Although reporting comes at the end of the testing process, it can also be the springboard for your next step.

Learning lessons from your reports can enable you to innovate going forward, as well as correct any mistakes and strengthen any areas of weakness you find, that’s why it’s so important to create reports that are honest and concise.

Reporting: The basics

As you know, it’s important to get your reports right, so here are some considerations you should make when setting them up:

Be sure that your reports are able to capture all of your findings from the testing assessment. Attempts to hide or downplay the significance of vulnerabilities can lead to unnecessary exposure to attack.
Reports should be balanced between technical and non-technical summaries. A traffic light system is a useful key to implement and describe the impact, and likelihood of a vulnerability being exploited.
Because a report contains sensitive information, you should be sure that the distribution of your reports is protected with passwords and keyholders, etc. If your report got into the wrong hands, it would be the perfect blueprint for how to hack your system. You can mark your test reports with the highest classification of data and treat them as strictly ‘need-to-know.’

So how can you ensure you’ve covered all your bases when setting up your reports and verifying your system?

The Deming cycle

Verification and the Deming cycle

The Deming cycle is an iterative improvement loop based on ‘Plan-do-check-act’ that ensures you’ve completed all the relevant steps. Verification is part of the ‘check’ phase, which is used to verify that the original design specification and security requirements have been met, and that the processes for design and development have been properly followed.

Once it’s clear that those requirements have been met, it’s time to conduct ‘verification linkage.’ This refers to the need for rigorous system testing of both the system and any proposed administration processes that support the application. This confirms the requirements built into the system can be achieved in live operation.

After a successful live operation test, it’s important to consider the creation of user instructions and system operating procedures. These are types of administrative processes that could support a new or updated system. Remember, where a system has an impact on administration process, the testing must be end-to-end and involve real users.

Top tip

If, during the testing phase, it becomes evident that a process created for the developers to follow is almost always being circumvented, then the process itself should be re-evaluated to see if it’s flawed.

The principles of effective auditing

Before you watch the next video on auditing and digital forensics, it’s good to be aware of the basic principles of creating an auditing solution. These are:

Collect relevant security data from all relevant endpoints on the network
Normalise the data so that searches can include event logs from different sources
Ensure all security enforcing capabilities, such as anti-virus software, firewalls, content checkers and authentication and authorisation solutions, feed into the event management system
Raise alerts when events which indicate a security incident are received
Use specialised staff to analyse the data and conduct investigations
Ensure that there are procedures in place to manage audit information as digital evidence
Ensure a system-wide accurate time source

Reporting and verification