tests and vulnerability assessments are becoming more common across the whole industry as organizations found that it is necessary to prove a certain level of security for infrastructure/application. The need to exchange test result information is also increasing substantially. External parties ranging from business partners, clients to regulators may ask for prove of tests being done and also results of the test (aka. Clean bill of health).

The sharing of pentest information can create a huge debate, just how much do you want to share? There are at least a couple ways to get this done. The most seemingly easy way to do this is to share the whole report including the summary and also the detailed findings. While this seems easy, the party sharing out the report may be exposing too much information. Pentest reports can be like treasure map to attack an infrastructure and/or application. The detailed report usually include ways to reproduce the attack and effectively documenting a potential attack path in a step by step manner. It is true that vulnerabilities should be fixed as soon as possible after the pentest is done. Consider this scenario, the day after pentest is done, the regulators shows up and ask for the most recent test result. If you are not above the law, you should be yielding the latest report that is full of unfixed flaws.

Another way to share pentest result is to only share the executive summary portion. This portion of the test report usually gives a good overall view to what was done in the test and what sort of overall security posture the test subject is in. While this protects the party sharing out the test result, this may not grant the reviewer the right kind of information.  Some executive summary does not contain sufficient information especially those ones done by less competent testers. Aside from that, one of the trend I am noticing is the less experience the receiver of test result, the more him/her want to see the whole report, they just don’t know how to determine the security posture based on the executive summary alone.

There is no current industry standard for this kind of communication, it seems that all the exchange and sharing currently done are on ad-hoc basis. Some like it one way and others like it another way. I consider the current baseline for this kind of communication to be a well written executive summary containing actual summary information of the test with the methodologies used and also the high level view of the vulnerabilities that was found to be sufficient for giving a decent view into overall security posture. This obviously can escalate into a full report sharing if the quality of the executive summary just isn’t there.

If you have any opinions or tips on how to communicate this kind of information, let us know.

Jason

93 Posts
ISC Handler
My take has always been to not volunteer anything to auditors/regulators. Give them exactly what they ask for and no more. Your concept of giving them an executive summary is a good idea. But I would not worry about whether I have given them enough. If they want more, they will ask for it, and I will give it to them. The only downside with this tack is your extra work in manually giving them extra information. One solution then would be to give them the entire technical report. I think that after you have given them those 250 pages of single-spaced text, they will never ask you for anything more again ;)

Curt
Anonymous
I'd like to highlight another point:

If you're using an external company to perform the assessment, be sure to discuss your report sharing options in advance, and incorporate the shared understanding into the contract. Providers of penetration testing services may be careful about how their brand is used to "vouch" for security, and may restrict the client from revealing the name of the assessment company when sharing the report.

-- Lenny (blog.zeltser.com)
Lenny

216 Posts
ISC Handler
A scheme exists in a related area; BITS (http://www.bitsinfo.org/ ) enables members to share security-related information on suppliers. RFI / RFP responses, customer audits, that sort of thing. This seems an excellent development. Ideally, all such information will ultimately be freely available to all. (Disclosure - my employer has customers who participate in BITS. I don't speak for my employer of course, yadda yadda blah blah personal opinion only.)

http://www.bankinfosecurity.com/articles.php?art_id=969
Lenny
4 Posts

Sign Up for Free or Log In to start participating in the conversation!