Reporting

Soft skills in information security are critical to being successful in your role. Although vulnerability scanning relies on automated tools, the results still have to be turned into a client-ready report. The report should be readable by anyone, from a technical person to a non-technical person. A strong report consists of the following sections:

  • Executive Summary

  • Overview of Assessment

  • Scope

  • Vulnerabilities and Recommendations

Executive Summary

The Executive Summary of a vulnerability assessment report is intended to be readable by an executive who needs a high-level overview of the findings and which items are most important to fix immediately, based on their severity. This section allows an executive to look at the report and prioritize remediation based on the summary alone.

You can also include a graphical view of the number of vulnerabilities based on the severity here, similar to the graph below:

Overview of Assessment

The Overview of the Assessment should include any methodology leveraged during the assessment. The methodology should describe how the assessment was executed during the testing period, including the process followed and the tools used for the project (e.g., Nessus).

Scope and Duration

The Scope and Duration section of the report should include everything the client authorized for the assessment, including the target scope and the testing period.

Vulnerabilities and Recommendations

The Vulnerabilities and Recommendations section should detail the findings discovered during the vulnerability assessment once you've eliminated any false positives by manually testing them. It is best to group related findings together, either by the type of issue or by severity.

Each issue should have the following elements:

  • Vulnerability Name

  • CVE

  • CVSS

  • Description of Issue

  • References

  • Remediation Steps

  • Proof of Concept

  • Affected Systems
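As an added example (not code from the original page), the following Python sketches the bookkeeping behind these sections: dropping unverified findings and false positives, mapping CVSS v3.x base scores to the severity ratings that feed the executive summary counts, grouping findings by severity, and checking each finding for the elements listed above. The finding records, host names and CVE value are constructed placeholders.

```python
from collections import Counter, defaultdict

# Per-finding elements required by the Vulnerabilities and Recommendations section.
REQUIRED_FIELDS = ("name", "cve", "cvss", "description", "references",
                   "remediation", "proof_of_concept", "affected_systems")
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "None")

def severity_from_cvss(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    for threshold, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= threshold:
            return label
    return "None"

def missing_fields(finding):
    """Required report elements that are absent or empty in a finding."""
    return [f for f in REQUIRED_FIELDS if not finding.get(f)]

def confirmed(findings):
    """Keep only findings that were manually verified and are not false positives."""
    return [f for f in findings if f.get("verified") and not f.get("false_positive")]

def severity_counts(findings):
    """Counts per severity rating, the data behind the executive summary chart."""
    return dict(Counter(severity_from_cvss(f["cvss"]) for f in findings))

def group_by_severity(findings):
    """Group findings by severity, highest first; within a group, highest CVSS first."""
    groups = defaultdict(list)
    for f in findings:
        groups[severity_from_cvss(f["cvss"])].append(f)
    return {s: sorted(groups[s], key=lambda f: -f["cvss"])
            for s in SEVERITY_ORDER if s in groups}

# Constructed sample findings; hosts, CVE and details are placeholders, not real scan output.
SAMPLE_FINDINGS = [
    {"name": "Remote code execution in web framework", "cve": "CVE-PLACEHOLDER",
     "cvss": 9.8, "verified": True, "description": "Constructed", "references": ["ref"],
     "remediation": "Upgrade.", "proof_of_concept": "Constructed", "affected_systems": ["host-a"]},
    {"name": "Weak TLS cipher suites", "cve": "N/A", "cvss": 5.3, "verified": True,
     "description": "Constructed", "references": ["ref"], "remediation": "Disable weak suites.",
     "proof_of_concept": "Constructed", "affected_systems": ["host-b"]},
    {"name": "Missing HTTP security headers", "cve": "N/A", "cvss": 3.1, "verified": True,
     "description": "Constructed", "references": [], "remediation": "Add headers.",
     "proof_of_concept": "Constructed", "affected_systems": ["host-b"]},
    {"name": "Default credentials (disproved manually)", "cve": "N/A", "cvss": 7.5,
     "verified": True, "false_positive": True},
]
```

Running `missing_fields` over `confirmed(SAMPLE_FINDINGS)` flags the third finding for its empty references list, which is the kind of gap to close before the report goes to the client.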
