Infosec_Reference/Draft/Docs_and_Reports.md

Documentation & Reporting

---

Table of Contents

• Writing
  • Other materials
  • Writing a Paper
  • Technical Writing
  • Writing RFCs
  • Software Design Documentation/Functional Specifications
  • Writing a Blogpost
  • Language
  • Taking Notes
  • Tools
  • Note Taking/Management Software
    • Text Sharing
    • Diagramming Tools
    • Manual Publishing
    • Documentation Browsers
  • Writing Reports
    • report Examples/Samples
    • Writing a Penetration Test Report
    • Writing an Request for Proposal
    • Templates
  • Writing Technical Documentation
  • Writing a Playbook
  • Meta
    • Latex
    • Markdown
    • Tools
  • [Poc - Documentation
  • Import/Export from Tools(Dumping data from tools into more readable/usable formats
  • Graphing/Visualization Tools
• [De/Briefing & Presenting
  • 101
  • General
  • Talks
  • Tools
• Penetration Testing Collaboration
• Video Documentation
• Disclosure

---

To Do: * Add Note taking methods

---

Start Here

• How I read a research paper
• Writing
  • Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
    • A beginners guide to writing documentation
    • Teach, Don’t Tell
    • How to Write Papers So People Can Read Them - Derek Dreyer
  • Other Materials
    • Politics and the English Language - George Orwell
    • Tips for Writing Better Infosec Job Descriptions
    • Learning the Ropes 101: Stay Beautiful, Stay Verbose
    • Three parter from jacobian.org:
      • What to write
      • Technical Style
      • Editors
    • The Ultimate Workflow for Writers Obsessed with Quality - Rob Hardy
    • A Few 80/20 Tips for Writing - syften.com
    • How To Write Like It’s Your Job - Bria Hughes(BSidesSF2020)
      • Good presentation on increasing your general writing ability.
    • Reporting And Writing Basics - Reuters Handbook of Journalism(2018)
    • Subjectivity in writing and evaluating writing - jakeseliger.com
  • Writing a Paper
    • How to write a great research paper - Simon Peyton Jones
  • Technical Writing
    • Writing Types of User Documentation
    • The 7 Rules for Writing World Class Technical Documentation
    • Teach Technical Writing in Two Hours per Week
    • Learn Technical Writing in Two Hours per Week - Norman Ramsey
    • writingfordevelopers
    • Microsoft Writing Style Guide
    • Notes on Technical Writing - Marcus Kazmierczak
    • SANS 10 Cybersecurity Writing Mistakes(Videos)
    • Writing Tips for IT Professionals - Lenny Zeltser
    • Tech Writing Handbook - Kyle Wiens, Julia Bluff(iFixit)
      • This handbook will teach you how to create everything from manuals to work instructions. We’ll help you avoid the most common pitfalls of tech writing, from poor planning to outdated publishing.
    • Technical Writing Courses - Google
      • "This collection of courses and learning resources aims to improve your technical documentation. Learn how to plan and author technical documents. You can also learn about the role of technical writers at Google."
    • Learning Technical Writing Using the Engineering Method - Norman Ramsey(2016)
      • "This booklet explains how to study technical writing in the context of a weekly group. If nothing else, a group will show you that you are not alone in your difficulties. Problems you may have are problems that others also have, and you can find similar problems even in published papers. But we do not emphasize problems; instead we emphasize useful principles and practices—engineering heuristics—that you can learn to apply to your own manuscripts."
    • Technical Writing Courses - Google
      • "This collection of courses and learning resources aims to improve your technical documentation. Learn how to plan and author technical documents. You can also learn about the role of technical writers at Google."
  • Writing RFCs
    • RFC 3552: Guidelines for Writing RFC Text on Security Considerations
  • Software Design Documentation/Functional Specifications
    • How to Write an Analysis & Design Document for a Software - Jackie Lohrey
    • Islandora Software Design Documents
    • Painless Functional Specifications – Part 1: Why Bother? - JoelonSoftware
      • Part 2: What’s a Spec? - JoelonSoftware
      • Part 3: But… How? - JoelonSoftware
      • Part 4: Tips - JoelonSoftware
    • whattimeisit.com - JoelonSoftware
      • Functional Specification Example
    • Controlling Your Environment Makes You Happy - JoelonSoftware
      • Should be read in conjunction with the above link.
    • Design Docs at Google - Malte Ubi(2020)
    • Why Writing Software Design Documents Matters - Chris Fox
    • How to Write an Effective Design Document - Scott Hackett
    • How to write a good software design doc - Angela Zhang
      • Be sure to read the first comment by John Rote
    • Creating A Great Design Document - Tvzi Freeman(1997)
    • A beginner’s guide to writing documentation - writethedocs.org
    • How To Write Software Design Documents - Syed Ahmed
  • Writing a Blogposts
    • Your Boss Wants You to Write Pentest Blog Posts... Now What? - Daniel Sandau
• Language
  • Bishop Fox Cybersecurity Style Guide
• Taking Notes
  • My Forensic and Incident Response Note Taking Methodology - IronMoon
• Tools
