The Penetration Testing Findings Repository is a collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test. Weaknesses that are identified and validated become findings in an engagement report.
The repository contains default names, descriptions, recommendations for remediation, references, mappings to various frameworks, and severities for each finding.
The repository consists of three layers:
- Finding Category layer lists the overarching categories
- General Finding layer lists high-level findings
- Specific Finding layer lists low-level findings
To make the Penetration Testing Findings Repository easy to navigate through findings are grouped by the overarching categories. Assessors can report on both general and specific findings when creating reports.
The repository and its structure serve four primary purposes:
- Standardization: The repository standardizes the reporting and trend analysis processes by limiting assessors to a pool of findings rather than allowing them to enter custom findings that could include inconsistent attributes.
- Streamlined Reporting: Providing pre-populated attributes saves significant time during the reporting process, allowing assessors to focus on operations.
- Comprehensiveness: The layered structure gives assessors more flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding, but if none of them accurately describe what was discovered, they can select a general finding and tailor it accordingly.
- Ease of Navigation: Because of its layered structure, the repository is easy to navigate, which enables assessors to focus on specific groups of findings.
The Penetration Testing Findings Repository and the RVA Reporting Engine are integrated, enabling assessors to generate a final report at the end of an engagement.