Cybersecurity Audit Report (Prototype)

This document presents an executive summary of a cybersecurity audit report conducted on a company. The report found no vulnerabilities or occurrences in the audited assets, which included a server and a web application. No recommendations were found either.

2021

Audit Report of Cybersecurity

SUBTITLE OF THE DOCUMENT


AUTHOR NAME.

[COMPANY NAME]
Detailed Customized Report | Cybersecurity

CONTENT
1. INTRODUCTION
1.1. OBJECTIVE
2. SCOPE
2.1. ASSETS
2.2. PROJECTS
3. EXECUTIVE SUMMARY
3.1. DETECTED OCCURRENCES
4. DETAIL OF OCCURRENCES
4.1. APPLICATION VULNERABILITIES
4.2. CONFIGURATION VULNERABILITIES
4.3. PRODUCT VERSION VULNERABILITIES
4.4. RECOMMENDATIONS
5. ANNEXES
5.1. REFERENCES
5.2. NOMENCLATURE

XX/XX/20XX 1

1. INTRODUCTION
1.1 OBJECTIVE
The security tests carried out have focused on the asset 'XXXXX' in Black Box mode, so it is worth noting
After the vulnerabilities were corrected, a review was conducted confirming that they had been fixed correctly.

Security tests have been conducted following the OWASP guidelines, namely the OWASP guide (v4) and the OWASP Top Ten, to assess the security of the assets provided.

Initially, information is collected and analyzed, covering the following points of the OWASP methodology:

- Determine the existing services and their versions on the machine
- Analysis of vulnerabilities according to service and version
- Collection and analysis of metadata
- Fuzzing and crawling
- Search for domains, subdomains and virtual hosts
- Check the HTTP methods (OPTIONS, TRACE, ...) accepted by each of the servers
- Location of login entry points (password entry forms)
- Search for old versions and bad configurations
- Information leak detection
- Search for information indexed by search engines
- Search for information not indexed by search engines
- Analysis of the applications' source code
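Added example for the 'Check the HTTP methods (OPTIONS, TRACE, ...)' step above; it is not part of the original report and not Vamps' or the report author's code. It starts two constructed local test servers, one that advertises and honours TRACE and one that does not, reads each server's Allow header via OPTIONS, and then verifies TRACE by sending a canary header and looking for it in the echoed body rather than trusting the advertised list (a server's Allow header is only a claim). The handler classes, the RISKY_METHODS set and the canary header name are assumptions made for the example.

```python
"""Enumerate HTTP methods a web server advertises and actually honours (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that should be called out in a finding if a production server accepts them (assumed list).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}
CANARY_HEADER, CANARY_VALUE = "X-Audit-Canary", "c4n4ry"  # assumed names, used to prove TRACE echoes input


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence request logging during the check
        pass

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")


class MisconfiguredHandler(_QuietHandler):
    """Constructed target: advertises TRACE and echoes the request back (cross-site tracing risk)."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        body = self.requestline.encode() + b"\r\n" + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(_QuietHandler):
    """Constructed target: only safe methods; BaseHTTPRequestHandler answers 501 to anything else."""

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()


def _request(host, port, method, path="/", headers=None):
    """One request on a fresh connection; returns (status, headers dict, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def check_http_methods(host, port, path="/"):
    """Return the methods advertised via OPTIONS and whether TRACE really works."""
    _, headers, _ = _request(host, port, "OPTIONS", path)
    allow = headers.get("Allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}

    # Verify TRACE instead of trusting Allow: a 200 that echoes our canary header is the proof.
    status, _, body = _request(host, port, "TRACE", path, {CANARY_HEADER: CANARY_VALUE})
    trace_enabled = status == 200 and CANARY_VALUE.encode() in body

    return {
        "advertised": sorted(advertised),
        "risky_advertised": sorted(advertised & RISKY_METHODS),
        "trace_enabled": trace_enabled,
    }


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: let the OS pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def audit_sample_targets():
    """Run the check against both constructed servers and return the findings by target name."""
    results = {}
    for name, handler in (("misconfigured", MisconfiguredHandler), ("hardened", HardenedHandler)):
        srv = _serve(handler)
        try:
            results[name] = check_http_methods(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for target, finding in audit_sample_targets().items():
        print(target, finding)
```

Against a real target, call check_http_methods(host, port) directly; a 200 that echoes the canary is the evidence to attach to a configuration finding, while an Allow header listing TRACE on its own is only a lead.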

With the data obtained during the audit, we proceed in this phase to a more thorough analysis of the servers in 'Box xxx' mode, with the aim of determining possible vulnerabilities in the operating system, its applications and services.

Analysis:

- Analyze the SSL version
- Check the encryption algorithms available for SSL
- Check the validation of digital certificates
- Verify that resources cannot be accessed through insecure channels (SSL skip)
- Parameter manipulation
- Exploitation of SQL injection vulnerabilities
- Exploitation of XPath injection vulnerabilities
- Exploitation of LDAP injection vulnerabilities
- Exploitation of CSPP (Connection String Parameter Pollution) vulnerabilities
- Exploitation of XSS (Cross-Site Scripting) vulnerabilities
- Remote command injection
- Modification of parameters
- Local and remote file inclusion (LFI and RFI)
- Search for and exploitation of path disclosure and path traversal
- Access to unauthorized directories/files
- File upload systems
- Dictionary attacks against login entries in search of weak passwords
- Web services analysis


2. SCOPE
2.1 ASSETS
SUMMARY

Type              Number
Servers           1
Web Applications  1
Total             2

Table 1. Summary of assets

SCOPE

The following are the assets within the scope of the audit.

Name             Type             Address
audit            Host
Web Application  Web Application

Table 2. Assets within the scope of the report


2.2 PROJECTS
The following are the selected audit projects, together with the time windows enabled for carrying out the tests.

No projects have been selected.


3. EXECUTIVE SUMMARY
CURRENT STATE

Below are two pie charts representing, in percentage terms, the severity of all occurrences detected in this audit and the risk to the assets defined in this project.

No occurrences found.

Graph 1. Percentage of Occurrences by Severity

No occurrences found.

Graph 2. Percentage of Occurrences by Type and Scope


3.1 DETECTED OCCURRENCES
The following table shows the number of occurrences by severity found in the audit for each of the assets.

No occurrences were found.


The following table shows the vulnerabilities found by type, grouped by vulnerability and asset, with their severity.

No occurrences found.


Below is a summary table of how many recommendations have been found in this project, together with the list of assets affected by them.

No recommendations found.


4. DETAIL OF OCCURRENCES
4.1 APPLICATION VULNERABILITIES
No occurrences found.


4.2 CONFIGURATION VULNERABILITIES
No occurrences found.


4.3 PRODUCT VERSION VULNERABILITIES
No occurrences found.


4.4 RECOMMENDATIONS
No recommendations found.


5. ANNEXES
5.1 REFERENCES
OWASP. http://www.owasp.org/
OWASP is an open community dedicated to helping organizations develop, acquire, maintain and operate secure applications.
OWASP Guide. A guide for designing, developing and deploying secure web applications and systems.
OWASP Testing Guide. A guide that defines a methodology for testing the security of web applications, focused not only on penetration testing but also on the software development life cycle, the definition of risk models and source code review.
Open Source Security Testing Methodology Manual (OSSTMM). http://www.isecom.org/
An open security testing methodology, developed by the Institute for Security and Open Methodologies (ISECOM), that combines the various security tests and metrics used by professionals during security audits.
SANS Institute references. http://www.sans.org
The SANS Institute's main objectives are to gather information on all matters related to cybersecurity and to offer training and certification in the field.
CVSS - Common Vulnerability Scoring System. http://nvd.nist.gov/cvss.cfm
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impact of IT vulnerabilities. It is a standardized scoring system for classifying IT vulnerabilities, and it helps prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of each vulnerability.
CVE - Common Vulnerabilities and Exposures. http://www.cve.mitre.org/
Provides a common nomenclature for information system vulnerabilities. The list is maintained by MITRE, and its information and nomenclature are used in the National Vulnerability Database (NVD), the United States government's repository of vulnerability information.
CAPEC - Common Attack Pattern Enumeration and Classification. http://capec.mitre.org/
Provides a list of common attack patterns according to a comprehensive scheme and a classification taxonomy. This information gives a solid understanding of the attacker's perspective and of the methods used to exploit software systems. CAPEC provides it in order to help improve security throughout the software development life cycle and to support the needs of developers, testers and educators.
CWE - Common Weakness Enumeration. http://cwe.mitre.org/
CWE provides a unified, measurable set of software weaknesses. It allows for better understanding and management of the weak points related to software architecture and design.


5.2 NOMENCLATURE
Vulnerability
An error, failure, weakness or exposure of an application, system, device or service that could compromise the confidentiality, integrity or availability of the system or of the information it handles.

Recommendation
Recommendations are not vulnerabilities in themselves, but they provide information about a possible attack that exploits one or more of the detected vulnerabilities. They help improve the security level of digital systems and assets, and they are considered best practices for protecting the organization from threats.

Occurrence
A concept used by Vamps. An occurrence is the concrete instance of a vulnerability from the Vamps dictionary that affects an asset of the organization; this avoids repetitions and homogenizes the definitions regardless of the module that detected them.

Asset
A resource of value used in a company or organization.

Threat
A circumstance or event with some probability of causing harm to an information resource by exploiting the vulnerabilities that resource has.

Risk
The probability that a threat will exploit a vulnerability and cause damage to the organization's assets.

N.I.D.
Nessus ID, the identifier of the Nessus NASL script that produced the finding.

B.I.D.
Bugtraq ID, an identifier assigned to vulnerabilities tracked in the Bugtraq vulnerability database.

O.S.V.D.B.
Open Sourced Vulnerability Database, an independent, open vulnerability database created by a group of security specialists.

C.V.E.
Common Vulnerabilities and Exposures. Provides a common nomenclature for information system vulnerabilities. The list is maintained by MITRE, and its information and nomenclature are used in the National Vulnerability Database, the United States government's repository of vulnerability information.

Common Vulnerability Scoring System or C.V.S.S.
A set of standard values for measuring the severity of a vulnerability in the security of a computer system. It establishes a series of comparative parameters for prioritizing the treatment of a vulnerability. The base vector used in this report is the CVSS version 2 base vector, which has the following format:

(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])

The letters in square brackets represent the possible values of each CVSS metric; exactly one option must be selected from each set of brackets. The letters outside the brackets are mandatory and must be included to form a valid CVSS vector. Each letter or pair of letters is an abbreviation for a CVSS metric or metric value. These abbreviations are defined below.

Metric AV = Access Vector (how remote an attacker must be to exploit the vulnerability). Possible values: L = Local, A = Adjacent Network, N = Network (remotely exploitable)
Metric AC = Access Complexity (complexity of the attack once the attacker has access). Possible values: H = High, M = Medium, L = Low
Metric Au = Authentication (level of authentication required to exploit). Possible values: N = None required, S = Single instance required, M = Multiple instances required
Metric C = ConfImpact (impact on confidentiality). Possible values: N = None, P = Partial, C = Complete
Metric I = IntegImpact (impact on integrity). Possible values: N = None, P = Partial, C = Complete
Metric A = AvailImpact (impact on availability). Possible values: N = None, P = Partial, C = Complete

NVD Vulnerability Severity Rating

The NVD, the National Vulnerability Database of the United States of America, classifies vulnerability severity from the CVSS v2 base score as follows:

A vulnerability labeled 'Low' severity has a CVSS base score of 0.0-3.9.
A vulnerability labeled 'Medium' severity has a CVSS base score of 4.0-6.9.
A vulnerability labeled 'High' severity has a CVSS base score of 7.0-10.0.

CPE
Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, platforms and packages, based on the generic syntax of Uniform Resource Identifiers (URI). CPE includes a format for defining names, a language for describing complex platforms and a method for matching systems against names.