  • I Highly, Highly(!), recommend using a git system for note storage/usage. Versionioning, date checkins, history of edits, can have multiple versions split across different areas and merge them nicely without conflict... Pretty sweet stuff.
  • Mark
    • tool for syncing your markdown documentation with Atlassian Confluence pages.
  • Note Taking/Management Software
    • leaps - shared text editing in Golang
      • Leaps is a service for hosting collaboratively edited documents using operational transforms to ensure zero-collision synchronization across any number of editing clients.
    • Anno
      • Anno is a local, browser-based user interface on top of Markdown files in a given directory. It makes writing, organizing, and searching through those files easy. That's it. There are many benefits to this approach:
    • Zim(Desktop Wiki)
      • Zim is a graphical text editor used to maintain a collection of wiki pages. Each page can contain links to other pages, simple formatting and images. Pages are stored in a folder structure, like in an outliner, and can have attachments. Creating a new page is as easy as linking to a nonexistent page. All data is stored in plain text files with wiki formatting. Various plugins provide additional functionality, like a task list manager, an equation editor, a tray icon, and support for version control.
    • Dnote
      • Dnote is a lightweight personal knowledge base. The main design goal is to keep you focused by providing a way of swiftly capturing new information without having to switch environment. To that end, you can use Dnote as a command line interface, browser extension, web client, or an IDE plugin.
    • cherrytree
      • A hierarchical note taking application, featuring rich text and syntax highlighting, storing data in a single xml or sqlite file.
    • Joplin
      • Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. The notes are searchable, can be copied, tagged and modified either from the applications directly or from your own text editor. The notes are in Markdown format.
    • Trilium Notes
      • Trilium Notes is a hierarchical note taking application with focus on building large personal knowledge bases.
    • mdBook
      • mdBook is a utility to create modern online books from Markdown files.
    • Notable
      • The Markdown-based note-taking app that doesn't suck.
  • Text Sharing
    • Published
      • BookStack
        • BookStack is a simple, self-hosted, easy-to-use platform for organising and storing information.
    • Live
      • Cryptpad
        • CryptPad is the Zero Knowledge realtime collaborative editor.
      • codimd
        • CodiMD lets you collaborate in real-time with markdown. Built on HackMD source code, CodiMD lets you host and control your team's content with speed and ease.
    • Pastes
      • PrivateBin
        • PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.
  • Diagramming Tools
    • Mermaid
      • Generation of diagram and flowchart from text in a similar manner as markdown
    • PlantUML
      • PlantUML is used to draw UML diagrams, using a simple and human readable text description.
  • Manual Publishing
    • Ronn
      • Ronn builds manuals. It converts simple, human readable textfiles to roff for terminal display, and also to HTML for the web. The source format includes all of Markdown but has a more rigid structure and syntax extensions for features commonly found in manpages (definition lists, link notation, etc.). The ronn-format(7) manual page defines the format in detail.
  • Documentation Browsers
    • Zeal
      • Zeal is a simple offline documentation browser inspired by Dash.
• Writing Reports
  • Report Examples/Samples
    • Public penetration testing reports
      • Curated list of public penetration test reports released by several consulting firms and academic security groups
    • Penetration tests done by cure53, good examples of how a report should be done.
    • Offensive Security 2013 Demo report
    • Project TJ-JPT
      • "This repo contains my pentesting template that I have used in PWK and for current assessments. The template has been formatted to be used in Joplin"
  • Writing a Penetration Test Report
    • Articles
      • Writing a Penetration Testing Report by SANS
      • Penetration Testing Execution Standard section on Reporting
      • Tips for Creating an Information Security Assessment Report Cheat Sheet
      • HowTo: Write pentest reports the easy way
      • The Penetration Testing Report - websecuritywatch
      • Excellent blog post breaking down the various parts, a must read
      • Your Reporting Matters: How to Improve Pen Test Reporting - Brian B. King
        • Video Presentation
      • LTR101: Writing or Receiving Your First Pentest Report - Andy Gill
      • Security Assessment Report as a Critique, Not Criticism - Lenny Zeltser(2019)
    • Talks
      • Hack for Show, Report for Dough - Brian B. King(WWHF 2018)
        • The fun part of pentesting is the hacking. But the part that makes it a viable career is the report. You can develop the most amazing exploit for the most surprising vulnerability, but if you can't document it clearly for the people who need to fix it, then you're just having fun. Which is fine! But if you want to make a career out of it, your reports need to be as clear and useful as your hacks are awesome. This talk shows simple techniques you can use to make your reports clear, useful, and brief. You'll see some before-and-after examples of a bad report made good, with clear explanations of what makes the difference. Those things will be useful no matter what tools you use to create reports. Then, if we have time, we'll look at some Microsoft Word hacks that will save you time and improve consistency.
