Application Security Assessment Template

This is a sample reporting template. I find this format useful. There are several other examples included that may be helpful. My notes and suggestions are in this gray font and should be deleted from your final report. This template can be used and shared freely.

Executive Summary

  1. Reason for your test and under whose authority
  2. Any specific goals you were given (“overall assessment” is a fine answer)
  3. Timeframe for test
  4. Brief description of the application
  5. Summary of findings
  6. Overall risk rating (high/medium/low)
  7. Graph of number of findings
  8. Summary of recommendations

Methodology

  1. Interviews

List of people and job titles interviewed

  2. Documents Reviewed

List of documents and their version numbers reviewed. Optionally these documents can be attached in the appendix

  3. Tools Utilized

List all of the scanners and other test tools that you ran

  4. List of Applications and URLs Tested

Outline the applications and URLs here

Results

Scan Findings Matrix

(Delete the rows for any scanner you did not use. You will be documenting the specific findings later in this section.)

Scanner / High Findings / Medium Findings / Low Findings / Info Findings
Acunetix WVS / / / /
Burp Suite / / / /
Cenzic Hailstorm / / / /
HP WebInspect / / / /
IBM AppScan / / / /
Netsparker / / / /
Nikto / / / /
NTOSpider / / / /
OWASP ZAP / / / /
SkipFish / / / /
Vega / / / /
W3AF / / / /
Wapiti / / / /
Websecurify / / / /
Nexpose / / / /
Nessus / / / /
nmap / / / /
SQLMap / / / /
Other Scanner / / / /

Individual Findings

(Example. Use one table for each finding.)

Finding Name: / SQL Injection
Severity: / High
CWE or OSVDB: / CWE-89: Improper Neutralization of Special Elements used in an SQL Command
Found by: / Vega vulnerability scanner and verified with SQLmap
Description:
The phone number text entry box on the data entry page appears to have the user input directly concatenated to a SQL query. Because of this, the user was able to run SQL commands directly against the database, viewing the data from other users as well as specific information about the database.
Potential Impact:
An attacker can potentially add, modify, view or delete the data in your database as well as view specific information about the database and its metadata.
Affected Files/Code:
/registration/entry.php
How to Remediate:
Please see the OWASP “SQL Injection Prevention Cheat Sheet” at
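The example finding above describes the classic pattern (user input concatenated into a query string) and points to the OWASP cheat sheet for the fix. When a finding's "Affected Files/Code" cell includes a code snippet, it helps the developer to show the vulnerable lines next to the remediated version. The following PHP is an added illustration, not code from the original template or from the assessed application: the file name /registration/entry.php comes from the finding, while the table name, column names, connection details and the phone-number format check are assumed for illustration.

```php
<?php
// Added example for the SQL injection finding (not the assessed application's code).
// File name is taken from the finding; schema and connection details are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=registration', 'app_user', 'PLACEHOLDER_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// BEFORE (the pattern the finding describes): the phone number is concatenated
// straight into the SQL text, so the database parses user input as part of the query.
function lookupEntryVulnerable(PDO $pdo, string $phone): array
{
    $sql = "SELECT id, name, phone FROM entries WHERE phone = '" . $phone . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER (remediated): a parameterized query. The query text is fixed at prepare time
// and the phone number is bound as data, so it can never change the SQL structure.
function lookupEntry(PDO $pdo, string $phone): array
{
    $stmt = $pdo->prepare('SELECT id, name, phone FROM entries WHERE phone = :phone');
    $stmt->execute([':phone' => $phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defense in depth: reject input that is not shaped like a phone number before it
// reaches the database layer. The allowed character set here is an assumption.
function isValidPhone(string $phone): bool
{
    return preg_match('/^\+?[0-9 ()\-]{7,20}$/', $phone) === 1;
}

// Request handling for the data entry page.
$phone = $_POST['phone'] ?? '';
if (!isValidPhone($phone)) {
    http_response_code(400);
    exit('Invalid phone number');
}
$rows = lookupEntry($pdo, $phone);
header('Content-Type: application/json');
echo json_encode($rows);
```

In the report, the "before" function is what the scanner flagged and the "after" function is the concrete remediation; the input validation is a secondary control and does not replace parameterization, which is the primary fix the OWASP cheat sheet recommends.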
Finding Name: / (e.g., SQL Injection)
Severity: / (H/M/L/I)
CWE or OSVDB: / (e.g., CWE-676: Use of Potentially Dangerous Function)
Found by: / (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)

Finding Name: / (e.g., SQL Injection)
Severity: / (H/M/L/I)
CWE or OSVDB: / (e.g., CWE-676: Use of Potentially Dangerous Function)
Found by: / (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)

Finding Name: / (e.g., SQL Injection)
Severity: / (H/M/L/I)
CWE or OSVDB: / (e.g., CWE-676: Use of Potentially Dangerous Function)
Found by: / (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)

Finding Name: / (e.g., SQL Injection)
Severity: / (H/M/L/I)
CWE or OSVDB: / (e.g., CWE-676: Use of Potentially Dangerous Function)
Found by: / (Tool or activity name)
Description:
Potential Impact:
Affected Files/Code:
(List all of the occurrences here. Can also include screen captures, code snippets, etc. Just be sure to reference the file name.)
How to Remediate:
(Can be copied from most scan reports or point to the appropriate OWASP page at owasp.org.)

Conclusion

Summarize your findings, recommendations and risk rating here. This should be only one or two paragraphs unless your findings were unusually complex.

APPENDIX
Attach your scan results and any OWASP cheat sheets you referenced. Optionally you can attach any of the organization’s documentation you reviewed if you do not believe that it is effectively managed or tracked.