Saturday, 19 May 2012

Reporting automation

I'm a big fan of automation: computers were created to take over repetitive, annoying tasks.

One of my favourite subjects, and one I still haven't cracked, is reporting automation. Building reports automatically is, in my opinion, really important for the following reasons:
  •  remediation is often the same for a given finding and can be improved automatically (for example, naming the PHP functions to use for a directory traversal on a PHP website instead of only giving generic advice on preventing directory traversal),
  •  you can prevent some common mistakes, like a wrong risk rating for an XSS when the HttpOnly flag is set,
  •  you can create pretty graphs,
  •  you can keep statistics on your findings,
  •  and mostly, you can save time.

So far, I have found five solutions and can't make up my mind about which one is best:

  •  LaTeX (known as the masochistic solution). Using LaTeX to generate a PDF is probably the solution that produces the prettiest reports, but it is also the most painful one, and it's not easy for people coming on board.
  •  Markdown -> HTML -> PDF using WebKit. This is what I'm currently using for Pentesterlab's courses. It looks pretty nice and almost everything is done with CSS (i.e. you can get a web designer to work on it), so you can get pretty reports.
  •  Markdown -> HTML -> PDF using Prince. Same as above, but you have to pay for Prince. However, I think the result will be a bit better (Prince's PDF export is better than WebKit's).
  •  OpenOffice automation using Java/Python. Unfortunately, I have really bad memories of OpenOffice, and sometimes the result does not open perfectly in Word.
  •  Word automation using C#. Probably the best solution, since you end up with a real Word document, but I don't really like the toolchain and don't want to spend a few days/weeks in Visual Studio on Windows.
Even if they seem more annoying, the first three solutions have a really big advantage in my opinion: you can easily keep track of changes using git/svn/... since you aren't handling binary files (only the Markdown/LaTeX sources need to be committed; the PDF can always be rebuilt from them). However, you need to use aspell instead of the Word/OpenOffice spell checker.
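As an added example (not the post's or Pentesterlab's own tooling), here is the front half of such a pipeline in Python: findings described as data, remediation picked per technology (the PHP-specific advice for a traversal on a PHP site instead of the generic text), a rating consistency check for an XSS when the session cookie is HttpOnly, and per-severity statistics, all rendered to Markdown ready for the Markdown -> HTML -> PDF step. The sample findings, the remediation texts and the HttpOnly downgrade rule are constructed for illustration and are assumptions, not something the post prescribes.

```python
"""Findings -> Markdown report generator (added example, not the post's tooling).

Assumptions (not from the post): findings are a list of dicts, remediation text
is keyed by (finding type, technology), and the HttpOnly rule in adjust_rating()
is a hypothetical house rule. The Markdown produced is the input to a
Markdown -> HTML -> PDF pipeline like the one the post describes.
"""
from collections import Counter

# Constructed sample findings; not real assessment data.
FINDINGS = [
    {"id": "F-1", "type": "directory_traversal", "title": "Directory traversal in /download",
     "severity": "High", "tech": "php", "context": {}},
    {"id": "F-2", "type": "xss", "title": "Reflected XSS in /search",
     "severity": "High", "tech": "php", "context": {"session_cookie_httponly": True}},
    {"id": "F-3", "type": "xss", "title": "Stored XSS in user profile",
     "severity": "High", "tech": "java", "context": {"session_cookie_httponly": False}},
]

# Remediation templates keyed by (type, tech). "generic" is the fallback; the
# technology-specific entry names the actual functions to use.
REMEDIATION = {
    ("directory_traversal", "generic"):
        "Validate the requested file name against an allow-list and canonicalise "
        "the path before opening it.",
    ("directory_traversal", "php"):
        "Reduce the user-supplied value to a file name with `basename()` and check "
        "with `realpath()` that the result still lies inside the intended directory.",
    ("xss", "generic"):
        "Encode user-controlled data at output time with the encoding that matches "
        "the context (HTML body, attribute, JavaScript).",
    ("xss", "php"):
        "Encode output with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` before "
        "echoing it into HTML.",
}


def remediation_for(finding):
    """Prefer the technology-specific remediation, fall back to the generic one."""
    specific = REMEDIATION.get((finding["type"], finding["tech"]))
    return specific if specific is not None else REMEDIATION[(finding["type"], "generic")]


def adjust_rating(finding):
    """Apply a consistency rule to the tester's rating; returns (severity, note).

    Hypothetical house rule: an XSS rated High on the strength of session
    hijacking is lowered to Medium when the session cookie is HttpOnly, because
    script cannot read the cookie. HttpOnly does not remove other XSS impact
    (actions performed in the victim's browser), so the note asks the tester to
    re-justify a High rating rather than silently keeping it.
    """
    severity = finding["severity"]
    if (finding["type"] == "xss" and severity == "High"
            and finding["context"].get("session_cookie_httponly")):
        return "Medium", ("Rating lowered from High to Medium: the session cookie is "
                          "HttpOnly, so cookie theft is not possible; raise it back "
                          "only if another High impact is demonstrated.")
    return severity, None


def build_report(findings):
    """Render findings to Markdown and return (markdown_text, severity_counts)."""
    rated = [(f, *adjust_rating(f)) for f in findings]
    counts = Counter(sev for _, sev, _ in rated)
    lines = ["# Findings", "", "## Summary", "", "| Severity | Count |", "|---|---|"]
    for sev in ("Critical", "High", "Medium", "Low", "Info"):
        if counts[sev]:
            lines.append(f"| {sev} | {counts[sev]} |")
    for f, sev, note in rated:
        lines += ["", f"## {f['id']}: {f['title']}", "", f"**Severity:** {sev}"]
        if note:
            lines += ["", f"> {note}"]
        lines += ["", "**Remediation:** " + remediation_for(f)]
    return "\n".join(lines) + "\n", dict(counts)


if __name__ == "__main__":
    markdown, counts = build_report(FINDINGS)
    print(markdown)
```

Piping the output through the Markdown-to-HTML converter and then WebKit or Prince gives the PDF; because the input is plain text, the findings file, the remediation templates and the generated Markdown all diff cleanly in git.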

Any thoughts/ideas on this?


Anna Polina said...

Markdown -> LaTeX -> PDF using Multimarkdown.

PDF example:

You can use the original Markdown syntax or the more complete MultiMarkdown syntax. What do you think about that?

Louis Nyffenegger said...

It seems to be a really cool project and, to be honest, I think LaTeX creates the prettiest reports.

However, doing Markdown -> HTML -> PDF allows people to modify the HTML before rendering the PDF. You can do the same with LaTeX, but I think HTML is way easier to modify than LaTeX for the average human ;)
Another thing is that it's easier to ask a designer to make a pretty template for HTML reports than for LaTeX reports.

Still an amazing project, and I will use it for my submissions to conferences that ask for a LaTeX paper ;)