How do you document?

Filed under General Security

Interesting post over on Slashdot yesterday on what the best practices are for documenting processes and procedures. While this is a general problem in IT, I thought that it would be worth to note that documentation is a major part of what pen testers and security professionals do.

From the pen testing side I require the testing team to document everything in at least some kind of document format like a text file to include time stamps to track when and what they did. Others find saving all the command shell activity to a file works just as well. It can be a pain when consolidating this data but having this documentation is better then tracking down who did what and when. As for process and procedure documentation I have just put everything in a centrally stored office document that the team can access. We can then track the revisions to this document by keeping it in this one location. Not a very sexy solution but it works for the team. One idea the team and I started to think about was putting together a Wiki (MediaWiki based) accessible to the team so each member could make updates and upload screen shots “on-the-fly”. I have used SharePoint, LiveLink, and Wiki’s for documentation in the past. The Wiki format seems to be the easiest to use and update.

One other thing to consider is how do you “securely” store all of this data (Wiki or not)? Our team stores this information on a encrypted file store (it was a strange third-party solution, nothing standard like TrueCrypt) but it can be difficult to access at times and tough to maintain the access control when team members come and go.

So how do others handle documentation as a pen test and/or security professional? Are you using a Wiki or other CMS type solution? What are some best practices regarding handling security documentation? Please add your comments and ideas…

Post a Comment

Your email is never published nor shared. Required fields are marked *