Report Writing
Findings Classification
Trail of Bits, for example, uses the below classification:
Access Controls: Related to authorization of users and assessment of rights
Auditing and Logging: Related to auditing of actions or logging of problems
Authentication: Related to the identification of users
Configuration: Related to security configurations of servers, devices or software
Cryptography: Related to protecting the privacy or integrity of data
Data Exposure: Related to unintended exposure of sensitive information
Data Validation: Related to improper reliance on the structure or values of data
Denial of Service: Related to causing system failure
Error Reporting: Related to the reporting of error conditions in a secure fashion
Patching: Related to keeping software up to date
Session Management: Related to the identification of authenticated users
Timing: Related to race conditions, locking or order of operations
Undefined Behavior: Related to undefined behavior triggered by the program
Vulnerability Likelihood/Difficulty
Trail of Bits, for example, classifies every finding into four difficulty levels:
Undetermined: The difficulty of exploit was not determined during this engagement
Low: Commonly exploited, public tools exist or can be scripted that exploit this flaw
Medium: Attackers must write an exploit, or need an in-depth knowledge of a complex system
High: The attacker must have privileged insider access to the system, may need to know extremely complex technical details or must discover other weaknesses in order to exploit this issue
Findings Impact
Low
Medium
High
Findings Severity
OWASP 3x3 Severity Matrix (Likelihood x Impact = Severity):

Likelihood \ Impact | Low    | Medium | High
Low                 | Note   | Low    | Medium
Medium              | Low    | Medium | High
High                | Medium | High   | Critical
Trail of Bits uses:
1. Informational: The issue does not pose an immediate risk, but is relevant to security best practices or Defence in Depth
2. Undetermined: The extent of the risk was not determined during this engagement
3. Low: The risk is relatively small or is not a risk the customer has indicated is important
4. Medium: Individual user’s information is at risk, exploitation would be bad for client’s reputation, moderate financial impact, possible legal implications for client
5. High: Large numbers of users, very bad for client’s reputation, or serious legal or financial implications
ConsenSys uses:
1. Minor: issues are subjective in nature. They are typically suggestions around best practices or readability. Code maintainers should use their own judgment as to whether to address such issues.
2. Medium: issues are objective in nature but are not security vulnerabilities. These should be addressed unless there is a clear reason not to.
3. Major: issues are security vulnerabilities that may not be directly exploitable or may require certain conditions in order to be exploited. All major issues should be addressed.
4. Critical: issues are directly exploitable security vulnerabilities that need to be fixed.