After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?
Trap 1: List the CVSS score and exploitability metrics
CVSS scores are technical and may not effectively communicate business impact to non-technical executives.
Trap 2: Provide the raw log entries showing the exploitation
Raw logs are too detailed for an executive summary and do not directly convey business impact.
Trap 3: Recommend a specific patch version
Patch recommendations belong in the technical remediation section, not the executive summary.
- A: List the CVSS score and exploitability metrics
  Why wrong: CVSS scores are technical and may not effectively communicate business impact to non-technical executives.
- B: Describe the attack scenario and potential financial loss
  Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.
- C: Provide the raw log entries showing the exploitation
  Why wrong: Raw logs are too detailed for an executive summary and do not directly convey business impact.
- D: Recommend a specific patch version
  Why wrong: Patch recommendations belong in the technical remediation section, not the executive summary.