We have learned several security testing techniques and automation frameworks. Once all the security testing is done, we need to consolidate the findings and present them in a dashboard or a document to share with stakeholders. In addition to Robot Framework, which we have already demonstrated, there are other tools that can help consolidate the reports.
The screenshot shows the integration of security findings from different testing tools:
We will introduce three typical tools to achieve consolidation of security findings:
| Tools | RapidScan | OWASP DefectDojo | Serpico |
|---|---|---|---|
| Characteristics | It's a Python script that will execute several security testing tools and present the results. | It can import several open source and commercial security testing tools' reports, and present security issues in one dashboard. It can also generate a testing report document based on selected information. | It provides a list of security findings templates (security issues and mitigation suggestions). You may apply the security findings to generate a professional document. |
| Generate a document | No, output to console only | Yes, PDF or ASCII | Yes, DOC |
| Execution | Python script: `$ python rapidscan.py` | Web service: http://localhost:8000 | Web service: https://localhost:8443/ |
| Import testing results from tools | No | Yes | No |
| Manage multiple projects | No | Yes | Yes |
| License | GNU General Public License v2.0 | BSD 3-Clause | BSD 3-Clause |
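To make the "consolidation" idea in the table concrete, here is a small added example (not code from RapidScan, DefectDojo or Serpico) that parses two constructed XML reports in two hypothetical tool formats, normalizes them to one schema, merges findings that point at the same CWE and location, and summarizes them by severity the way a dashboard would. The report formats, tool names and risk mapping are all assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reports in two hypothetical tool formats (not real ZAP/Nikto output).
SCANNER_A_XML = """<report tool="scanner-a">
  <finding severity="High" cwe="79">
    <title>Reflected XSS</title><location>/search?q=</location>
  </finding>
  <finding severity="Medium" cwe="200">
    <title>Server version disclosed</title><location>/</location>
  </finding>
</report>"""

SCANNER_B_XML = """<results tool="scanner-b">
  <issue risk="3" cwe="79" url="/search?q=">Cross-site scripting</issue>
  <issue risk="1" cwe="1004" url="/login">Cookie without HttpOnly</issue>
</results>"""

# Assumed mapping from scanner-b's numeric risk to the common severity scale.
RISK_TO_SEVERITY = {"3": "High", "2": "Medium", "1": "Low"}


def parse_scanner_a(xml_text):
    """Normalize scanner-a findings into the common schema."""
    root = ET.fromstring(xml_text)
    return [{"tool": root.get("tool"), "cwe": f.get("cwe"), "severity": f.get("severity"),
             "title": f.findtext("title"), "location": f.findtext("location")}
            for f in root.iter("finding")]


def parse_scanner_b(xml_text):
    """Normalize scanner-b issues into the same schema, translating risk to severity."""
    root = ET.fromstring(xml_text)
    return [{"tool": root.get("tool"), "cwe": i.get("cwe"), "severity": RISK_TO_SEVERITY[i.get("risk")],
             "title": i.text, "location": i.get("url")}
            for i in root.iter("issue")]


def consolidate(findings):
    """Merge findings reported by several tools for the same CWE at the same location."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        if key in merged:
            merged[key]["tools"].add(f["tool"])  # same issue seen by another tool
        else:
            merged[key] = {k: v for k, v in f.items() if k != "tool"}
            merged[key]["tools"] = {f["tool"]}
    return list(merged.values())


def severity_summary(merged):
    """Count consolidated findings per severity, e.g. for a dashboard widget."""
    return dict(Counter(f["severity"] for f in merged))
```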
In addition to OWASP DefectDojo, the following penetration testing reporting tools may also be considered. They allow penetration testers to import the security testing output (XML) from various security testing tools:
- FaradaySEC
- Jackhammer
- Dradis Framework
- ArcherySec