The course is part of this learning path
Reporting and verification
Although reporting comes at the end of the testing process, it can also be the springboard for your next step.
Learning lessons from your reports can enable you to innovate going forward, as well as correct any mistakes and strengthen any areas of weakness you find, that’s why it’s so important to create reports that are honest and concise.
Reporting: The basics
As you know, it’s important to get your reports right, so here are some considerations you should make when setting them up:
- Be sure that your reports are able to capture all of your findings from the testing assessment. Attempts to hide or downplay the significance of vulnerabilities can lead to unnecessary exposure to attack.
- Reports should be balanced between technical and non-technical summaries. A traffic light system is a useful key to implement and describe the impact, and likelihood of a vulnerability being exploited.
- Because a report contains sensitive information, you should be sure that the distribution of your reports is protected with passwords and keyholders, etc. If your report got into the wrong hands, it would be the perfect blueprint for how to hack your system. You can mark your test reports with the highest classification of data and treat them as strictly ‘need-to-know.’
So how can you ensure you’ve covered all your bases when setting up your reports and verifying your system?
The Deming cycle
Verification and the Deming cycle
The Deming cycle is an iterative improvement loop based on ‘Plan-do-check-act’ that ensures you’ve completed all the relevant steps. Verification is part of the ‘check’ phase, which is used to verify that the original design specification and security requirements have been met, and that the processes for design and development have been properly followed.
Once it’s clear that those requirements have been met, it’s time to conduct ‘verification linkage.’ This refers to the need for rigorous system testing of both the system and any proposed administration processes that support the application. This confirms the requirements built into the system can be achieved in live operation.
After a successful live operation test, it’s important to consider the creation of user instructions and system operating procedures. These are types of administrative processes that could support a new or updated system. Remember, where a system has an impact on administration process, the testing must be end-to-end and involve real users.
If, during the testing phase, it becomes evident that a process created for the developers to follow is almost always being circumvented, then the process itself should be re-evaluated to see if it’s flawed.
The principles of effective auditing
Before you watch the next video on auditing and digital forensics, it’s good to be aware of the basic principles of creating an auditing solution. These are:
- Collect relevant security data from all relevant endpoints on the network
- Normalise the data so that searches can include event logs from different sources
- Ensure all security enforcing capabilities, such as anti-virus software, firewalls, content checkers and authentication and authorisation solutions, feed into the event management system
- Raise alerts when events which indicate a security incident are received
- Use specialised staff to analyse the data and conduct investigations
- Ensure that there are procedures in place to manage audit information as digital evidence
- Ensure a system-wide accurate time source
Up next, you’ll be watching a video on auditing and digital forensics. This is linked to reporting in that it documents the usage of a system, but for a slightly varied outcome. You’ll learn about the principles that can support you when creating a successful auditing process and hear about how your data can support forensic evidence.
In this module you’ll be continuing with the information life cycle by following the process onto Test strategies and approaches through to reporting and verification and finally concluding with auditing and digital forensics.
A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.