pfpentester Posted January 22, 2016 Hello, I'm working as a freelance pentester. The company that hired me has to perform annually at least one external and one internal pentest of its web application (they have an e-commerce service). They have to obey a set of compliance rules to ensure that they will keep a security maturity level. To keep this level of security maturity, an external audit company has to identify and verify that these pentests were executed. Note that this means that the external audit company does not have to know which vulnerabilities were found, but they have to be sure that tests were made. Pentest reports that I found on the internet (from SANS, Offensive Security, PCI) and that I used in my previous work do not serve this purpose. I say this because they have descriptions of vulnerabilities and detailed evidence of their existence (with screenshots, network captures) to prove their existence. Note that these types of reports are not what I need to generate, since I just need to generate a document proving that I executed the pentest. Would you have any suggestions for me to generate this new kind of document? Is there any auditing tool that could be used for this end? Would you suggest another approach?
i8igmac Posted January 22, 2016 I'm no pentester, but a hobbyist... a lot of tools have an XML document output format... log all output to at least a text file if other options like XML are not available... I guess start with nmap output options and go from there...
cooper Posted January 25, 2016 I would just ask what it is they want in terms of proof. Your signature should suffice....
simonec Posted January 28, 2016 What about giving some non-consequential information about the internal systems of the customer, masking the IP addresses and other sensitive information? The point is to demonstrate that you know something you should not have been able to obtain without having penetrated their system, without disclosing any detail in the process and also without disclosing how you did obtain this information. Sounds reasonable enough?
Laststand Posted February 16, 2016 You could ask the company to provide the activity from their SIEM (if they employ one) showing the penetration attempts.
Dec100 Posted February 19, 2016 This is old enough that the issue has probably passed, but Cooper is right. Ask them what evidence they are expecting. No-one is going to expect you to release potentially sensitive information about the company (that is up to them to release or not), so your evidence will likely be in the form of a signature or confirmation of test on letterhead paper.
Zen Posted March 12, 2016 If this is a large test then Security Center (Tenable's Nessus big brother) has around 400 templates that are adequate for any company. Otherwise, if this is a smaller test then document using Word and md hash evidence. I hope this helps. If it's forensic then EnCase is a tad overkill for audit.
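An added example, not Zen's or the thread's own code, of what "hash evidence" looks like in practice: a small Python manifest builder that records a SHA-256 per evidence file plus one fingerprint over the whole manifest, so an attestation letter can cite a single digest and an auditor can later check that the evidence set was not altered or trimmed, without the files themselves ever leaving the tester. The file names, tester name and engagement label in the sample are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence, standing in for scan logs and captures on disk.
SAMPLE_EVIDENCE = {
    "nmap_external.xml": b"<nmaprun scanner=\"nmap\"/>\n",
    "burp_session.log": b"GET / HTTP/1.1\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(evidence: dict, tester: str, engagement: str) -> dict:
    """One SHA-256 and size per evidence file plus metadata; contents stay private."""
    entries = {name: {"sha256": sha256_hex(data), "bytes": len(data)}
               for name, data in sorted(evidence.items())}
    return {"engagement": engagement, "tester": tester,
            "generated": datetime.now(timezone.utc).isoformat(),
            "files": entries}

def manifest_fingerprint(manifest: dict) -> str:
    """Single digest over the canonical (sorted, compact) JSON; the letter cites this."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)

def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Names that were modified, added, or removed since the manifest was made."""
    problems = []
    for name, data in evidence.items():
        expected = manifest["files"].get(name)
        if expected is None or expected["sha256"] != sha256_hex(data):
            problems.append(name)
    for name in manifest["files"]:
        if name not in evidence:
            problems.append(name)
    return sorted(problems)

def load_evidence_dir(directory: str) -> dict:
    """Read real evidence files from a directory into the same {name: bytes} shape."""
    return {p.name: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}

if __name__ == "__main__":
    m = build_manifest(SAMPLE_EVIDENCE, "pfpentester", "ACME external test 2016")
    print(json.dumps(m, indent=2))
    print("fingerprint:", manifest_fingerprint(m))
    print("problems:", verify_manifest(m, SAMPLE_EVIDENCE))
```

Keep the manifest (or just its fingerprint) with the signed letter; the hashes reveal nothing about findings but pin the evidence set to the engagement dates.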
pentestgeek Posted October 4, 2016 This is an extremely common request among companies who hire a third party penetration tester. What they are asking for is called a Letter of Attestation, also sometimes referred to as a customer summary letter. It is usually no more than a one page document on the letterhead of the company or individual performing the penetration testing. It usually says something like:

----------------

Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance. Our testing activities were conducted between date 1 and date 2 blah blah blah..

We adhered to the following approved testing methodology - hyperlink to some pentest standard and/or framework

During the testing Organization Y concluded that Company XYZ has implemented adequate security controls to protect against commonly exploited vulnerabilities including:

* bullet list of OWASP Top 10 or something...

----------

You get the idea, it's just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest. Hope that helps.
Primz Posted May 31, 2017 On 04/10/2016 at 0:53 PM, pentestgeek said: This is an extremely common request among companies who hire a third party penetration tester. What they are asking for is called a Letter of Attestation, also sometimes referred to as a customer summary letter. [...] Couldn't have said it better myself.
digip Posted May 31, 2017
Dave-ee Jones Posted June 1, 2017 10 hours ago, digip said: Classic.