Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JJordan
Newcomer I
‎10-29-2017 10:40 AM
‎10-29-2017 10:40 AM

Vulnerability Assessment/Reports

Would anyone out there have a vulnerability assessment/report they could provide to me so I can get a better understanding of what information, format and the length one should contain?

Thank you,
Justin Jordan
Reply
0 Kudos
12 Replies
Anonymous
Not applicable
‎10-29-2017 10:46 AM
‎10-29-2017 10:46 AM

i think maybe you can find a good information in google about it and can find good samples

take a look at this one and you can find many others:

https://www.giac.org/paper/gcux/241/public-servers-vulnerability-assessment-report/101868

Reply
Wvipersg
Newcomer I
‎10-29-2017 11:03 AM
‎10-29-2017 11:03 AM

Honestly there are many formats, but one things to keep in mind is what scoring type you use or want. My advice is to use one that matches what you use in your risk management program. Using government NIST for example then use CVSS model. Many of the main line vulnerability scanning softwares out there allow you to set preferences on reporting and provide different types of report formats, PDF, CSV, and excel as examples . Hope that helps?
Wes D, CISSP
Reply
robinfoprotech
Newcomer I
‎10-29-2017 11:04 AM
‎10-29-2017 11:04 AM

I've found it useful to have a go with one of the scanners as this will give you an actual live report.  Openvas is a free one that you can download and will just require a virtual machine to get started.  GFI Languard and Nessus offer 30 day + evaluations to have a go with a paid product.  The report results differ with the type of device and scan you perform.  What are you wanting to do a report on?

Reply
chuckers
Viewer
‎10-29-2017 11:05 AM
‎10-29-2017 11:05 AM

Appendix K of the NIST Guide for Conducting Risk Assessments provides with a list of potentially all the information that your report should include. The length of the report is dependent on your writing style but should be long enough to cover the requirements that you are seeking to fulfill and with enough detail to show that you know what you are talking about.

Reply
ciphercodes
Viewer II
‎10-29-2017 11:17 AM
‎10-29-2017 11:17 AM

If you are looking for a scan report then these are some the items the report should have.

 

  1. Executive Summary (This should list the findings based off risk rating usually 1-5 - 5 being most severe)
  2. Discovered Assets/Hosts
  3. Open Ports
  4. Threat Summary and Mitigation per host
  5. Differential Report (If you want to compare the report to a previous report)
Reply
BloomingOnion
Viewer
‎10-29-2017 11:59 AM
‎10-29-2017 11:59 AM

You can run one using Qualys on an IP that you own and see the type of information provided. Not sure if you were referring to a completed report with risk assessment. That would depend on risk profile and business as others have eluded.
Reply
Mdevaraj
Newcomer I
‎10-29-2017 12:01 PM
‎10-29-2017 12:01 PM

I am assuming its a VA/PT report , not VA alone . I suggest to refer to some sample reports from EC-Council , OWASP & SANS.org .

 

Please refer to link below .

 

https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

 

 

Thanks 

 

With Regards ,

Mdevaraj

 

 

Reply
Mdevaraj
Newcomer I
‎10-29-2017 12:02 PM
‎10-29-2017 12:02 PM

PT is a next or further step to VA , other way to explain is , VA is the first step to PT . 

Reply
JJordan
Newcomer I
‎10-29-2017 02:46 PM
‎10-29-2017 02:46 PM

Thank you for your help!

Reply
0 Kudos