Sale!

Web Application Penetration Test Reporting (W48)

$249.00 $199.00

3 in stock


Get the access to all our courses via Subscription

Subscribe

Categories: ,

Penetration Testing deliverables include a final report showing services provided, methodology, findings, and recommendations to remediate or correct issues discovered during the test. This course will show you how to use tools in Kali to help with reporting and to learn about methodologies. A penetration testing methodology is required to conduct the pen test in a consistent and standardized way for repeatable results.

One of the main questions a client will ask a pentester is what methodology is used for testing their assets. It is important to learn this to help clients understand how testing is conducted and to provide them with a deliverable that supports the findings. It is important to understand the basics of reporting prior to starting a pentest because findings need to be conveyed to a client in a way they can understand and then correct the issues.

By the end of the course, you will have materials that can be used on pentesting engagements. This includes a report template, reading materials for reference, and an understanding of various methodologies and ways to fit a methodology to a client’s requirement for a pentest.


Course benefits:

What skills will you gain?

  • You will understand what documents need to be exchanged between clients and testers.
  • You will be able to deliver a professional penetration test report.
  • Learn to use reporting tools, such as Faraday and Dradis, for issues discovered during testing.
  • Skills gained include:
    • The ability to distinguish between vulnerability assessment, compliance reporting and pentest reporting.
    • Understand the typical documents provided between clients and testers, such as NDAs.
    • Learn a reporting format, use a reporting template, and understand how to choose the best pentest methodology for the client.
  • After taking the course, you will be able to communicate about how they test a client’s assets, what deliverables are expected between the client and tester, and will be able to describe the testing methodology and what is included in a final report.

What will you learn about?

Learn how to use tools like Faraday, Dradis or Magic Tree to take results from vulnerability scanners, such as Zap and Burp to create a final report.

What tools will you use?

OWASP ZAP, Burp, Kali Linux, Dradis, Magic Tree, and Nmap.


Course general information: 

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

COURSE LAUNCH: September 19th 2019

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What will you need?

Laptop or desktop. For the operating system, use Kali Linux as a virtual machine, or installed on the HDD, SD card, or USB flash drive. It’s preferred to use a recent Kali Linux distro (2018.4). We will use free tools included in the Kali Linux distribution. We will need MS Word or another free documentation tool, such as LibreOffice or OpenOffice to make a report.

What should you know before you join?

  • You should already know how to install and configure Kali.
  • Have familiarity with setup and configuration of Burp and Zap and have a basic understanding of penetration testing.
  • Define the different report types (vulnerability, compliance and pentesting reporting) and explain best practices in reporting. Define methodologies. APA guidelines and format for reporting.

These materials will help put your expertise in a written format so that people without the same knowledge can understand what you are trying to communicate. The goal is to use effective communication to help organizations grow and to keep them safe from unwanted intrusions.

Reading materials:

Resources:



Your instructor: Chrissa Constantine

Chrissa is a web application pentester and has a Master of Science in Information Security, CISSP and CE|H certifications. She held positions as a consultant at Apple and for a Silicon Valley start-up as a penetration tester. Chrissa enjoys hacking competitions, meeting new people, and learning new things.

 

 

 

 

 


Course Syllabus


Module 1: Methodologies and Best Practices

This module defines a methodology and introduces the foundation of reporting including best practices. A primary question asked by a client is what methodology will be used during the pentest.

Methodologies define rules and practices that the tester implements during the course of the test. The methodology is a roadmap that helps the tester assess the security posture of the web application.

After this module, you'll be able to:

  • Customize a methodology from one of the industry-accepted standards.
  • Overview of OWASP Testing Guide, PCI Pentest Guide, Penetration Testing Execution Standard and NIST 800-115.
  • Introduction to the typical documents exchanged between clients and testers

Module 1 Exercises:

  • You will pick a methodology based upon the testing scenario
    • Evaluate relevant standards
    • Pick a methodology
    • Create the report outline
  • The initial module provides information about the various standards and helps a student pick a methodology to use in testing.
  • The paper will be checked for complete sections of the outline, grammar, and spelling, along with use of a methodology discussed in class.

Workload: 4 hours 30 minutes


Module 2: Introduction of tools

This module introduces the tools used to create reports. Learn about Dradis, Faraday and other reporting tools that are part of Kali. Start the process of adding the other tool results (Burp, Nmap, etc.) to the report. Have a methodology in place to help with writing.

After this module, you'll be able to:

  • Use and configuration of tools for generating a report.
  • Integrate the methodology into a suitable report format.
  • Use of a template for report format in either Word or a free reporting tool.

Module 2 exercises:

  • Students scan a host from a vulnerable app
    • Requires configuration of tools, and launching a scan
  • Scan data is used to populate vulnerabilities in the report
  • The next phase of the outline will be provided for review
  • The report will be checked to ensure it conforms with the methodology and contains test data in the form of vulnerabilities
  • Grammar, spelling and formatting will be checked to ensure they are consistent across the report

Workload: 4 hours 30 minutes


Module 3: Pentesting vs. Vulnerability Scanning

Learn how to break down testing into phases to aid in documentation.

After this module, you'll be able to:

  • Understand the differences between pentesting and vulnerability scanning.
  • Document and verify results
  • Differentiate between pentesting and vulnerability scanning.
  • Learn results verification. Learn how to document findings.

Module 3 exercises:

  • You will document additional findings and write up a conclusion
  • Findings will be checked to ensure they are accurate (verification)
  • Short quiz to test validation skills

Workload: 4 hours 30 minutes


Module 4: Report Types and Final Reporting

This module will go over how to combine tool results into a systematic and structured report.

We will learn about Executive, Managerial and Technical Reporting. The final report will be compiled and generated by the end of this module.

After this module, you'll be skilled in:

  • Executive Reporting
  • Managerial Reporting
  • Technical Reporting
  • Final Report
  • Risk Matrix, Vulnerability and Exploit Mapping, Testing Methodology and how to use them in reporting

Module 4 exercises:

  • You will have the opportunity to provide the final report based up earlier modules.
  • The executive, managerial and technical reporting aspects will be rolled up into the front matter of the final report. This will give students an opportunity to understand the various styles of writing used for various client needs.

Workload: 4 hours 30 minutes


Final Exam:

  • Thirty question exam on the theoretical aspects of report writing for penetration testing

QUESTIONS? 

If you have any questions,  please contact our eLearning Manager Marta at [email protected]

Reviews

There are no reviews yet.

Be the first to review “Web Application Penetration Test Reporting (W48)”

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013