Pen Test Documentation Strikes Back!

Filed under Penetration Testing

<%image(20080421-documentation.jpg|132|102|who wants to do documentation?)%>

John Sawyer over at Dark Reading put out a post about the importance of documentation as it relates to your pen test’s. I couldn’t agree more as documenting your methodology, testing it, and even having it reviewed by your peers are very important. I wrote a post a few months back about the importance of documentation and what some of the best practices are around how a team documents a pen test in progress. Even more important is having your basic methodology for testing well documented.

Your testing methodology should be the cornerstone of any pen test. Without a sound, repeatable methodology it would be very difficult to provide your client or organization with the systematic approach you used to conduct your testing and how you achieved your results. Most penetration testers follow some form of the ISSAF or OSSTMM methodologies and it’s ok to deviate slightly since every company and organization does things differently.

The hard part, as John points out, is that no one wants to do documentation! It’s time consuming and boring. Sure, we would all rather be out exploiting systems but you really need to think of the bigger picture here. Here are some basic suggestions:

– Talk about your methodology after each and every pen test with your team (make this part of the last phase of the pen test even). What went wrong? What went well? You can always make on-the-fly adjustments to your documentation if you need to and it will foster better communication between your team members.

– Rotate the documentation review process from one team member to another. That way not one person is stuck updating and maintaining your documentation. Also, if you have a system where one person does all the reports for your pen tests…make sure this isn’t the same person! That can lead to serious burn out (writing the reports can cause burn out as well but that’s another post entirely!).

– Schedule “documentation and tool review” sessions several times a year with your team. This is a great way for everyone on the team to provide feedback on the current testing process and methodology and make changes if necessary. Also because tools are always being updated and new ones are being released, you should talk about adding/removing these tools from your team’s toolkit based on the needs of team.

One Comment

  1. pete says:

    In addition to the quality control efforts you mention, ISECOM has a companion report to the OSSTMM 3 called the Security Test Audit Report (STAR) and the new OSSTMM also includes a new self-diagnostic called the Test Error Risk Margin (TERM) which is for teams to assess themselves and errors they encountered.

Post a Comment

Your email is never published nor shared. Required fields are marked *