    • Tools that can help
      • I <3 Reporting -
        • Reporting Tips for Penetration Testers
  • Writing an Request for Proposal
    • security-assessment-rfp-cheat-sheet
  • Templates
    • Report Template from vulnerabilityassessment.co.uk
    • SANS InfoSec Policy Templates
• Writing Technical Documentation
  • The Elements Of Style: UNIX As Literature - Thomas Scoville
  • What nobody tells you about documentation - Daniele Procida
  • Minimalism - Hans Van Der Meij
    • Writeup on the 'Minimalist' approach to technical documentation
• Writing a Playbook
  • PlayBooks
    • PlayBooks is a project i've build to ease the creation of knowledge playbooks for different scenarios. Create your own Markdown playbooks for whatever scenario you usually encounter, from development tasks to a full RedTeam rundown.
• Meta
  • LaTex
  • Markdown
    • 101
      • What is Markdown?
      • Markdown Syntax
      • Markdown basics
    • Using
      • Markdown For Penetration testers & Bug-bounty hunters - enciphers
      • Using markdown
      • Mastering Markdown
    • Tools
  • Tools
    • vim-wordy
      • wordy is not a grammar checker. Nor is it a guide to proper word usage. Rather, wordy is a lightweight tool to assist you in identifying those words and phrases known for their history of misuse, abuse, and overuse, at least according to usage experts.
    • tldr
      • A collection of simplified and community-driven man pages.
    • CyberSecurity Style Guide Dictionary file(cyber.dic)
      • This is the companion dictionary of the Cybersecurity Style Guide. The cyber.dic dictionary file can be added to your word processor to augment its standard spellcheck list. This is a resource for anyone who regularly writes about tech and is not a fan of the red underline that plagues any highly technical document.
    • Scanning reports to tabular (sr2t)
      • This tool takes a scanning tool's output file, and converts it to a tabular format (CSV, XLSX, or text table). This tool can process output from the following tools: Nmap (XML); Nessus (XML); Nikto (XML); Dirble (XML); Testssl (JSON); Fortify (FPR)
    • Bullets To Table
      • Convert a bullet list into a table
• PoC Documentation
  • CaptureIT
    • CaptureIT can generate GIFs of both the actively selected window or your entire desktop
  • Peek
    • Peek makes it easy to create short screencasts of a screen area. It was built for the specific use case of recording screen areas, e.g. for easily showing UI features of your own apps or for showing a bug in bug reports. With Peek, you simply place the Peek window over the area you want to record and press "Record". Peek is optimized for generating animated GIFs, but you can also directly record to WebM or MP4 if you prefer. Peek is not a general purpose screencast app with extended features but rather focuses on the single task of creating small, silent screencasts of an area of the screen for creating GIF animations or silent WebM or MP4 videos. Peek runs on X11 or inside a GNOME Shell Wayland session using XWayland.
  • flameshot
    • Powerful yet simple to use screenshot software
• Import/Export from Tools(Dumping data from tools into more readable/usable formats
  • Articles/Blogposts/Writeups
    • Exporting Nessus Results into a Database - Eddie Zhang
    • Nessus CSV Parser and Extractor
    • Read .nessus file into Excel (with Power Query)(2016)
      • Read a .nessus file (hosts properties, vulnerability and compliance scan results) into excel.
  • Tools
    • Nessus Professional Database Export
      • Script to export Nessus results to a relational database for use in reports, analysis, or whatever else.
    • nessusporter
      • Easily download entire folders of Nessus scans in the format(s) of your choosing. This script uses provided credentials to connect to a Nessus server and store a session token, which is then used for all subsquent requests.
    • pynessus
      • Python Parser for Nessus Output
    • VULNREPO
      • VULNRΞPO - Free vulnerability report generator and repository end-to-end encrypted, security report maker, vulnerability report builder. Complete templates of issues, CWE, CVE, AES encryption, Nessus/Burp/OpenVAS issues import, Jira export, TXT/HTML/PDF report, attachments, automatic changelog and statistics, vulnerability management.
• Graphing/Visualization Tools
  • Tools
    • markmap
      • Markmap is a javascript component that will visualize your markdown documents as mindmaps. It is useful for better navigation and overview of the content.
      • Example
    • markmap-lib
      • Visualize your Markdown as mindmaps.
    • Graphviz
      • Graphviz is open source graph visualization software. Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.
    • Diagram.codes
    • Describe your diagrams with a simple text language and automatically generate an image you can export.
    • REAL WORLD PlantUML

