1. Reporting
- A strong report consists of the following sections:
1) Executive Summary
- It is intended to be readable by an executive who needs a high-level overview of the findings and which items are the most important to fix immediately, based on their severity.
- You can also include a graphical view of the number of vulnerabilities broken down by severity here.
2) Overview of Assessment
- This section should include any methodology leveraged during the assessment.
3) Scope and Duration
- This should include everything the client authorized for the assessment, including the target scope and the testing period.
4) Vulnerabilities and Recommendations
- This should detail the findings discovered during the assessment once you've eliminated any false positives by manually testing them.
- It is best to group findings that relate to each other based on the type of issue or their severity.
- Each issue should have the following elements:
(1) Vulnerability Name
(2) CVE
(3) CVSS
(4) Description of Issue
(5) References
(6) Remediation Steps
(7) Proof of Concept
(8) Affected Systems
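As an added example (not part of these notes), a small Python model of one finding carrying the eight elements above: it derives the qualitative severity from the CVSS v3 base score, drops findings that were not verified by manual re-testing, groups the rest for the Vulnerabilities section and produces the per-severity counts behind the executive-summary chart. The field names, the `verified` flag and the rating thresholds (the CVSS v3.x qualitative scale, with a 0.0 score shown as Informational) are my assumptions, not something the notes prescribe.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]

def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale; a 0.0 base score is reported as Informational (assumption)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "Informational"

@dataclass
class Finding:
    name: str                    # (1) Vulnerability Name
    cvss: float                  # (3) CVSS v3 base score
    description: str             # (4) Description of Issue
    remediation: str             # (6) Remediation Steps
    proof_of_concept: str        # (7) Proof of Concept (evidence captured during testing)
    affected_systems: List[str]  # (8) Affected Systems
    cve: Optional[str] = None    # (2) CVE, None when no identifier has been assigned
    references: List[str] = field(default_factory=list)  # (5) References
    verified: bool = False       # True only after manual re-testing rules out a false positive

    @property
    def severity(self) -> str:
        return cvss_to_severity(self.cvss)

def missing_elements(f: Finding) -> List[str]:
    """Required elements left blank, so an incomplete finding is caught before the report ships."""
    missing = [a for a in ("name", "description", "remediation", "proof_of_concept")
               if not getattr(f, a).strip()]
    if not f.affected_systems:
        missing.append("affected_systems")
    return missing

def group_by_severity(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Section 4 ordering: verified findings only, most severe group first, highest CVSS first within a group."""
    grouped: Dict[str, List[Finding]] = {sev: [] for sev in SEVERITY_ORDER}
    for f in sorted(findings, key=lambda x: -x.cvss):
        if f.verified:
            grouped[f.severity].append(f)
    return {sev: fs for sev, fs in grouped.items() if fs}

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-severity totals behind the Executive Summary chart (verified findings only)."""
    return dict(Counter(f.severity for f in findings if f.verified))
```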