I do not profess to have the absolute grasp on the English language but I was schooled and I use tools to review my grammar and spelling. I try to not use run-on sentences and keep my inherent verbosity to a minimum while sticking to the main points. Let’s get this out of the way first. I am not the best at it but when I read CNN articles with blatant spelling and other errors I have to laugh. This causes me to try harder when I reach out to the IT penetration testing community and when I write my own reports!
- As one mentor of mine once told me, “Tell them what you are going to say, tell them, and then tell them what you said”. Our attention span is somewhat governed by the time between TV commercials, unfortunately.
- Speak to the audience at hand.
- If there are going to be multiple audiences then speak to the non-technical folks first, midlevel IT folks and then the in-the-trenches engineers, testers, developers and the like last.
- Formatting is very important. How does it read in DOC format if you have exported it from WordPad, Google Drive > Docs, OpenOffice or LibreOffice Writer?
- Do you employ really nice looking charts that show the prioritization and severity of the issues found?
- Does your introductory statement make clear the scope, breadth and span of the security test, along with pertinent details, so that a company who is focused on making money does not just have margins in the forefront of their minds? That they build security into their work as an intrinsic part of their development process?
Here are some suggestions before issuing a report:
- Run a couple of spell checks on it.
- Run a grammar spell check on it.
- Drive the key points home. A “Highlights of Findings” might be a good idea after the “Summary” section.
- Bullet point the findings. Be sure to include the URL or IP address involved.
- Be sure to include the steps to reproduce, if necessary.
- We can say, yes, TRACE and TRACK are turned on, but we need to say a lot more about other vulnerabilities. An example is this: why move to TLS from SSL? Nice acronyms but what do they represent?
- Include a high-quality image of your company’s logo, not just something copied and pasted off the internet.
- Include a high-quality image of the client to which you are issuing the report.
- Include a concise conclusion to the report that, again, highlights the major issues.
- Include a comprehensive addendum that may include common vulnerabilities and exposures (CVE) references.
- Include raw data that shows exactly what steps were taken to cause this possible/probable/likely/actual infiltration,
When the report is generated check it twice or thrice to ensure that it can be opened in Micorosft Word, OpenOffice, LibreOffice and other tools that generate rtf, doc, docx or other formats. If you save it in PDF, open it and review it carefully. Formatting can be skewed and nothing should detract from your hard work in producing penetration results in 2015; a year where we all need to brace for increased unethical hacking activity.
Again, I am not a professional novelist nor am I Hemingway. But I do know a polished report when I see one and I can appreciate the effort and elbow grease that has gone into it to get results and producing reports that can benefit the client. The client just needs to be able to digest the findings in a meaningful and logical manner.
And. Then. Fix. (Hemingway would likely not have liked the previous sentences).
I hope this helps!