Information Security Testing – A Quality Security Report Provides Tools for Development

How should you review the results of information security testing? Which parts of an information security report are essential for management, developers, and other stakeholders? In this blog post, we walk through the structure of our security report, explain the significance of each section, and provide tips to help your company turn findings into an effective action plan.

Why Is the Report Created and Who Is It For?

The end product of information security testing purchased through consulting is typically a security report. The consultant often performs testing remotely, making the report the clearest way to document what was done during the project. Although the report is written by a technical security tester, this doesn’t mean it’s intended only for technical personnel.
The report serves multiple purposes and is aimed at various stakeholders. For example, company management may be most interested in the executive summary, which briefly covers what was found and what actions are recommended next. On the other hand, software developers may get the most value from the more technical aspects of the report—the detailed review of findings.
The report can also be viewed as a tool when creating a software development roadmap and planning future decisions. Companies can also build trust with their customers by conducting regular security testing, and you can request a statement about testing from us at 2NS.

Report Sections

1. Executive Summary

The executive summary provides an overview of the report’s contents. It describes how many vulnerabilities or other observations were found in each tested area. Additionally, it briefly mentions what these findings could cause and what follow-up actions we recommend.

2. Introduction

The introduction covers which systems were included in the security testing and also lists any areas that were not tested. This section also describes the agreed testing timeframe and how findings should be interpreted.

3. Findings

At 2NS, the findings section is divided into vulnerabilities and weaknesses. Vulnerabilities are, as the name suggests, exploitable in some way and can cause more serious damage. Discovered weaknesses, however, are not necessarily directly exploitable; they are instead deviations from “best practices” for secure system development.
In the report, vulnerabilities and weaknesses appear quite similar, with the difference being that vulnerabilities include more detail about the severity of the finding. Both types of findings first provide some background information about what the finding relates to, followed by detailed information about how the finding was made and how it can be reproduced. This section is meaningful both for the software developers at the company that commissioned the testing and for any security testers who may later retest the system, so they can reproduce the finding and verify whether it has been fixed.

4. Appendices

The appendices describe what was done during testing and with what tools. This section also briefly explains what different vulnerability classes mean and how we recommend the findings be remediated.

How to Get the Most Out of a Security Report

A security report is meant to provide value to the company that commissioned the testing, but if the report isn’t reviewed thoughtfully, that value may be diminished. By following these tips, you can get the best benefit from the report.

Prepare for the Report Review Meeting

We always review the report with the company that commissioned the work and send the report well in advance of the review meeting. You’ll get the most benefit from the report and its review by familiarizing yourself with the report and its contents beforehand. This way, we can answer any questions about the report or testing during the meeting and ensure that all findings are explained clearly.

Ensure the Report Has an Owner

If no one is responsible for the report, it easily goes underutilized. If someone takes ownership of moving forward with the matters covered in the report, the recommended fixes will be properly reviewed and the next steps after security testing will be agreed upon.

Prioritize Fixing Findings

Sometimes the report may contain many findings. In such cases, all findings should be reviewed and a decision made about the order in which potential fixes will be implemented—or whether some findings will be fixed at all. As mentioned in the previous section, not all findings carry equal weight. It is the commissioning company’s decision which findings warrant consciously accepting the risk, either by leaving them unfixed entirely or by postponing the fix to a later stage.

Retesting Fixes

Once fixes have been completed, consider retesting the findings. Especially if the report contained even one high-severity finding or several lower-severity findings, it is good to verify that the findings are no longer exploitable after remediation. This type of testing is usually cheaper than the original testing because time is only spent reviewing previously discovered vulnerabilities, and it can often be completed in 1–2 days.
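The ownership, prioritization and retesting advice above can be turned into a small findings register. The following is an added example, not 2NS tooling: it models the report's vulnerability/weakness split, orders findings for review, flags findings with no owner or decision, and derives the retest scope; the owner field, the decision values and the threshold of three "lower-severity" findings are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

@dataclass
class Finding:
    ident: str
    kind: str                            # "vulnerability" or "weakness"
    severity: Optional[Severity] = None  # only vulnerabilities are rated
    owner: str = ""                      # person driving the decision (assumed field)
    decision: str = "undecided"          # "fix", "postpone" or "accept-risk"
    fixed: bool = False                  # set once the fix has been deployed

def prioritize(findings: List[Finding]) -> List[str]:
    """Review order: vulnerabilities first (highest severity first), then weaknesses."""
    def key(f: Finding):
        rated = int(f.severity) if f.severity is not None else 0
        return (f.kind != "vulnerability", -rated, f.ident)
    return [f.ident for f in sorted(findings, key=key)]

def unowned_or_undecided(findings: List[Finding]) -> List[str]:
    # Findings that will stall: nobody owns them or no decision has been made.
    return [f.ident for f in findings if not f.owner or f.decision == "undecided"]

def retest_scope(findings: List[Finding]) -> List[str]:
    """Only findings chosen for fixing and marked fixed are re-verified."""
    return [f.ident for f in findings if f.decision == "fix" and f.fixed]

SEVERAL = 3  # assumed threshold for the post's "several lower-severity findings"

def retest_recommended(findings: List[Finding]) -> bool:
    """Rule of thumb: retest after even one fixed high-severity finding, or several lower ones."""
    fixed = [f for f in findings if f.decision == "fix" and f.fixed and f.severity]
    if any(f.severity >= Severity.HIGH for f in fixed):
        return True
    return len(fixed) >= SEVERAL

SAMPLE = [  # constructed sample register; identifiers, owners and ratings are made up
    Finding("W-01", "weakness", owner="dev-lead", decision="fix", fixed=True),
    Finding("V-01", "vulnerability", Severity.MEDIUM, "dev-lead", "postpone"),
    Finding("V-02", "vulnerability", Severity.HIGH, "dev-lead", "fix", True),
    Finding("V-03", "vulnerability", Severity.LOW),
    Finding("V-04", "vulnerability", Severity.LOW, "ciso", "accept-risk"),
]
```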

A Security Report Is More Than Just a List of Threats

A security report isn’t just a technical document—it’s a versatile tool that serves different stakeholders in different ways. Its value lies not only in individual findings but in how the report helps visualize the bigger picture and guides the company toward a more security-conscious culture. The report can serve as an excellent tool for risk management, decision-making, and incorporating security considerations during the system development phase.

Minja Silvennoinen, Information Security Specialist

2NS Cybersecurity Oy
