├── Penetration Testing Findings Repository 1.0.xlsx
├── README.md
└── LICENSE.txt

/Penetration Testing Findings Repository 1.0.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cisagov/pen-testing-findings/HEAD/Penetration Testing Findings Repository 1.0.xlsx
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Penetration Testing Findings Repository

The Penetration Testing Findings Repository is a collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test. Weaknesses that are identified and validated become findings in an engagement report.

The repository contains default names, descriptions, recommendations for remediation, references, mappings to various frameworks, and severities for each finding.

The repository consists of three layers:
1. The Finding Category layer lists the overarching categories.
2. The General Finding layer lists high-level findings.
3. The Specific Finding layer lists low-level findings.

To make the repository easy to navigate, findings are grouped by the overarching categories. Assessors can report on both general and specific findings when creating reports.

The repository and its structure serve four primary purposes:
1. Standardization: The repository standardizes the reporting and trend analysis processes by limiting assessors to a pool of findings rather than allowing them to enter custom findings that could include inconsistent attributes.
2. Streamlined Reporting: Providing pre-populated attributes saves significant time during the reporting process, allowing assessors to focus on operations.
3. Comprehensiveness: The layered structure gives assessors more flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding, but if none of them accurately describes what was discovered, they can select a general finding and tailor it accordingly.
4. Ease of Navigation: Because of its layered structure, the repository is easy to navigate, which enables assessors to focus on specific groups of findings.

The Penetration Testing Findings Repository and the RVA Reporting Engine are integrated, enabling assessors to generate a final report at the end of an engagement.
--------------------------------------------------------------------------------

/LICENSE.txt:
--------------------------------------------------------------------------------
Copyright 2022 Carnegie Mellon University.

This material is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

The display of the CISA logo or other CISA visual identities shall not be interpreted to provide any person or organization the authorization to use the official logo, insignia or other visual identities of the Cybersecurity and Infrastructure Security Agency.

CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Penetration Testing Findings Repository v1.0 includes, references, and/or makes use of certain third party software and/or materials ("Third Party Materials"). By using Penetration Testing Findings Repository v1.0, You agree to comply with any and all relevant Third Party Materials terms and conditions contained in any such Third Party Materials or separate license file distributed with such Third Party Materials. The parties who own the Third Party Materials ("Third Party Licensors") are intended third party beneficiaries to this License with respect to the terms applicable to their Third Party Materials. Third Party Materials licenses only apply to the Third Party Materials and not any other portion of Penetration Testing Findings Repository v1.0 as a whole.

The Penetration Testing Findings Repository v1.0 specifically references the following Standards and Frameworks:

NIST SP 800-53 Rev. 5
Developed by the National Institute of Standards and Technology (NIST) to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST SP 800-53 Rev. 5 is not subject to copyright in the United States. NIST SP 800-53 Rev. 5 is available free of charge from: https://doi.org/10.6028/NIST.SP.800-53r5

NIST CSF 1.1
NIST CSF 1.1 is the result of an ongoing collaborative effort involving industry, academia, and government. NIST launched the project by convening private- and public-sector organizations and individuals in 2013. Published in 2014 and revised during 2017 and 2018, this Framework for Improving Critical Infrastructure Cybersecurity has relied upon eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world. NIST CSF 1.1 is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018

CIS CSC v8
CIS Critical Security Controls® Version 8 (CIS CSC v8) is published by the Center for Internet Security® (CIS®). CIS CSC v8 is a prioritized set of actions to protect organizations and data from cyber-attack vectors. Please visit http://www.cisecurity.org/controls/ to ensure access to the most up-to-date guidance.
CIS CSC v8 is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the license text can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see the Copyright notice for non-US Government use and distribution. DM21-0999
--------------------------------------------------------------------------------