08 November 2022

Reporting Can Be the Hero or Villain of Your Cybersecurity Pentesting

Synack

Reporting is a critical but often-overlooked component of cybersecurity testing

The overall goals of nearly any technology can be summed up by the title of a song by the popular French music duo Daft Punk: “Harder, Better, Faster, Stronger.” New technologies are commonly judged against two or more of these characteristics. Applying this to cybersecurity tools, does it harden my attack resistance? Can it do the job better with less cost or resources? Does it do the job faster? And ultimately are my defenses stronger?

But in the urgency to design and implement the features that will achieve these goals, there is one component that is often overlooked: reporting. Can I get the right information into the hands of the right people in a form that they can use?

Original cybersecurity pentest reports were descriptions of what was done, what was found and what might be done about it. They were composed for the security team paying for the test and usually took the form of a data dump. Three- or four-hundred-page reports were commonplace, and why not? What better way to show all the work that you had done, even if the pentest didn’t actually produce any viable results?

Further, those reports were created once for each pentest, resulting in a fossilized memento of what was done, usually destined to occupy a few MB of storage on a hard drive and eventually be forgotten in an archive.

Synack decided there had to be a better way to communicate pentesting results. They focused on three key innovations: customizability, scheduling and human components.

Customizability:

In this information age, too much information can be as punishing or painful as too little. Not everyone cares about every component of a pentest. For example, a painstaking regurgitation of the scope of the test may matter to an auditor, but not to a developer tasked with patching the vulnerabilities that were found. Synack reports are highly customizable, allowing purpose-built, audience-specific reports to be created on the fly. Each person gets the report they need, without unnecessary information. And this sort of reporting uses fewer resources than generating a single report for everyone.

Scheduling:

People throughout an organization have different appetites for information. We’ve seen organizations that want weekly reports on continuous tests, but only for host and network assets. Others want a fresh report every time their web app ships a new feature, coinciding with the 14-day sprint schedule that drives their CI/CD. Synack can handle all of those scenarios with reporting customization AND a robust role-based access control (RBAC) system. Synack’s RBAC-driven customizable reporting also allows security teams to implement least-privilege access, so various information needs can be met without the risk of testing data being seen or modified accidentally or by anyone without proper authorization. As a result, testing results get into people’s hands without delay.

Human Components:

The most important question you need to ask about any cybersecurity test is, “Why do I care, and what do I need to do?” Ultimately, with thousands of discrete tests performed and vulnerabilities found, Synack decided that a human-written summary was usually what helped customers the most. Every Synack pentest comes with a human-written summary, written by people separate from the actual testing, triage or service delivery so that customers gain the maximum benefit from independent thinking. Customers get the actionable information they need to strengthen their cybersecurity defenses, and they get it in a form that is to the point and easy to digest.

To see our reporting feature in action, watch this short video.