Does anyone else find this report extremely verbose for what it is? Technically, I think there are some excellent findings, but… so much writing for a non-narrative report.
I didn’t really think it was too verbose, but perhaps that’s because I’m so used to reading verbose documents (the joys of enterprise software implementations…). Even if you’re not that interested in security audits, the report makes for a good read, IMHO.
I actually work in information security for large banks, government, & similar organizations; writing these sorts of reports is what puts bread on my family’s table. Even for a large international bank, I couldn’t imagine delivering a report that was this verbose in the discussion of vulnerabilities… I think my report out would mostly consist of “could you give me the gist of what’s going on?” and “so what you’re really saying is…”
In terms of technical details, this is 100% great, but the writing struck me as… long-winded.
Maybe that’s the idea however; it’s really long, and most people just get the “tl;dr”. I mean, I’ve seen reports from competitors (Cigital, Gotham Digital, FishNet, &c.) and they don’t seem to be this long either…
edit: fixed a missing ‘)’
edit 2: Also, I apologize if I come off as boorish, that wasn’t the intent! I’m just running around cooking & cleaning atm for Thanksgiving.
Perhaps the fact that they knew this report would be available to the public played a role here?
A good and detailed report of solid work like this is a rather great advertisement.
I definitely agree, and the technical detail is some of the best I’ve seen, but it feels like there’s just too much… “fluff”… writing in there. I tend towards the minimalist side internally to my company too, so it may just be that (and indeed, no one has agreed with me here! :D)