Hak5 Forums
pfpentester

Proof of pentest execution, not of vulnerabilities' existence


Hello,

I'm working as a freelance pentester. The company that hired me has to perform annually at least one external and one internal pentest of its web application (they have an e-commerce service). They have to obey a set of compliance rules to ensure that they will keep a certain security maturity level. To keep this level of security maturity, an external audit company has to identify and verify whether these pentests were executed. Note that this means that the external audit company does not have to know which vulnerabilities were found, but they have to be sure that the tests were made.
The pentest reports that I found on the internet (from SANS, Offensive Security, PCI) and that I used in my previous work do not serve this purpose. I say this because they contain descriptions of vulnerabilities and detailed evidence of their existence (with screenshots and network captures) to prove it. Note that these types of reports are not what I need to generate, since I just need to generate a document proving that I executed the pentest.
Would you have any suggestions for how to generate this new kind of document? Is there any auditing tool that could be used for this end? Would you suggest another approach?
i8igmac   

I'm no pentester but a hobbyist... A lot of tools have an XML document output format. Log all output to at least a text file if other options like XML are not available...

I guess start with nmap output options and go from there...

cooper   

I would just ask what it is they want in terms of proof. Your signature should suffice....

simonec   

What about giving some non-consequential information about the internal systems of the customer, masking the IP addresses and other sensitive information? The point is to demonstrate that you know something you should not have been able to obtain without having penetrated their system, without disclosing any detail in the process and also without disclosing how you obtained this information.

Sounds reasonable enough?

Dec100   

This is old enough that the issue has probably passed, but Cooper is right. Ask them what evidence they are expecting. No one is going to expect you to release potentially sensitive information about the company (that is up to them to release or not), so your evidence will likely be in the form of a signature or confirmation of test on letterhead paper.

Zen   

If this is a large test then Security Center (Tenable's Nessus big brother) has around 400 templates that are adequate for any company. Otherwise, if this is a smaller test, then document using Word and MD5-hash the evidence. I hope this helps. If it's forensic then EnCase, though a tad overkill for an audit.

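Putting i8igmac's suggestion (log every tool's output to a file) and Zen's (hash the evidence) together, here is an added POSIX shell example that is not from any poster in this thread: a wrapper that records each test command's output, UTC start and end time and exit status in an evidence directory, then writes a SHA-256 manifest over that directory and can re-verify it later. The directory name, the run.log and MANIFEST.sha256 file names and the placeholder command are assumptions; on a real engagement the scanner invocations themselves would be wrapped.

```shell
#!/bin/sh
# Added example (not from the thread): capture proof that test commands ran,
# then seal the artefacts with a SHA-256 manifest. All names are assumptions.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"   # assumed location of artefacts

# Portable SHA-256 (GNU coreutils sha256sum, or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_logged <label> <command> [args...]
# Runs the command with stdout+stderr redirected to <label>.log and appends
# label, UTC start, UTC end, exit status and the command line to run.log.
# Returns the wrapped command's exit status so failures stay visible.
run_logged() {
    label="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    status=0
    "$@" > "$EVIDENCE_DIR/$label.log" 2>&1 || status=$?
    end="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\t%s\t%s\t%s\t%s\n' "$label" "$start" "$end" "$status" "$*" \
        >> "$EVIDENCE_DIR/run.log"
    return "$status"
}

# write_manifest
# Hashes every regular file in the evidence directory (except the manifest
# itself) into MANIFEST.sha256 and prints how many files were covered.
write_manifest() {
    manifest="$EVIDENCE_DIR/MANIFEST.sha256"
    : > "$manifest"
    count=0
    for f in "$EVIDENCE_DIR"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$manifest" ] && continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
        count=$((count + 1))
    done
    echo "$count"
}

# verify_manifest
# Recomputes every hash in MANIFEST.sha256; prints OK/FAIL per file and
# returns non-zero if any artefact is missing or has changed.
verify_manifest() {
    manifest="$EVIDENCE_DIR/MANIFEST.sha256"
    rc=0
    while read -r expected name; do
        if [ -f "$EVIDENCE_DIR/$name" ] &&
           [ "$(sha256_of "$EVIDENCE_DIR/$name")" = "$expected" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name"
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Stand-alone demonstration with a constructed placeholder command. A real
# engagement would wrap the scanner itself, for example:
#   run_logged external-nmap nmap -sV -oA "$EVIDENCE_DIR/external-nmap" shop.example
run_logged demo-check sh -c 'echo "constructed placeholder for tool output"'
write_manifest >/dev/null
verify_manifest
```

The tester keeps the raw artefacts (which may contain the customer's sensitive data) and hands the auditor only the manifest, or its hash, alongside the attestation letter; the auditor can later confirm that the artefacts existed unchanged at attestation time without ever seeing their contents.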
pentestgeek   
This is an extremely common request among companies who hire a third-party penetration tester. What they are asking for is called a Letter of Attestation, also sometimes referred to as a customer summary letter.

It is usually no more than a one-page document on the letterhead of the company or individual performing the penetration testing. It usually says something like:

----------------

Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance. Our testing activities were conducted between date 1 and date 2 blah blah blah.. We adhered to the following approved testing methodology:

- hyperlink to some pentest standard and/or framework

During the testing Organization Y concluded that company XYZ has implemented adequate security controls to protect against commonly exploited vulnerabilities, including:

* bullet list of OWASP Top 10 or something...

----------

You get the idea, it's just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest.

Hope that helps.

Primz   
On 04/10/2016 at 0:53 PM, pentestgeek said:


Couldn't have said it better myself.

digip   

[image]
