6.4 Analyze test output and generate report

  • Remediation
  • Exception handling
  • Ethical disclosure

Once we have received our report (vulnerability scan, audit, penetration test results, etc.) we need to take action.

The audit report will have some of the following parts

  • A summary of the contents

  • Assumptions

    • What did the auditor assume when conducting the audit?  Assumptions are always necessary because the auditor can’t possibly know everything about our system, but assumptions must be reasonable.

    • Are the assumptions accurate?  If they are not, then the audit will not be accurate either.

  • Scope

    • What areas and systems does the audit cover?

    • How was the audit conducted?

    • We should make sure that the audit was thorough enough.

  • Findings

    • What did the auditor discover?

  • Recommendations

    • What does the auditor recommend to correct the deficiencies found in the audit?

    • The auditor might be skilled enough to conduct the audit and identify vulnerabilities, but not skilled enough to determine the best course of action to correct any or all of them.  In other words, you might be smart enough to know that you are sick, but not smart enough to know what medication to take.

    • Thus, we need to determine the best response to each deficiency, and prioritize them according to cost, severity, and need.

  • Appendixes

    • The Appendixes to the report might contain raw data such as outputs from scanning tools.

Once we have reviewed the report, we put together a plan to correct the issues.  We must consider

  • Which vulnerabilities are the most severe?

  • Which vulnerabilities are known by hackers?

  • Which vulnerabilities are we required to correct by law or by contractual obligations?

  • What is the cost of correcting each vulnerability?

  • How much time will it take to correct each vulnerability?

  • Are vulnerabilities present on systems that will be replaced in the near future, or that are not used?

Exceptions

We might make an exception.  Management might decide not to correct the vulnerability.  They might choose to accept the risk if the expected harm from exploitation is less than the cost of correcting the vulnerability.
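The prioritization questions above and the risk-acceptance rule for exceptions can be turned into a simple triage routine.  The following is an added example, not part of this guide or any vendor's tool; the fields, thresholds and sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Added example: triage over the criteria listed above (severity, known
# exploitation, legal/contractual mandate, cost, time, retiring systems)
# plus the exception rule: accept the risk when expected harm < fix cost.

@dataclass
class Finding:
    fid: str
    severity: float        # e.g. CVSS base score, 0.0-10.0
    known_exploited: bool  # attackers are known to exploit this flaw
    mandated: bool         # law or contract requires correction
    fix_cost: float        # cost of correcting, in currency units
    fix_days: int          # time needed to correct
    retiring: bool         # system unused or to be replaced soon
    expected_harm: float   # estimated loss if the flaw is exploited

def decision(f: Finding) -> str:
    """Remediate, or record an exception (accept the risk) with a reason."""
    if f.mandated:
        return "remediate"                   # not optional: required by law/contract
    if f.retiring:
        return "exception: system retiring"  # address in the replacement instead
    if not f.known_exploited and f.expected_harm < f.fix_cost:
        return "exception: risk accepted"    # harm is less than the cost of the fix
    return "remediate"

def priority_key(f: Finding):
    """Mandated first, then actively exploited, then by severity;
    among equals, cheaper and faster fixes first."""
    return (not f.mandated, not f.known_exploited, -f.severity, f.fix_cost, f.fix_days)

def plan(findings):
    """Split findings into an ordered remediation list and an exception list."""
    to_fix = sorted((f for f in findings if decision(f) == "remediate"), key=priority_key)
    exceptions = [(f.fid, decision(f)) for f in findings if decision(f) != "remediate"]
    return [f.fid for f in to_fix], exceptions

# Constructed sample findings (not taken from any real report).
SAMPLE = [
    Finding("F1", 9.8, True,  False, 5000, 3,  False, 200000),
    Finding("F2", 5.0, False, True,  2000, 10, False, 10000),
    Finding("F3", 4.0, False, False, 8000, 20, False, 1500),
    Finding("F4", 7.5, False, False, 3000, 5,  True,  50000),
    Finding("F5", 7.5, False, False, 1000, 2,  False, 30000),
]

if __name__ == "__main__":
    order, exc = plan(SAMPLE)
    print("Remediate in order:", order)   # ['F2', 'F1', 'F5']
    print("Exceptions:", exc)
```

The exception list is what management signs off on; each entry records why the risk was accepted rather than corrected.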

Ethical Disclosure

If we discover a flaw in somebody else’s system, we should report it to them.  And we should do it without the expectation of monetary gain (being paid a bug bounty). 

We should report the flaw to the vendor.  We should give the vendor time to correct the vulnerability and release a patch before reporting our discovery to the public.  This way, hackers won’t have time to exploit the flaw.

There are a few exceptions:

  • We might have a non-disclosure agreement that prevents us from reporting the flaw to the public.

  • We might be dealing with a hostile vendor who refuses to accept our disclosure or take measures to secure its product.

  • We might be required by law to report the flaw to the public or to the government.

  • The disclosure may be necessary to prevent severe harm or death to an individual.  For example, we might detect a flaw in the braking system of a vehicle model.  We might want to tell the public so that they will stop driving the vehicle until a repair is available.