To expand on the previously shared “offensive security” example report, I had a search for some other example reports that have been shared online over the years. Some are a little outdated, but we’ll just call them “classic” as regardless of date, there are some good points we can take from them.
- NII Consulting (report PDF)
Although this example report was created back in 2005 (it seems) I like the way the Web Application Vulnerabilities are communicated (page 16). I would have liked to have seen more detail on each issue however… Still, the matrix like list gives the reader the ability to easily see what the issues are and what the recommended fix is.
- FooBar Security Inc (report PDF)
Again, and older report (2004). The format is a little sparse for my tastes and the lack of colour makes for bland reading. It’s also hard to see where the real issues are due to lack of risk ratings.
Personally I would avoid using the appendix for listing tool output unless it adds to the findings or is needed to clear up any questions (proof of exploit?). I would also stay clear of listing usernames and passwords in a report unless it was specifically required by a client. Simply showing proof that they could be broken and that they were insecurely stored/generated is usually enough. If you need more, stats on length, complexity is probably a good middle point.
- Cynergi Solutions (report PDF)
I’m not really sure about the 3D effect and cover art on this one, then again, that’s a personal choice really. Over half of the report is made up of charts it seems. Although some of the network layouts (zenmap output?) are interesting, if a little inaccurate probably, the number of charts is a little over the top IMHO.
Again, the layout on page 25 is easy to read and see where the issues are (similar to the previous report discussed). I particularly like the addition of the “fix” column that has keywords on what the fix entails (involved, quick, planned, …). This allows customers to get in the quick wins that don’t need much work.
- Fireworks (report PDF)
This report has a good mix, not too many charts etc… but it lacks some of the useful tables found in the other reports. Without the ability to quickly see where the issues are, the report lends itself to more technical readers. The technical summary is brief and contains more info about the way the test was run than anything else.
In the technical report section there’s good use of graphics to explain the issues, but a lack of screenshots in some findings. I know there’s a fine line between too many and not enough, but I feel that some of the findings could be better explained with the addition of a screenshot.
Note: These are just my quick thoughts on these example reports… I encourage you to take a look and tell me what you think are the good and bad points!