Decisions on Findings
After receiving the penetration test report, there are several steps you can take, such as remediation, accepting the risk, or rejecting the findings.
Here’s a brief overview of actions you can take once the penetration test report is ready.
Analyze
When deciding to address a vulnerability, the first and most crucial step is to allocate sufficient time to analyze and interpret the report. Your employees responsible for the penetration test should consider the following questions:
- Does this vulnerability meet the risk threshold we have agreed upon internally?
- What is the actual (business) impact of a possible vulnerability exploitation, considering factors that may not be known to the penetration tester?
- Who will be responsible for remediating each finding?
Remediate
Before taking any further action, it’s crucial to verify that the vulnerability is reproducible. This not only enhances your understanding of the issue but also helps identify the systems at risk and the intrusion techniques involved.
To initiate the remediation phase, it’s essential to comprehend the scope of what needs to be fixed. While technical fixes may be necessary, there could also be underlying causes, such as:
- Management practices that require improvements;
- Alternative approaches;
- Ineffective or overly permissive security policies;
- Communication issues within or between departments.
Nevertheless, in most cases, a technical fix must be implemented. We advise remediating the findings as soon as possible: the penetration tester is more likely to still be intimately familiar with the vulnerability, and the window in which it can be exploited is shorter.
Retest
At Oneleet, we are committed to safeguarding your company. We provide free retesting for a year after the penetration test is delivered, giving you ample time to address vulnerabilities and improve your company’s security posture. However, it’s crucial to adhere to your internal policy regarding vulnerability remediation, particularly in light of compliance requirements such as SOC 2, PCI, or ISO 27001.
Accepting the risk
Marking vulnerabilities as Accepted Risk on our platform is entirely at your discretion. We recognize that each client may have a higher or lower internal risk threshold for remediation, and we respect your decision if the analyzed impact is deemed too low to warrant action.
However, we advise against accepting vulnerabilities with a Medium or higher risk. As these vulnerabilities pose a growing business risk, they are not a matter of if but when they will impact your organization. Therefore, ensure that you allocate sufficient time and effort to remediate these risks effectively.
Our recommendation is to always provide a clear reason for accepting a risk. This rationale will be included in the penetration test report, allowing you to offer additional context to internal and external stakeholders regarding the acceptability of the risk.