At Crossroads, we consider the Delivery and Reporting phase to be the most important, and we take great care to ensure we've communicated the value of our service and findings thoroughly. The deliverable is an electronic report whose key components include, but are not limited to: Executive Summary, Scope, Findings, Evidence, Tools, and Methodology.
Findings are communicated in a stakeholder meeting, typically presented in person or virtually via WebEx, whichever medium is most conducive to communicating results effectively. During this time, Crossroads security engineers will walk through the report in detail to ensure all findings and their corresponding description, risk rating, impact, likelihood, evidence, and remediation steps are thoroughly understood. While this typically involves a single meeting, there is no limit on the number of meetings. The underlying goal is that all information is clearly understood and that the roadmap toward remediation / mitigation is crystal clear.
Some of the key components of our web application penetration test deliverable include:
· Control Framework (e.g., OWASP, PCI, PTES, OSSTMM)
· Executive Summary Narrative
· Technical Summary Narrative
· Report Summary Graphs
· Summary of Findings
· Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
· Methodology and Approach
· Risk Rating Factors