Trustwave recently launched PenTest Manager 2.0, a major enhancement of the innovative Trustwave reporting tool used by SpiderLabs team member during penetration testing. PenTest Manager 2.0 provides a significant reporting upgrade in the form of Attack Sequences. These allow for a team member to graphically link one or more vulnerabilities to represent the relationships between vulnerabilities.
Other consulting firms often generate a PDF report listing security vulnerabilities but fail to clearly illustrate how multiple findings are related - long lists of bugs don't really tell the full story. SpiderLabs often leverage multiple lower risk security vulnerabilities chained together to compromise a system, gain unauthorized access to credit cards, or escalate permission during security testing.
The new Attack Sequence reporting capabilities allows for SpiderLabs to simplify complex attack scenarios so they can be understood across all levels of the organization, from CEO to developers. Current modeling techniques such as attack and fault trees are too formal, too academic and too expensive to produce and provide high value. How well do you understand the relationship between vulnerabilities from a real-world, attacker's perspective?
