1. Offsec Recommendations

1. Executive summary

1. Big picture
   1. Scope of engagement
   2. What was tested?
   3. Anything dropped from scope?
   4. Timing issues, eg. insufficient testing time
   5. Refer back to scope
2. Time frame of test
   1. Time spent testing
   2. Dates
   3. (Testing hours)
3. Rules of Engagement (ROE)
   1. Refer to referee on the team if any
   2. State the chosen ROE
4. Supporting infrastructure and accoutns
   1. User accounts given
   2. IP addresses used to attack
   3. Note created accounts
      Example:
      

2. Testing summary

• High level overview of each step of engagement
• Includes:
  • Severity
  • Context
  • Worst-case scenario
• Note any trends observed to provide strategic advice
• Mention things done well
• No absolute claims, eg. don't use "impossible"
• Ending with engagement wrap-up
  Example:
  
  
  
  

3. Technical Summary

Structure:

• User and Privilege Management
• Architecture
• Authorization
• Patch Management
• Integrity and Signatures
• Authentication
• Access Control
• Audit, Log Management and Monitoring
• Traffic and Data Encryption
• Security Misconfigurations
  Example:
  
  Finish with risk heat map based on vulnerability severity adjusted to clients context. Consulate with risk management if possible.

4. Technical Findings and Remediation/Recommendation

• Often presented in a table

1. Describe vulnerability.
2. Why is it dangerous?
3. What can be accomplished using it?
4. Technical details about vulnerability.
   1. Basic explanation of vulnerability and how to exploit it
   2. Proof of exploit, eg. appendix with notes and images
5. Remediation
   1. Practical suggestions
   2. Detailed enough for system and application admins
   3. Clear, concise, thorough
      Example:
      

5. Appendices

• List of compromised users
• Affected areas
• Proof-of-concept code blocks
• Technical write-ups
• Further Information
  • Articles that describe vulnerabilities in-depth
  • Remediation standards