---

De/Briefing & Presenting

• 101
  • Debriefing: A Simple Tool to Help Your Team Tackle Tough Problems
  • Sample Debriefing Statement - Albion College
• General
  • Debriefing Facilitation Guide: Leading Groups at Etsy to Learn from Accidents - Etsy
  • Presentation Tips for Technical Talks - SheHacksPurple
  • Make your PowerPoint presentations accessible to people with disabilities - support.office.com
    • This topic gives you step-by-step instructions to make your PowerPoint presentations accessible to people with disabilities.
• Talks
  • ‘Thought Leader’ gives talk that will inspire your thoughts | CBC Radio (Comedy/Satire Skit)
    • Self proclaimed “thought leader,” Pat Kelly gives his talk on “thought leadership” at the annual This Is That Talks in Whistler, B.C. In the seminar, Kelly covers: How to talk with your hands, how to get a standing ovation, and how to inspire people by saying nothing at all.
    • I feel this is valuable for identifying the pattern and flow used. Note the individual does not say anything of value, but is able to capture the audience and not break the flow of his presentation, again, without saying anything of value. A Real Business Proffessional™
  • A presentation or presentations because presenting - Jason Blanchard - Derbycon7
  • How To Speak by Patrick Winston(MIT)
    • Patrick Winston's How to Speak talk has been an MIT tradition for over 40 years. Offered every January, the talk is intended to improve your speaking ability in critical situations by teaching you a few heuristic rules.
• Tools
  • A Project Post Mortem Template - brolik.com
  • Chart.xkcd
    • Chart.xkcd is a chart library that plots “sketchy”, “cartoony” or “hand-drawn” styled charts.

