Last updated on 9/27/24

Present Your Work at the Closing Meeting

Prepare Your Presentation

A 30-minute subway ride to the client’s venue is just enough time to prepare the presentation for the closing meeting! Just kidding. It takes a little longer than that to write the presentation. But who knows, maybe when it’s your hundredth?

Okay, but what do you actually include in the presentation slides? Vulnerabilities? Recommendations? What else?

Both of these for sure, but that’s not all—far from it!

Like any other deliverable, the presentation must stand on its own. In other words, it must contain all the information needed to understand it. What we say only supports and presents the information in the slides, adding a little content or clarifying certain points.

Step 1: Remind Everyone of the Context

Before we start waxing lyrical about our wonderful findings, it’s a good idea to review the context. This ensures that everyone is on the same page.

Step 2: Summarize the Positive Points and Areas for Improvement

Some people will be particularly busy and will only briefly pop into the meeting. For these people, it’s a good idea to summarize the positive aspects of the application and the areas for improvement early on in the presentation.

Step 3: Present the Vulnerabilities in Order of Criticality

This is where you present:

  1. The vulnerabilities you found.

  2. The risk or exploitation scenarios.

  3. The associated recommendations.

Just like everyone else, clients have a limited attention span. Get the important messages across while they are fully focused, and leave the less critical items for later in the meeting, when their attention is likely to drift.

By the way, you don’t necessarily have to include the less important vulnerabilities in your presentation if you already have a lot to cover.

Over to You!

Instructions

In the example.com application, we found a nice CSRF vulnerability in the feature that allows doctors to issue prescriptions.

If an attacker knows the name of the drug, the prescription, and the patient information, they can get a doctor to prescribe drugs without the doctor ever knowing! For example, the attacker could prescribe controlled drugs, such as morphine or narcotics. And since the application sends the prescriptions to the patient by email, the attacker can retrieve the prescription from the patient’s inbox. Obviously, that’s not a great scenario. Can you explain this rather unusual vulnerability in a diagram to use at the closing meeting?
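To make the diagram concrete, here is an added example (not part of the course or the example.com application) that models the prescription endpoint twice: once as described above, where the session cookie alone authorises the action, and once hardened with a per-session anti-CSRF token and an Origin check. The clinic origin, field names, session and request classes are all assumptions constructed for the illustration.

```python
"""
Constructed model of a prescription endpoint, before and after CSRF hardening.
Not the course's application; all names and values here are illustrative.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

APP_ORIGIN = "https://example.com"  # assumed origin of the clinic application
REQUIRED_FIELDS = ("patient_email", "drug", "dose")


@dataclass
class Session:
    """Server-side session, looked up from a cookie the browser sends automatically."""
    doctor_id: str
    # Per-session anti-CSRF token; rendered only into the legitimate form page,
    # which an attacker's page cannot read because of the same-origin policy.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP POST that matter for this check (constructed)."""
    form: dict              # POST body fields
    origin: Optional[str]   # Origin header, set by the browser and not forgeable by a page
    session: Session        # resolved from the session cookie


def _record_prescription(req: Request, store: list) -> tuple:
    """Shared business logic: validate fields, store, and (in real life) email the patient."""
    if any(f not in req.form for f in REQUIRED_FIELDS):
        return False, "missing field"
    store.append({"doctor": req.session.doctor_id,
                  **{f: req.form[f] for f in REQUIRED_FIELDS}})
    return True, "prescription issued and emailed to patient"


def issue_prescription_vulnerable(req: Request, store: list) -> tuple:
    """Vulnerable handler: a valid session cookie is the only authorisation.
    Browsers attach that cookie to cross-site form posts too, so a POST
    triggered from an attacker-controlled page looks exactly like the doctor's own."""
    return _record_prescription(req, store)


def issue_prescription_hardened(req: Request, store: list) -> tuple:
    """Hardened handler: synchronizer token plus Origin check, both evaluated
    before any state change. Either check alone defeats the forged request."""
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "rejected: missing or invalid CSRF token"
    if req.origin != APP_ORIGIN:
        return False, f"rejected: unexpected Origin {req.origin!r}"
    return _record_prescription(req, store)


def run_demo() -> dict:
    """Replay the scenario from the exercise against both handlers."""
    session = Session(doctor_id="dr-example")
    # Constructed forged request: the attacker knows drug, dose and patient,
    # the browser adds the doctor's cookie, but the token is unknown to them.
    forged = Request(
        form={"patient_email": "patient@example.net", "drug": "morphine", "dose": "10 mg"},
        origin="https://attacker.invalid",
        session=session,
    )
    # The doctor's own submission carries the token rendered into the real form.
    legitimate = Request(
        form={**forged.form, "csrf_token": session.csrf_token},
        origin=APP_ORIGIN,
        session=session,
    )
    vulnerable_store, hardened_store = [], []
    return {
        "vulnerable_forged": issue_prescription_vulnerable(forged, vulnerable_store)[0],
        "hardened_forged": issue_prescription_hardened(forged, hardened_store)[0],
        "hardened_legitimate": issue_prescription_hardened(legitimate, hardened_store)[0],
        "vulnerable_count": len(vulnerable_store),
        "hardened_count": len(hardened_store),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

In the vulnerable handler the forged request is recorded as if the doctor had signed it; in the hardened handler it is rejected before anything is stored, while the doctor's own submission still goes through. The diagram for the closing meeting can follow the same three arrows: attacker page to doctor's browser, browser (with cookie) to the application, application to the patient's inbox.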

Solution

Present Your Work

Are your slides ready? Let the show begin! You’re all set for your one-hour presentation. Be aware that the time will pass really quickly.

Whether you found vulnerability after vulnerability or you found none, each closing meeting comes with its own set of challenges that you’ll need to overcome.

The closing meeting should never be a witch hunt to find out who made what mistake.

Sometimes, clients will have a specific idea about what they want to achieve from the meeting, such as approving a budget, decommissioning an application, or getting the business teams involved in a security initiative. If these objectives are compatible with your stance, there’s nothing to stop you from shaping your message or some of your recommendations to suit the client’s needs.

It’s therefore a good idea to restate these objectives at the start of the closing meeting. You can then carry on with the presentation as you’ve planned it.

It’s best not to rush through the summary or the positive points. Team members will be just as eager to know which areas they’ve done a good job in!

Take the time to:

  • introduce complicated topics (or topics that spark debate).

  • listen to objections, if there are any. Address them without insisting on being right or imposing your own view. Instead, try to find common ground.

If one of the meeting attendees disputes one of the vulnerabilities, you have two options:

  1. Either you have the technical evidence and refer to it during the discussion.

  2. Or you don’t have the technical evidence, or it’s not strong enough. In this case, you should suggest to the client that you can retest the vulnerability. It’s better to verify your claims than to stick to your guns without being able to prove what you’re claiming.

Before we go any further, I’d like to share with you some tips and tricks from our two experts on how to ensure that a closing meeting runs smoothly.

Collect Feedback From Your Audience

And just like that, we’ve come to the end of the assignment. Everything went well from your perspective, but what does the client think?

Ask them!

  • What was the experience like for them?

  • Was everything clear during the closing meeting?

  • Do they think they have everything they need to implement the action plan?

We don’t want the client to send us flowers; we just want to make sure that they’re satisfied with our work.

After that, suggest that you check in with them again in three months’ time to see how the action plan is progressing and to nurture the relationship.

Congratulations on completing this course! I hope I’ve taught you everything you need to know to be ready to conduct your first web penetration test.

Take Your Journey Further

You’re at the very start of your journey into the world of penetration testing. I encourage you to further develop your skills by taking our course on cyber threat intelligence and by experimenting on your own.

You can also install these applications as a virtual machine on your own computer by downloading them from the VulnHub website. This lets you practice without having to access the internet.

I also encourage you to take a look at PortSwigger’s Web Security Academy, which provides an excellent knowledge base of web vulnerabilities. Check it out if you want to dig deeper into a particular type of vulnerability.

Finally, the Root Me training platform will really push you to the limit with its challenges. The Web – Client and Web – Server categories both focus on the web—no big surprise there! You can also explore the other categories at your leisure. There are other challenge-based platforms, including OverTheWire and HackTheBox.

Let’s Recap!

  • I strongly recommend that you prepare a presentation of your work to use at the closing meeting.

  • This presentation must stand on its own. In other words, it must contain all the important information on the results of the penetration test you’ve just conducted.

  • At the very least, your presentation must include:

    • a reminder of the context.

    • an executive summary with positive and negative highlights.

    • the vulnerabilities and exploitation or risk scenarios, together with the associated recommendations.

  • If you find a very large number of vulnerabilities, you can choose to show and explain only the most important ones at the closing meeting. The less important ones will still be included in the detailed report.

  • At the closing meeting, work together with the client and their teams to build a mutual understanding. Your role is not to assign blame or find fault.

  • At the end of the meeting, you should collect immediate feedback on the assignment from the client and their teams. This will help you confirm that you haven’t missed anything. Suggest that you meet with the client in a few weeks or months, to see how the action plan is progressing.

Now that we’ve come to the end of the course, I’ll leave you with a final word from our two experts:

You still have one last quiz to take, and you can feel proud of how far you’ve come!

Example of certificate of achievement