Join Mike Chapple for an in-depth discussion in this video Report scan results, part of CompTIA CySA+ (CS0-002) Cert Prep: 2 Vulnerability Management.
- [Instructor] Vulnerability scans can only be useful if you communicate the results of those scans to people who actually have the ability to resolve the vulnerabilities that the scan detected. That's where reporting comes into play. The most important thing that you should consider when planning vulnerability scan communication is your target audience. It's likely that you'll want to share the results of scans with several different groups of people. For example, the cybersecurity team is probably interested in the nitty-gritty of scan results. They want details about the systems affected, the specific vulnerabilities uncovered, and remediation steps. Management, on the other hand, is probably less interested in the technical detail and more interested in tracking the highest risk vulnerabilities, and monitoring trends over time. They'll want to be able to answer questions like, "Have we addressed our most serious issues?" And, "How long is it taking us on average "to resolve the most important vulnerabilities?" System and network engineers will also be very interested in scan results, because they bear responsibility for maintaining the security of the devices that were scanned. Engineers are the people in the best position to remediate vulnerabilities, and they'll want information tailored to that purpose. Engineers will generally have a specific scope of interest. They only really care about the devices that they manage, and they'll want specific details on how to fix the issue. Application developers will also be quite interested in scan results, but again, with a limited scope. They'll want to know about vulnerabilities in their applications, such as SQL injection or cross-site scripting. The type of detail that a developer wants will also differ from other groups. They want to know where in the code the vulnerability resides. For example, if you have a SQL injection vulnerability, a developer is going to want to know what web application has the vulnerability, and specifically, which variable is at issue. Better yet, provide them with an example of a specific exploit against their code. Vulnerability scanners make reporting for all of these different audiences easy by providing reporting templates that cater to different groups. Let's take a look at few examples. Here's a report that might be of interest to a system engineer. It describes the POODLE vulnerability that exists on several servers in this organization. You'll see in the vulnerability report we first have a technical description that describes what the issue is and why it's important. This report also provides a solution. In this case it's fairly simple, disable SSL version three. If you scroll down in this report, you can see the specific output. What happened when Nessus performed the scan, and the results that it found, as well as a listing of the hosts that are affected by the vulnerability. This is a great style of report for an engineer who now needs to go and resolve this vulnerability. They have the steps to follow for a resolution, and they have a list of hosts to check off as they go through and resolve each one. Here's another report that might be more suitable for a web developer. This report describes a SQL injection vulnerability in a website. In addition to providing some high-level information about the vulnerability, this report also provides the specific information that a web developer will be interested in. Down here in the Plugin Output section it shows you exactly what input was sent to the web application, and what came back as a result. An application developer can look at these results and read in pretty clear language the following resources may be vulnerable to blind SQL injection. And it provides the name of the application, experience.asp. Then the specific variable in that application that has a SQL injection vulnerability. And then it even provides a string that can be used to replicate the issue. And finally, here's an executive summary report of a scan that might be more suitable for management. This report rolls up the total number of vulnerabilities found in each host in an easy-to-skim report. If an executive is interested in looking at more detail, they can simply click the Show Details button under each host to see the specific vulnerabilities at issue. You'll also need to decide how to distribute vulnerability scan reports. You may choose to grant individuals direct access to the scanner, so that they can go in and read those reports directly, and customize reports to their personal preferences. Or you can set up report distribution that pushes reports into user's inboxes. When you do this you may choose either automated or manual distribution. Reports might arrive automatically after each scan, once a week, or only upon request. You'll want to tailor your reporting to the needs and desires of your audience.
We are a CompTIA Partner. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Configuring vulnerability scans
- Reporting scan results
- Barriers to vulnerability remediation
- Analyzing scan reports
- Common server, endpoint, and network vulnerabilities
- Software security issues, such as SQL injection
- Access control vulnerabilities