- Mutual NDA: A Non-Disclosure Agreement (NDA) signed by both parties to protect confidential information.
- Master Service Agreement (MSA): Outlines the performance objectives and responsibilities of each party. For reference, see an example here.
- Statement of Work (SOW): Details the specific activities, deliverables, deadlines, and budget for the project.
- Other Documents: This may include sample reports, recommendation letters, and other related materials.
- Rules of Engagement (RoE): Defines the specifics of the testing (e.g., IP ranges) and outlines what you are permitted and not permitted to do, such as prohibiting social engineering or denial-of-service (DoS) attacks. This document is crucial for liability protection.
- Findings Report: A comprehensive report that includes both high-level summaries and detailed technical findings of the security assessment.
Example Report: Demo Company - Security Assessment Findings Report
-
Disclaimer: Clarify that the report represents a snapshot in time, focusing on what was targeted during the limited assessment period.
-
Overview: Provide an overview of the various phases of the assessment, outlining the approach and methodology used.
-
Finding Severity Ratings: Classify findings based on their severity, ranging from informational to critical.
-
Define Scope and Exclusions: Clearly define the scope of the assessment, including any scope exclusions.
-
Executive Summary: Tailored for C-level executives, this section should include actionable recommendations. Highlight both security strengths (give kudos where due) and weaknesses. Include a graph illustrating vulnerabilities by their impact.
-
Technical Findings:
- Description: Detailed explanation of each finding.
- Severity Level: Specify the severity level of each finding.
- NIST References: Include references to National Institute of Standards and Technology guidelines for compliance.
- Exploitation Proof of Concept: Provide proof of concept for exploitation, including screenshots.
- Remediation Table: Include a table specifying who should remediate each issue, the attack vector used, and how to address the issue, with a detailed list of remediation steps.
-
Additional Scans: Attach extra scans as spreadsheets or PDFs. If there are numerous critical vulnerabilities, focus on them and leave moderate and low-priority issues for future assessments. This allows the client to address the most urgent vulnerabilities first and revisit less critical ones later.
Example Report: TCMS - Demo Corp - Findings Report - Example 2
- Bigger Assessment: This report covers a more extensive assessment (10 days, 5000 IPs), making it significantly more detailed and comprehensive.
- Tester Notes and Recommendations: Includes patterns observed during the assessment, along with specific recommendations from the tester.
- Key Strengths and Weaknesses: Highlights the main strengths and weaknesses identified at a high level.
- Vulnerability Summary & Report Card: A summarized section that lists each finding, its severity, and the associated recommendations.
- Technical Findings: Focuses on issues like weak password policies, outdated software, and end-of-life hardware. It lists all critical vulnerabilities related to the outdated infrastructure, emphasizing the importance of updates. Ensure that you provide clean screenshots with borders and reverse colors so that the background is light, making them easier to read and interpret.