---

Penetration Testing Collaboration

• Collaboration Tools
  • Kvasir
    • Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure.
  • Dradis
    • Dradis is an open source collaboration framework, tailored to InfoSec teams.
  • Faraday
    • Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
  • Lair
    • Lair is a reactive attack collaboration framework and web application built with meteor.
  • envizon
    • "We use envizon for our pentests in order to get an overview of a network and quickly identify the most promising targets. The version 3.0 introduce new features such as screenshotting web services, organizing vulnerabilities or generating reports with custom docx templates."
• Documenation Tools
  • DART
    • DART is a test documentation tool created by the Lockheed Martin Red Team to document and report on penetration tests, especially in isolated network environments.
  • Serpico
    • Serpico is a penetration testing report generation and collaboration tool. It was developed to cut down on the amount of time it takes to write a penetration testing report.
  • Vulnreport
    • Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that takes up security engineer's time. The platform is built to support automation at every stage of the process and allow customization for whatever other systems you use as part of your pentesting process.
  • Ghostwriter
    • Ghostwriter is a Django project written in Python 3.7 and is designed to be used by a team of operators. The platform is made up of several Django apps that own different roles but work together. See the Wiki for more information.
    • Wiki
    • Introducing Ghostwriter - Christopher Maddalena
  • sh00t
    • sh00t is a task manager to let you focus on performing security testing. Provides To Do checklists of test cases and helps to create bug reports with customizable bug templates
• Video Recording/Visual Documentation
  • Open Broadcaster Software OBS
    • Open Broadcaster Software is free and open source software for video recording and live streaming. Cross Platform, Windows/OsX/Linux
  • Cryptoshot
    • This application will make a screenshot of the desktop. If the desktop consists of multiple monitors, it should still work fine. However it has only been tested with a dual monitor setup. The windows project has the added functionality of sending the screenshot to a server of your choosing.
  • Record terminal sessions and have the ability to replay it
  • Pocuito
    • A tiny chrome extension to record and replay your web application proof-of-concepts. Replaying PoCs from bug tracker written steps is a pain most of the time, so just record the poc, distribute and replay it whenever necessary without much hassle.
  • kap * An open-source screen recorder built with web technology
  • CrScreenshotDxe
    • UEFI DXE driver to take screenshots from GOP-compatible graphic console
  • ScreenToGif
    • ScreenToGif allows you to record a selected area of your screen, edit and save it as a gif or video
• Sample/Template Documents
  • Pentest/Red Team Offering Documents - mubix

---

Disclosure

• 101
  • OWASP Vulnerability Disclosure Cheat Sheet
  • NCSAM: Coordinated Vulnerability Disclosure Advice for Researchers
  • Protecting Your Sources When Releasing Sensitive Documents
  • Good comparison of various forms of disclosure
  • Threatbutt irresponsible disclosure policy
  • The CERT Guide to Coordinated Vulnerability Disclosure - Allen Householder
• CVE
  • Request a CVE ID
  • My first CVE-2016-1000329 in BlogPHP
• Dealing with the press/journalists:
  • Hacking the media for fame/profit talk
• History
  • Coordinated Vulnerability Disclosure: Bringing Balance to the Force - blogs.technet
  • Full disclosure (computer security) - Wikipedia
  • Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea' - Bruce Schneier
  • Responsible Disclosure is Wrong
• How-To
  • How to Disclose or Sell an Exploit - DEF CON 21 - James Denaro
  • How to Disclose an Exploit Without Getting in Trouble DEF CON 22 - Jim Denaro and Tod Beardsley
• Articles/Blogposts/Writeups
  • Ethical dilemmas with responsible disclosure - Ken Munro(2020)
• Talks/Presentations/Videos
  • Selling 0-Days to Governments and Offensive Security Companies - Maor Shwartz(BHUSA2019)
    • Selling 0-days is a fascinating process that not a lot of people are familiar with. This talk will discuss a vulnerability brokerage company called Q-recon and provide a glimpse of how this market works. In the presentation, questions will be answered from three different angles: researcher, broker and client
• Tools
  • Portcullis Computer Security Co-ordinated Disclosure Toolkit
  • Clean writeup of Full-Disclosure release policy that is more similar to Coordinated Disclosure.