A Review of Standardization for Penetration Testing Reports and Documents

Mohd Zaidi Zakaria, Poon Ai Phin, Nurfarahin Mohmad, Saiful Adli Ismail, M. Kama, O. Yusop
DOI: 10.1109/ICRIIS48246.2019.9073393
Venue: 2019 6th International Conference on Research and Innovation in Information Systems (ICRIIS)
Publication date: 2019-12-01
Citations: 6

A Review of Standardization for Penetration Testing Reports and Documents
Penetration testing, or pen testing, is a simulated cyber-attack conducted to find the vulnerabilities and weaknesses in a computer system. The test is conducted by professionals hired by the organization, who produce a report for the organization to act on. However, the reports produced vary from tester to tester. This is because there is no standardized pen test report format approved by any security organization or body; each tester submits a report based on the findings, following their own company's policy. We analyse eight pen test reports available online to find similarities or patterns, so that we can propose a standardized format comprising the components we think a report needs. The proposed format also caters to the understanding of both security personnel and the organization's upper management. This matters because the technicality of a report may not be clear to top management, which leads them to give less consideration to the vulnerabilities in their system. This standardized report will cater to the needs of both system security personnel and upper management, so that further action is taken to improve the security of their network, servers, computers, firewalls and all access channels of their system.