Writing Technical Documentation

-
Often in infosec we get caught up on CVEs, the latest breach, or ransomware. Unfortunately, the other half of the job (project management, documentation, etc) can sometimes get less attention. Admittedly, they don't make movies about completing the paperwork after most action films. But in the real world it's what can lose court cases or certify a company as compliant with a government regulation. 

We all wish documentation was clearer when reading it but very few enjoy writing it. I'm going to paint a broad brush here and put them all into two categories:
  1. Formal technical documentation
    • E.g. SOC reports, company policies, SIG assessments, etc.
  2. Informal technical documentation
    • E,g, the internal (or even customer facing) documentation explaining a concept or how to complete a technical task such as updating the OS version on a firewall.
I'm not a Technical Writer, but I don't find writing documentation as painful as some, and I appreciate coming across what I find to be well-written documents. Here are my thoughts on writing good documentation.

Formal Technical Documentation

Some quick tips if you're writing formal documentation (some of these are personal preference, some are fairly standard):
  • Justify text.
  • Use page numbers.
  • Use a header with a company logo when appropriate.
  • Include a title page and table of contents.
  • Use italics to introduce new terms.
  • Spell out any acronyms upon introduction with the acronym following in parenthesis if used again later in the text.
  • Be mindful of the type of document you're writing and include relevant content. For example, policies should be general in nature and procedures should include specific steps. Besides, if you have to change the steps in your procedure at any point at least you only have to update one piece of documentation!
I actually like the NSA's Cybersecurity Advisories & Guidance docs as an example (here is their 2022 Network Infrastructure Guidance), though they contain some low-level steps that would be more fitting under my definition of "information technical documentation."

Informal Technical Documentation

First, there's nothing wrong with taking all the advice from the Formal Technical Documentation section and applying it to less formal documents. But my focus here will be more on getting across technical concepts to the reader.

One of my favorite things to do is get familiar with style guides. Read through a few from prominent companies and get a feel for how they write their informal documentation. This is a good starting place and these style guides are something I often revisit. While I don't agree with everything in theirs, Microsoft has a great one that introduces a variety of ideas for writing. A couple other examples of good documentation but that have different "flows" are GitHub's API documentation and AWS's documentation.

There are no rules you have to follow, so pick a style that you like best and stick with it throughout the document (and establish it up front or in an appendix to the document if it differs from the norm). This establishes consistency in your writing. The most frequent example I see of this is in writing commands or instructing a user to perform an action. For example:

Example 1
  1. Open command prompt.
  2. Type appwiz.cpl and press enter.
  3. Choose an application to uninstall.
  4. Select uninstall.
Example 2
  1. Open Command Prompt.
  2. Type appwiz.cpl and press Enter.
  3. In Control Panel choose an application to uninstall.
  4. Select Uninstall.
Example 3
  1. Open Command Prompt.
  2. Type appwiz.cpl and press Enter.
  3. In Control Panel choose an application to uninstall.
  4. Select Uninstall.
These are three different ways of writing the same set of instructions. Example 3 provides, in my opinion, the clearest steps to follow. It capitalizes the names of applications, uses a monospace font for commands the user should input, and emphasizes other required actions using bold font.

Some other practices that help in a similar fashion:
  • If the text in a command is a placeholder it should be italicized or placed in angle brackets:
    • robocopy source destination
    • robocopy <source> <destination>
  • Optional parts of a command should be placed in square brackets:
    • robocopy source destination [/e]
Also, in informal documentation screenshots are great, but they should be used only when there may be confusion about a particular step. There is no need to take a screenshot of every single prompt, etc. Not to mention the problem with updating documentation with new screenshots when the UI of the application changes.

Diagrams, flow charts, and other visual illustrations of a concept are also great additions to technical documentation. Sometimes even with the best practices followed, a wall of text instructions will never be clearer than a visual illustration.

Final Thoughts

You can probably go through the rest of my blog and find that I haven't followed my own rules at times. But I hope what I have followed makes it easier on those in the future that read what I write.

I didn't touch on topics like making writing accessible (things like adding descriptions to screenshots or captions to videos) or styles of writing (passive vs active voice) among other things. All important topics and I encourage reading more about them.

I will take a moment here to advocate for the Oxford comma and to mention that double-spaces after a period are not necessary in any formal writing (even APA took it out of the requirements a few years ago) but shouldn't get as much hate as they do in informal writing.

Let me know if you have examples of great documentation, or maybe a practice you follow when writing documents that I haven't touched on here.




Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more