RE: Reports

I have to agree with Matt.  We include all tool data (for the company's techs to sift through) with our report, but they are in the appendix. Management could care less about your vuln scanner's output, but the tech's may need it. The meat of the report should be written using your grey matter...

-Mike

-----Original Message-----
From: nessus-bounces_at_list.nessus.org [mailto:nessus-bounces_at_list.nessus.org] On Behalf Of Matt Jonkman
Sent: Friday, November 18, 2005 5:14 PM
To: Patrick Derwael
Cc: nessus_at_list.nessus.org
Subject: Re: Reports

I would highly recommend NOT getting into the business of presenting
scan output to your customers. You'll not have very satisfied customers,
and you'll probably not get much repeat business. (just my opinion of
course)

A pen test, vulnerability assessment, etc, is not running a scanner and
printing off the results. It involves looking at a net with many tools,
and using your gray matter and experience to interpret those results,
verify those are valid or not.

The report should be a human written analysis of what you found, what
the network's strengths and weaknesses are, and what you recommend to
remedy those. Included somewhere in that report should be a list of the
specific vulnerabilities that you found and verified by hand.

In short, if you've ever been given the results of a scanner as a report
for an assessment, you've been robbed. :)

If you're in the business of giving reports from scanners as
vulnerability assessments, you'd better make sure you have very good E&O
insurance. :)  Cause it's going to come back to get you.

I'll get off my soapbox. But to answer the original question: There
don't exist a lot of tools to make scan results look pretty, because
that's not what scan results are for. Scan results are for the security
professional to read and interpret, the charts and graphs should be
generated by the security professional in your favorite spreadsheet
program, based on your interpreted data.

Matt


On Fri, 2005-11-18 at 15:34 +0100, Patrick Derwael wrote:
> Gentlemen,
>  
> I have been comparing a few scanners, and I must say that I find that
> Nessus is of high technical quality, but the reporting part is rather
> poor.
>  
> I cannot use the standard Nessus 'report' to present the scan results
> to my customers.
> Would womeone know of any reporting tool that could be used to format
> and print the data generated by Nessus ?
>  
> Thank you 
> 
> ______________________________________________________________________
> Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo!
> Messenger
> Téléchargez le ici ! 
> _______________________________________________
> Nessus mailing list
> Nessus_at_list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
-- 
--------------------------------------------
  Matthew Jonkman, CISSP
  Senior Security Engineer
  Infotex
  765-429-0398 Direct Anytime
  765-448-6847 Office
  866-679-5177 24x7 NOC
  www.infotex.com
  my.infotex.com
  www.bleedingsnort.com
--------------------------------------------

  NOTICE: The information contained in this email is confidential
  and intended solely for the intended recipient. Any use,
  distribution, transmittal or retransmittal of information
  contained in this email by persons who are not intended
  recipients may be a violation of law and is strictly prohibited.
  If you are not the intended recipient, please contact the sender
  and delete all copies.

_______________________________________________
Nessus mailing list
Nessus_at_list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
This archive was generated by a fusion of Pipermail 0.09 (Mailman edition) and MHonArc 2.6.8.