JJordan
Newcomer I

Vulnerability Assessment/Reports

Would anyone out there have a vulnerability assessment/report they could provide to me so I can get a better understanding of what information, format and the length one should contain?

Thank you,
Justin Jordan
12 Replies
Anonymous
Not applicable

I think you can find good information about it on Google, and you can find good samples.

Take a look at this one, and you can find many others:

https://www.giac.org/paper/gcux/241/public-servers-vulnerability-assessment-report/101868

Wvipersg
Newcomer I

Honestly, there are many formats, but one thing to keep in mind is what scoring type you use or want. My advice is to use one that matches what you use in your risk management program. If you use government NIST, for example, then use the CVSS model. Many of the mainline vulnerability scanning software packages out there allow you to set preferences on reporting and provide different report formats, PDF, CSV and Excel for example. Hope that helps?
Wes D, CISSP
robinfoprotech
Newcomer I

I've found it useful to have a go with one of the scanners, as this will give you an actual live report. OpenVAS is a free one that you can download and will just require a virtual machine to get started. GFI LanGuard and Nessus offer 30-day-plus evaluations to have a go with a paid product. The report results differ with the type of device and scan you perform. What are you wanting to do a report on?

chuckers
Viewer

Appendix K of the NIST Guide for Conducting Risk Assessments provides a list of potentially all the information that your report should include. The length of the report is dependent on your writing style, but it should be long enough to cover the requirements that you are seeking to fulfill and have enough detail to show that you know what you are talking about.

ciphercodes
Viewer II

If you are looking for a scan report, then these are some of the items the report should have.

  1. Executive Summary (This should list the findings based on a risk rating, usually 1-5, with 5 being the most severe)
  2. Discovered Assets/Hosts
  3. Open Ports
  4. Threat Summary and Mitigation per host
  5. Differential Report (If you want to compare the report to a previous report)
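As an added illustration of the sections listed in the post above (this is example code written for this thread, not something from the original poster or from any scanner vendor), the script below builds a minimal text report from a scanner's CSV export: an executive summary bucketed by CVSS v3.x qualitative rating (used here in place of the 1-5 scale mentioned above), discovered hosts and their open ports, findings per host sorted by severity, and a differential against the previous scan. The two CSV exports, the hosts, plugin IDs and finding names are all constructed for the example; the column layout only mimics the one-finding-per-row CSV that most scanners can export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample scanner exports for this example (not output of any real scanner).
# One finding per row; "plugin_id" stands in for whatever check identifier a scanner uses.
PREVIOUS_SCAN = """host,port,protocol,plugin_id,name,cvss
10.0.0.5,21,tcp,1006,FTP transmits credentials in cleartext,5.0
10.0.0.5,22,tcp,1001,SSH server offers weak MAC algorithms,2.6
10.0.0.5,443,tcp,1002,TLS certificate chain cannot be trusted,6.5
10.0.0.7,445,tcp,1003,SMB signing not required,5.3
"""

CURRENT_SCAN = """host,port,protocol,plugin_id,name,cvss
10.0.0.5,22,tcp,1001,SSH server offers weak MAC algorithms,2.6
10.0.0.5,443,tcp,1002,TLS certificate chain cannot be trusted,6.5
10.0.0.7,445,tcp,1003,SMB signing not required,5.3
10.0.0.7,3389,tcp,1004,RDP without Network Level Authentication,4.3
10.0.0.9,80,tcp,1005,Web server version with known remote code execution,9.8
"""

# CVSS v3.x qualitative severity bands, in the order the executive summary lists them.
RATINGS = ("Critical", "High", "Medium", "Low", "Informational")


def cvss_to_rating(score):
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


def parse_scan(text):
    """Parse a CSV export into finding dicts; the CVSS column becomes a float plus a rating."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        row["rating"] = cvss_to_rating(row["cvss"])
        findings.append(row)
    return findings


def executive_summary(findings):
    """Finding counts per rating, most severe first (section 1)."""
    counts = {r: 0 for r in RATINGS}
    for f in findings:
        counts[f["rating"]] += 1
    return counts


def open_ports(findings):
    """Discovered hosts and the listening services seen on each (sections 2 and 3)."""
    ports = defaultdict(set)
    for f in findings:
        ports[f["host"]].add(f"{f['port']}/{f['protocol']}")
    return {h: sorted(p, key=lambda s: int(s.split("/")[0])) for h, p in sorted(ports.items())}


def findings_by_host(findings):
    """Per-host finding lists, highest CVSS first (section 4)."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    return {h: sorted(fs, key=lambda f: -f["cvss"]) for h, fs in sorted(by_host.items())}


def differential(previous, current):
    """Findings new since the last scan and findings no longer seen (section 5).
    A finding is identified by (host, port, plugin_id) so a fix on one port is not masked
    by the same check firing elsewhere."""
    prev_keys = {(f["host"], f["port"], f["plugin_id"]) for f in previous}
    cur_keys = {(f["host"], f["port"], f["plugin_id"]) for f in current}
    return {"new": sorted(cur_keys - prev_keys), "fixed": sorted(prev_keys - cur_keys)}


def render_report(previous_text, current_text):
    """Assemble the five sections as plain text."""
    previous, current = parse_scan(previous_text), parse_scan(current_text)
    lines = ["1. Executive Summary"]
    lines += [f"   {r}: {n}" for r, n in executive_summary(current).items()]
    lines.append("2./3. Discovered Assets and Open Ports")
    lines += [f"   {h}: {', '.join(p)}" for h, p in open_ports(current).items()]
    lines.append("4. Threat Summary per Host")
    for host, fs in findings_by_host(current).items():
        lines += [f"   {host} {f['port']}/{f['protocol']} [{f['rating']} {f['cvss']}] {f['name']}" for f in fs]
    d = differential(previous, current)
    lines.append("5. Differential vs previous scan")
    lines.append(f"   new: {len(d['new'])}, fixed: {len(d['fixed'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(PREVIOUS_SCAN, CURRENT_SCAN))
```

Rating bands are the CVSS v3.x qualitative scale (Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9); if the risk management program uses a 1-5 scale instead, only `cvss_to_rating` and `RATINGS` need to change. The differential keys on host, port and check identifier rather than on finding name, so a check that stops firing on one host but starts on another shows up as one fixed and one new item instead of cancelling out.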
BloomingOnion
Viewer

You can run one using Qualys on an IP that you own and see the type of information provided. Not sure if you were referring to a completed report with a risk assessment. That would depend on the risk profile and business, as others have alluded to.
Mdevaraj
Newcomer I

I am assuming it's a VA/PT report, not VA alone. I suggest referring to some sample reports from EC-Council, OWASP and SANS.org.

Please refer to the link below.

https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

Thanks,

With regards,

Mdevaraj

Mdevaraj
Newcomer I

PT is the next or a further step after VA; another way to explain it is that VA is the first step toward PT.

JJordan
Newcomer I

Thank you for your help!