How to write a vulnerability report
Reporting is the most important part of the vulnerability assessment process. A vulnerability assessment aims to help the customer understand what potential vulnerabilities potentially exist within their environment and how to address these issues. Even the best vulnerability assessment is of little or no use if the customer can’t understand the results and use them to correct the identity’s weaknesses.
Despite its importance, reporting is often the least-liked part of the vulnerability assessment process. However, to provide high-quality vulnerability assessment services and get repeat business from customers, you need to know how to write a good vulnerability report.
Who am I writing for?
Understanding your audience is an essential part of writing a good vulnerability report. If your customers had your knowledge and skillsets, then the odds are that they wouldn’t be hiring you to perform a vulnerability assessment for them.
A vulnerability report needs to be designed to meet the needs of a few different audiences. You need to write for the executives paying the bills and trying to justify the expense of the assessment. They’re likely non-technical and want to know if their company is secure and that their money was well-spent.
Another big audience is the IT team responsible for fixing the problems you find. While the big picture can be helpful for them, they need the fine-grain details of exactly what has gone wrong and how they can fix the problem.
A report may also have other audiences. For example, a company may undergo a vulnerability assessment for regulatory compliance that they will share with regulators or auditors. A report written for executives and the IT team will likely meet their needs, but they might appreciate a quick listing of the findings that aren’t buried in technical details.
What should a vulnerability report include?
A vulnerability report has several potential audiences that all have different needs and levels of technical knowledge. A good vulnerability report should address all of these needs and should contain several key sections, including:
- Executive summary: the executive summary provides a high-level overview of the assessment for non-technical executives. The goal of this summary should be to help executives gauge their current security posture and highlight any critical issues that might impact corporate cybersecurity or regulatory compliance.
- Overview: the overview section should be geared towards a more technical audience but still provide a high-level assessment summary. For example, it can contain information about the systems scanned, tools used, and the number and severity of discovered vulnerabilities.
- Details: This report section should provide in-depth technical detail about how the vulnerability assessment was performed. This section should build on the overview by describing the exact steps performed at each assessment stage and their results. A reader should be able to replicate the assessment findings from this section.
- Findings: this section of the report provides more details about the assessment findings. Vulnerabilities may be ranked by severity to draw attention to the biggest issues within an organization’s environment. For each potential vulnerability checked, this section should describe the result, affected system(s), severity level, and provide a link to additional information such as a CVE.
- Recommended mitigations: the goal of a vulnerability assessment is to help an organization move towards a better security posture, so providing recommended mitigations can be helpful. In many cases, this can be as simple as recommending an update to the software, a stronger password on a system, or a change to an insecure security setting.
A vulnerability report should contain this key information, including other sections or organizing it differently. Some organizations, such as PurpleSec and PivotPoint Security, have published sample vulnerability reports that show how the results from their assessments are structured within a report.
Writing a vulnerability report
Report writing is not the most fun part of the vulnerability assessment process, but it is arguably the most important. If you can’t clearly describe to the client what vulnerabilities exist on their systems and the risks they pose to their security, they can’t or won’t bother to fix them. A vulnerability assessment that doesn’t result in the vulnerabilities being fixed is one that’s wasted.
Another important reason to write a good vulnerability report is for marketing. Vulnerability assessments provide a snapshot of an organization’s security posture at a certain point in time, meaning that there is a significant opportunity for repeat business or referrals. A professional, easy-to-read, informative report that makes a customer feel like they got their money’s worth is much more likely to generate repeat business than one that shows minimal effort and provides little or no benefit to the company. A well-written report can be valuable for more than just the customer.