We ask Dradis users around the fleet, "What is the single most important benefit you're getting out of using Dradis to manage your engagements?" Do you know what the answer is? They get to spend more time testing and less time reporting. Shocking, I know!
Why do so many people insist on handcrafting every single report? Why do they spend the time to rewrite the same issue descriptions and recommendations over and over (or copy/pasting them from an old report, in clear violation of the fleet's Data Protection regulations)?
Don't get me wrong, here at the fleet headquarters, we love our reports. But if I can be honest with you, there are certain sections of the standard security report that are always repetitive in nature. If you ask me, our people shouldn't be spending a single minute working on them.
But, I digress. How can your ship's shiny new Dradis unit help you spend less time reporting and more time testing? That's an excellent question! Out of the box, Dradis can generate reports in three formats for you (after signing into your Dradis instance, click "Export results" in the header):
CSV - I know, we're in the space age, but Excel never goes out of fashion.
HTML - your imagination is the limit, charts, colors, interactive sections, navigation, etc.
PDF - for a more "official looking" feel, you can't go wrong with them.
Project - Dradis also exports your project into ZIP / XML format but we won't cover this today (tomorrow's Lesson 3 deals with XML exports to create project templates, and Lesson 6 of this course is dedicated to the project archiving / backing up topic).
I don't have to remind you that in this day and age, one size rarely fits all. The export modules listed above are also implemented as "add-ons" (just like the connectors used to parse the output of security scanners that we learned about in yesterday's Lesson 1). If your team needs a slightly different output format (e.g. JSON, custom XML, etc.), you can always head to the fleet's code repositories and use the existing add-ons as a source of inspiration to write your own. We even have a step-by-step guide that walks you through the process. Should you go down that route, the Community Forums are where you'll find the other Dradis tinkerers who can help you on your journey.
All the information about Issues and Evidence from your project will be listed in this simple CSV format. Every Issue field will export into a new column of the CSV, with a new row for each host and instance of Evidence.
More information about this export add-on can be found on GitHub: dradis-csv
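Here is an added, self-contained illustration of that "one row per host and Evidence instance" layout (example code written for this lesson, not the dradis-csv add-on itself; the Issue and Evidence structs and the sample data are constructed). It also applies one caveat worth carrying into any CSV export that lands in Excel: cells starting with =, +, - or @ are interpreted as formulas by spreadsheet applications, so scanner output that happens to begin with one of those characters is prefixed with a quote before it is written.

```ruby
require 'csv'

# Constructed sample records (not from a real project). Each Issue has fields;
# each Evidence instance ties an Issue to a host.
Issue    = Struct.new(:id, :title, :rating, :description)
Evidence = Struct.new(:issue_id, :host, :output)

ISSUES = [
  Issue.new(1, 'Outdated TLS configuration', 'Medium', 'TLS 1.0 is still enabled.'),
  Issue.new(2, 'Default credentials', 'High', 'admin/admin accepted on the web console.'),
]
EVIDENCE = [
  Evidence.new(1, '10.0.0.5', 'sslscan: TLSv1.0 accepted'),
  Evidence.new(1, '10.0.0.7', 'sslscan: TLSv1.0 accepted'),
  # constructed scanner output that Excel would otherwise evaluate as a formula
  Evidence.new(2, '10.0.0.7', '=HYPERLINK("http://example.test","login")'),
]

# Spreadsheet apps treat cells beginning with = + - @ as formulas; neutralise them
# with a leading single quote so the text is displayed, not executed.
def safe_cell(value)
  s = value.to_s
  s.start_with?('=', '+', '-', '@') ? "'#{s}" : s
end

# One header row, then one row per (Issue, Evidence) pair. An Issue without
# Evidence still gets a single row with empty host/evidence columns.
def issues_to_csv(issues, evidence)
  CSV.generate do |csv|
    csv << %w[IssueID Title Rating Description Host Evidence]
    issues.each do |issue|
      rows = evidence.select { |e| e.issue_id == issue.id }
      rows = [Evidence.new(issue.id, '', '')] if rows.empty?
      rows.each do |ev|
        csv << [issue.id, issue.title, issue.rating, issue.description,
                ev.host, ev.output].map { |v| safe_cell(v) }
      end
    end
  end
end
```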
Dradis uses the ERB templating language to mix Ruby logic and HTML code. In a nutshell, you'll need to write your own ERB template and place it in the templates directory (./templates/reports/html_export). You can see a sample ERB template here: default_dradis_template_v3.0.html.erb
More information about this add-on can be found on GitHub: dradis-html_export repo or in our Guide: Creating HTML reports
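As an added example (written for this lesson, not the dradis-html_export template itself), here is a minimal ERB template rendering a constructed list of Issues, sorted by an assumed RATING_ORDER. The habit it demonstrates for your own templates: pass every Issue field through ERB::Util.h, because descriptions copied from scanner output can contain markup that would otherwise render as live HTML in the report you hand to the client.

```ruby
require 'erb'

# Constructed findings; the first description carries markup a scanner might emit.
Finding = Struct.new(:title, :rating, :description)

FINDINGS = [
  Finding.new('Missing HSTS header', 'Low', 'Strict-Transport-Security is absent.'),
  Finding.new('Reflected XSS in search', 'High', 'Payload: <script>alert(1)</script>'),
]

# Assumed severity ordering used only to sort the findings in the report.
RATING_ORDER = { 'Critical' => 0, 'High' => 1, 'Medium' => 2, 'Low' => 3 }.freeze

# Every dynamic value goes through ERB::Util.h so untrusted text is escaped.
TEMPLATE = <<~HTML
  <html><body>
  <h1>Findings (<%= findings.size %>)</h1>
  <% findings.sort_by { |f| RATING_ORDER.fetch(f.rating, 99) }.each do |f| %>
  <section class="issue">
    <h2><%= ERB::Util.h(f.title) %> [<%= ERB::Util.h(f.rating) %>]</h2>
    <p><%= ERB::Util.h(f.description) %></p>
  </section>
  <% end %>
  </body></html>
HTML

# Render the template with the findings exposed as a local variable.
def render_report(findings)
  ERB.new(TEMPLATE, trim_mode: '<>').result_with_hash(findings: findings)
end

puts render_report(FINDINGS) if $PROGRAM_NAME == __FILE__
```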
You can create high-quality, beautiful deliverables using this reporting add-on. The process is similar to the one outlined above for the HTML reporting engine. The catch is that the PDF report customization process is not as straightforward as it is for HTML reports.
Instead of using ERB templates, you'll have to use the Prawn Ruby PDF generation library. It's bundled with Dradis and the documentation is so good I wish the Dradis Academy Training Committee could claim to have written it: Prawn Manual (in a meta twist, the PDF for the manual itself is generated using Prawn, and the code is available).
Sample Prawn report generation: exporter.rb
More information about this add-on can be found on GitHub: dradis-pdf_export
The Dradis Academy archives have an in-depth look at the elements of a successful security assessment deliverable, but I'll give you the highlights:
Scope vs Goal: roughly 95% of the reports we see at fleet HQ contain a section describing the Scope of the engagement. Less than 1% of them contain any analysis of the Goal. We recommend including a section explaining why you are looking for security issues and the worst possible outcomes you're trying to uncover. Your reports will immediately stand out from the competition.
Executive summary: try to put your findings in a context that's useful to the reader. Don't just limit yourself to listing the most important findings from a technical point of view. For every sentence and conclusion you draw, ask yourself: "So what?". Why does the reader care? Why is this important in the context of the project's Goal?
Technical details: of course, this is where you'll let Dradis do all of the heavy lifting. Sit back and enjoy some automated report generation goodness!
Appendices: many teams produce opaque deliverables that contain all the technical information about the findings and the conclusions but no information about how those findings were uncovered, who uncovered them, and what tools they used. We have some suggestions for what you should include in your Appendices in today's worksheet.
Today's worksheet is short, but it will help you think about how your clients perceive the deliverable you generate for them: