One of my favorite subjects that I still haven't cracked is reporting automation. Building reports automatically is in my opinion really important for the following reasons:
- remediation is often the same for a given finding and can automatically be improved (like putting the PHP function for a directory traversal on a PHP website instead of just generic prevention for directory traversal)
- you can prevent some usual mistakes: like bad risk rating of XSS if the HttpOnly flag is set,
- you can create pretty graphs,
- you can keep statistics on your findings,
- and mostly, you can save time.
So far, I found 5 solutions and can't make up my mind about which one is the best:
- LaTeX (known as the masochistic solution). Using LaTeX to generate a PDF is probably the solution that will create the prettiest reports but is also the most painful one... and it's not really easy for people coming on board.
- Markdown -> HTML -> PDF using Webkit, this is what I'm currently using for Pentesterlab's courses. It looks pretty nice and pretty much everything is done by CSS (i.e. you can get a web designer to work on it) so you can get the pretty reports.
- Markdown -> HTML -> PDF using Prince, same as above but you have to pay for Prince. However I think the result will be a bit better (Prince's export to PDF is better than Webkit's).
- Open Office automation using Java/Python. Unfortunately, I have really bad memories with Open Office and sometimes the result in Word is not perfect.
- Word automation using C#. Probably the best solution since you have a real Word document at the end but I don't really like the tool chain and don't want to spend a few days/weeks in Visual Studio/Windows.
Any thoughts/ideas on this?
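As an added example that is not part of the original post, here is a stdlib-only Python sketch of the first three points above (technology-specific remediation text, a sanity check that flags an XSS rated High when the session cookie is HttpOnly, and per-risk statistics), rendering findings to the HTML stage of the Markdown -> HTML -> PDF pipeline. The remediation library, the `Finding` fields, the `session_cookie_httponly` context key and the sample findings are all constructed for the illustration; the HTML -> PDF step (Webkit or Prince) is left to the existing tool chain.

```python
"""Added example: finding-to-HTML report generator with remediation lookup
and rating sanity checks (constructed illustration, not the post's code)."""
import html
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed remediation library keyed by (finding type, technology).
# A technology-specific entry wins over the generic one; None is the fallback.
REMEDIATION = {
    ("directory_traversal", "php"):
        "Resolve the user-supplied path with realpath() and reject it unless "
        "the result starts with the intended base directory; use basename() "
        "when only a file name is expected.",
    ("directory_traversal", None):
        "Canonicalise the requested path and reject any path that resolves "
        "outside the intended base directory.",
    ("xss", None):
        "Encode output for the HTML context it is written into and deploy a "
        "Content-Security-Policy.",
}

RISK_LEVELS = ("Low", "Medium", "High")


@dataclass
class Finding:
    title: str
    kind: str                                    # key into REMEDIATION, e.g. "xss"
    risk: str                                    # one of RISK_LEVELS
    technology: Optional[str] = None             # e.g. "php"; None if unknown
    context: dict = field(default_factory=dict)  # extra facts, e.g. cookie flags


def pick_remediation(finding: Finding) -> str:
    """Most specific remediation text on file for this finding."""
    specific = REMEDIATION.get((finding.kind, finding.technology))
    if specific:
        return specific
    return REMEDIATION.get((finding.kind, None), "TODO: write remediation manually.")


def rating_warnings(finding: Finding) -> list:
    """Flag common rating mistakes; the tester decides, nothing is changed silently."""
    warnings = []
    if finding.risk not in RISK_LEVELS:
        warnings.append(f"unknown risk level {finding.risk!r}")
    if (finding.kind == "xss" and finding.risk == "High"
            and finding.context.get("session_cookie_httponly")):
        warnings.append("XSS rated High although the session cookie is HttpOnly: "
                        "session theft via document.cookie is not possible, re-check the rating")
    return warnings


def risk_statistics(findings) -> dict:
    """Counts per risk level in a fixed order, ready for a chart or summary table."""
    counts = Counter(f.risk for f in findings)
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def render_html(findings) -> str:
    """Render findings to HTML; every piece of tester-supplied text is escaped."""
    stats = risk_statistics(findings)
    rows = "".join(f"<tr><td>{level}</td><td>{n}</td></tr>" for level, n in stats.items())
    sections = []
    for f in findings:
        warn = "".join(f"<p class='warning'>{html.escape(w)}</p>" for w in rating_warnings(f))
        sections.append(
            f"<section><h2>{html.escape(f.title)}</h2>"
            f"<p>Risk: {html.escape(f.risk)}</p>{warn}"
            f"<h3>Remediation</h3><p>{html.escape(pick_remediation(f))}</p></section>"
        )
    return ("<html><body><h1>Findings</h1><table>" + rows + "</table>"
            + "".join(sections) + "</body></html>")


# Constructed sample findings (not real engagement data).
SAMPLE_FINDINGS = [
    Finding("Directory traversal in /download.php", "directory_traversal", "High", "php"),
    Finding("Reflected XSS in search <script>", "xss", "High",
            context={"session_cookie_httponly": True}),
]

if __name__ == "__main__":
    print(render_html(SAMPLE_FINDINGS))
```

The HTML this produces is the input to whichever PDF engine is chosen; the statistics dict is what a chart library or a CSS-only bar chart would consume. Keeping the HttpOnly check as a warning rather than an automatic downgrade matters because the flag only removes one impact of XSS (cookie theft), not the others.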