Report Writing

Findings Classification

Trail of Bits, for example, uses the following classification:

  • Access Controls: Related to authorization of users and assessment of rights

  • Auditing and Logging: Related to auditing of actions or logging of problems

  • Authentication: Related to the identification of users

  • Configuration: Related to security configurations of servers, devices or software

  • Cryptography: Related to protecting the privacy or integrity of data

  • Data Exposure: Related to unintended exposure of sensitive information

  • Data Validation: Related to improper reliance on the structure or values of data

  • Denial of Service: Related to causing system failure

  • Error Reporting: Related to the reporting of error conditions in a secure fashion

  • Patching: Related to keeping software up to date

  • Session Management: Related to the identification of authenticated users

  • Timing: Related to race conditions, locking or order of operations

  • Undefined Behavior: Related to undefined behavior triggered by the program

Vulnerability Likelihood/Difficulty

Trail of Bits, for example, classifies every finding into four difficulty levels:

  • Undetermined: The difficulty of exploit was not determined during this engagement

  • Low: Commonly exploited, public tools exist or can be scripted that exploit this flaw

  • Medium: Attackers must write an exploit, or need an in-depth knowledge of a complex system

  • High: The attacker must have privileged insider access to the system, may need to know extremely complex technical details or must discover other weaknesses in order to exploit this issue

Findings Impact

  • Low

  • Medium

  • High

Findings Severity

OWASP 3x3 Severity Matrix (Likelihood x Impact = Severity):

  Likelihood   Impact   Severity
  ----------   ------   --------
  Low          Low      Note
  Low          Medium   Low
  Low          High     Medium
  Medium       Low      Low
  Medium       Medium   Medium
  Medium       High     High
  High         Low      Medium
  High         Medium   High
  High         High     Critical
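The matrix above applied to a findings list, as an added example (not code from the page or from OWASP); the findings, titles and categories are constructed for illustration:

```python
from collections import Counter

# OWASP 3x3 matrix as given on the page: (likelihood, impact) -> severity.
SEVERITY_MATRIX = {
    ("Low", "Low"): "Note",        ("Low", "Medium"): "Low",
    ("Low", "High"): "Medium",     ("Medium", "Low"): "Low",
    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",     ("High", "Medium"): "High",
    ("High", "High"): "Critical",
}
# Sort order for the findings table in a report: most severe first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Note": 4}
LEVELS = ("Low", "Medium", "High")


def _level(value: str) -> str:
    """Normalise spellings such as 'Med'/'med' to the matrix's 'Medium'."""
    return "Medium" if value.lower().startswith("med") else value.capitalize()


def severity(likelihood: str, impact: str) -> str:
    """Look up the matrix severity; reject values outside the 3x3 scale."""
    key = (_level(likelihood), _level(impact))
    if key[0] not in LEVELS or key[1] not in LEVELS:
        raise ValueError(f"likelihood/impact must be one of {LEVELS}, got {key}")
    return SEVERITY_MATRIX[key]


def rank_findings(findings):
    """Attach a severity to each finding and order them most severe first."""
    rated = [dict(f, severity=severity(f["likelihood"], f["impact"])) for f in findings]
    return sorted(rated, key=lambda f: (SEVERITY_RANK[f["severity"]], f["title"]))


def summary(findings):
    """Count findings per severity, as needed for an executive summary."""
    return dict(Counter(f["severity"] for f in rank_findings(findings)))


# Constructed sample findings (hypothetical, not from a real engagement).
SAMPLE = [
    {"title": "Verbose stack traces", "category": "Error Reporting", "likelihood": "Low", "impact": "Low"},
    {"title": "Missing rate limit on login", "category": "Authentication", "likelihood": "High", "impact": "Medium"},
    {"title": "Outdated TLS library", "category": "Patching", "likelihood": "Med", "impact": "High"},
    {"title": "Session token in URL", "category": "Session Management", "likelihood": "High", "impact": "High"},
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{f['severity']:<9} {f['category']:<20} {f['title']}")
    print(summary(SAMPLE))
```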

Trail of Bits uses:

  1. Informational: The issue does not pose an immediate risk, but is relevant to security best practices or Defence in Depth

  2. Undetermined: The extent of the risk was not determined during this engagement

  3. Low: The risk is relatively small or is not a risk the customer has indicated is important

  4. Medium: Individual user's information is at risk, exploitation would be bad for client's reputation, moderate financial impact, possible legal implications for client

  5. High: Large numbers of users, very bad for client's reputation, or serious legal or financial implications

ConsenSys uses:

  1. Minor: issues are subjective in nature. They are typically suggestions around best practices or readability. Code maintainers should use their own judgment as to whether to address such issues.

  2. Medium: issues are objective in nature but are not security vulnerabilities. These should be addressed unless there is a clear reason not to.

  3. Major: issues are security vulnerabilities that may not be directly exploitable or may require certain conditions in order to be exploited. All major issues should be addressed.

  4. Critical: issues are directly exploitable security vulnerabilities that need to be fixed.
