
Proof of pentest execution, not of vulnerabilities' existence



Hello,

I'm working as a freelance pentester. The company that hired me has to perform annually at least one external and one internal pentest of its web application (they have an e-commerce service). They have to obey a set of compliance rules to ensure that they will keep a certain security maturity level. To keep this level of security maturity, an external audit company has to identify and verify that these pentests were executed. Note that this means that the external audit company does not have to know which vulnerabilities were found, but they have to be sure that tests were made.
Pentest reports that I found on the internet (from SANS, Offensive Security, PCI) and that I used in my previous work do not serve this purpose. I say this because they have descriptions of vulnerabilities and detailed evidence of their existence (with screenshots, network captures) to prove that they exist. Note that these types of reports are not what I need to generate, since I just need to generate a document proving that I executed the pentest.
Would you have any suggestions for me to generate this new kind of document? Is there any auditing tool that could be used for this end? Would you suggest another approach?

What about giving some non-consequential information about the internal systems of the customer, masking the IP addresses and other sensitive information? The point is to demonstrate that you know something you should not have been able to obtain without having penetrated their system, without disclosing any detail in the process and also without disclosing how you obtained this information.

Sounds reasonable enough?



This is old enough that the issue has probably passed, but Cooper is right. Ask them what evidence they are expecting. No-one is going to expect you to release potentially sensitive information about the company (that is up to them to release or not) so your evidence will likely be in the form of a signature or confirmation of test on letter header paper.



If this is a large test then SecurityCenter (Tenable's Nessus big brother) has around 400 templates that are adequate for any company. Otherwise, if this is a smaller test, then document using Word and md hash evidence. I hope this helps. If it's forensic, then EnCase is a tad overkill for audit.



This is an extremely common request among companies who hire a third-party penetration tester. What they are asking for is called a Letter of Attestation, also sometimes referred to as a customer summary letter.

It is usually no more than a one-page document on the letterhead of the company or individual performing the penetration testing. It usually says something like:

----------------

Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance. Our testing activities were conducted between date 1 and date 2, blah blah blah. We adhered to the following approved testing methodology:

- hyperlink to some pentest standard and/or framework

During the testing, Organization Y concluded that Company XYZ has implemented adequate security controls to protect against commonly exploited vulnerabilities, including:

* bullet list of OWASP Top 10 or something...

----------

You get the idea; it's just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest.

Hope that helps.

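The two replies above (hash the evidence, and hand over a one-page Letter of Attestation) can be combined into a record that proves a test happened without disclosing findings. The following is an added example written for this thread, not code posted by anyone in it: it builds an attestation record containing the client, tester, test window, methodology link and a manifest of SHA-256 hashes of the tester's evidence files, masks IPv4 addresses in the scope notes the way Cooper suggested, and seals the record with an HMAC. The auditor sees only the hashes, so the raw screenshots and captures stay with the tester and can be produced later to match the manifest if ever challenged. All names, dates, URLs, evidence bytes and the signing key are constructed placeholders; the HMAC is a stand-in for a proper digital signature (the tester's signing key or a signed PDF on letterhead), chosen so the example runs with the standard library only.

```python
import datetime as dt
import hashlib
import hmac
import json
import re

# Matches dotted-quad IPv4 addresses; we keep the first octet so the auditor
# can still see which network range was in scope, but not the exact host.
IPV4_RE = re.compile(r"\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def mask_ipv4(text: str) -> str:
    """Replace every IPv4 address in `text` with first-octet-only form, e.g. 192.xxx.xxx.xxx."""
    return IPV4_RE.sub(lambda m: f"{m.group(1)}.xxx.xxx.xxx", text)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Sorted keys and fixed separators, so the same record always serializes identically
    # and the HMAC over it is reproducible by the verifier.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_attestation(client, tester, start, end, methodology_url, scope_notes, evidence, signing_key):
    """Return a sealed attestation record. `evidence` maps file name -> raw bytes; only hashes are recorded."""
    manifest = {
        name: {"sha256": sha256_hex(data), "bytes": len(data)}
        for name, data in sorted(evidence.items())
    }
    body = {
        "client": client,
        "tester": tester,
        "test_window": {"start": start.isoformat(), "end": end.isoformat()},
        "methodology": methodology_url,
        "scope": [mask_ipv4(note) for note in scope_notes],
        "evidence_manifest": manifest,
    }
    seal = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return {"attestation": body, "hmac_sha256": seal}


def verify_attestation(record, signing_key) -> bool:
    """True if the record body has not been altered since it was sealed with `signing_key`."""
    expected = hmac.new(signing_key, canonical(record["attestation"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])


def verify_evidence(record, name, data: bytes) -> bool:
    """True if `data` is the file the manifest committed to under `name` (for later selective disclosure)."""
    entry = record["attestation"]["evidence_manifest"].get(name)
    return entry is not None and hmac.compare_digest(entry["sha256"], sha256_hex(data))


# Constructed sample inputs for the demo (not real scan output or a real key).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_EVIDENCE = {
    "nmap-external.xml": b"<nmaprun>constructed sample scan output</nmaprun>",
    "burp-session.log": b"constructed sample proxy log\n",
}


def demo():
    return build_attestation(
        client="Company XYZ",
        tester="Organization Y",
        start=dt.date(2016, 4, 1),
        end=dt.date(2016, 4, 8),
        methodology_url="https://example.invalid/methodology",  # placeholder for the real standard's URL
        scope_notes=[
            "External web tier 203.0.113.10 and 203.0.113.11",
            "Internal application server 10.20.30.40",
        ],
        evidence=SAMPLE_EVIDENCE,
        signing_key=SAMPLE_KEY,
    )


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    print("seal valid:", verify_attestation(rec, SAMPLE_KEY))
```

The record is what goes to the auditor alongside the letter; the evidence files never leave the tester. Because the scope lines are masked before sealing, even the sealed text contains no full internal addresses, and any later edit to the window, scope or manifest breaks the seal.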

On 04/10/2016 at 0:53 PM, pentestgeek said:

This is an extremely common request among companies who hire a third party penetration tester.  What they are asking for is called a Letter of Attestation also sometimes referred to as a customer summary letter.

[...]

Couldn't have said it better myself.
