The Dradis Academy Training Committee and I would like to personally thank you for the time you're taking to make the most of your ship's shiny new Dradis unit. If more vessels around the fleet took their mission as seriously as you do, we'd be in a much better position.
Today, we're exploring the concepts that always trip up your colleagues when working out there in the field: missing steps, forgetting checks, and lacking standardization of the basic mission protocols.
We're not advocating that you run your assignments like a Cylon robot - following the checklist to the letter and doing nothing else. Quite the opposite! Here at the Academy, we're firm believers that having a checklist outlining the basic standard procedures for each engagement type increases your chances of engaging in creative hacking. And why are we all doing what we're doing if it is not to find more opportunities to engage in creative hacking?
The idea is simple: bring checklists to your project workflow. Pilots have pre-flight checklists, CIC operators have checklists, the engineers that repair our ships have checklists, so why shouldn't we?
The main benefit of a checklist is that it removes the burden of having to remember every task and check you want to perform for every technology and for every project type you and your crew engage in. Once you get the information listed out in checklist form, you don't have to think about the process, just follow the list.
Getting the checklist out of your head and into your Dradis unit has several benefits:
You can improve the checklist over time, adding great new ideas and pruning the items that are no longer relevant.
You can refine and expand what originally seemed to be simple checks once you gain a better understanding of the underlying technologies or once nuances become apparent.
You can quickly cover all the bases without second-guessing yourself or fearing that you've missed a critical step.
And what better way to drive consistency than by having a checklist of the tasks you want to perform in the same interface you're using to take your notes?
Download some of the testing methodologies linked at the bottom of the Dispatch or create your own checklists. This will be a huge step in the right direction to: a) ensure you never forget any steps; b) increase the consistency and quality of every single project you deliver.
./templates/methodologies/
Click over to the "Methodologies" section in the sidebar. There you'll see the list of methodologies loaded into your Dradis instance and you'll be able to add / edit / delete checklists associated with your current project.
Methodologies can be high-level (e.g. Project Management methodology with tasks like: 1. Gather scope; 2. Verify access to environment; 3. Send start-of-day email; ...) or very tactical (e.g. on a Ruby code review, look for instances of #constantize() throughout the code base).
You can also combine multiple checklists in a single project. For example, on a typical webapp assessment you'd usually have at least:
An infrastructure configuration review checklist (doing basic port scanning, SSL certificate and configuration checks, etc.).
A webapp checklist (e.g. OWASP, Web Application Hacker's Handbook, SANS SWAT, etc.)
For an infrastructure assessment, you can start with a general checklist like PTES and as you progress during the Discovery phase you can add technology and service specific checklists (e.g. VPN assessment, Oracle database testing, etc.).
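As an added example (not Dradis's own code), here is a short Python script that combines several checklists into one project view and lists every task still unchecked, the pre-delivery check that catches a forgotten step. It assumes the methodology files are XML with name / sections / section / tasks / task elements and a checked attribute; the two sample files are constructed, so compare the layout against the files in your own templates/methodologies/ directory before pointing it at them.

```python
import xml.etree.ElementTree as ET

# Constructed sample checklists in the assumed layout, not Dradis's shipped files.
INFRA_XML = """<?xml version="1.0"?>
<methodology>
  <name>Infrastructure configuration review</name>
  <sections>
    <section>
      <name>Network</name>
      <tasks>
        <task checked="true">Port scan all in-scope hosts</task>
        <task>Review SSL certificate and configuration</task>
      </tasks>
    </section>
  </sections>
</methodology>"""

WEBAPP_XML = """<?xml version="1.0"?>
<methodology>
  <name>Webapp checklist (OWASP)</name>
  <sections>
    <section>
      <name>Authentication</name>
      <tasks>
        <task checked="true">Test account lockout</task>
      </tasks>
    </section>
  </sections>
</methodology>"""


def parse_methodology(xml_text):
    """Return (name, [(section, task, done), ...]) for one checklist."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="(unnamed)")
    tasks = []
    for section in root.iter("section"):
        sec_name = section.findtext("name", default="(unnamed)")
        for task in section.iter("task"):
            # A task counts as done only when explicitly marked checked="true".
            done = task.get("checked", "false").lower() == "true"
            tasks.append((sec_name, (task.text or "").strip(), done))
    return name, tasks


def outstanding_tasks(xml_texts):
    """Combine several checklists and list every task still unchecked."""
    pending = []
    for xml_text in xml_texts:
        name, tasks = parse_methodology(xml_text)
        pending += [f"{name} / {sec}: {t}" for sec, t, done in tasks if not done]
    return pending
```

Run outstanding_tasks over every checklist attached to the project; an empty list means every step of every methodology has been ticked off.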
Finally, do you remember how we learned about Project templates in Lesson 3? Good news! You can include methodologies in a project template so that they are waiting for you when you start your assignment.
After this, our fourth lesson, you should have a clear understanding of the mindset shifts that you can make once you have a powerful platform like Dradis helping you spend less time on busywork and more time on the important bits.
Today's homework: