Monthly Archives: August 2013

New in Dradis Pro v1.8

Today we have pushed a new version of Dradis Professional Edition: Dradis Pro v1.8.

This is a shorter release cycle than usual, but we are publishing some significant improvements that we couldn’t wait to share. This is tied to the ideas on product quality we shared a few days ago. Expect a big push of improvements and fixes over the coming weeks.

Changes:

  • Fine-grained project permissions (read more)
  • New Export Manager interface (see below)
  • Bugs fixed and enhancements:
    • Updated to Rails 3.2.14
    • Fix attachment preview scale in Firefox
    • Assign name to screenshot when using Ctrl+v to upload
    • Fix project import/export to work with Issues/Evidence
    • More reliable MediaWiki import (#17)
    • Give more room to every text editor window (#9)
    • Keep the alphabetical sort after errors in the issue list (#2)
    • Fix issues rendering problem in New Notes tab (#6)

The new Export Manager

The Export Manager was one of the modules that needed a refresh after the important changes we pushed in v1.7 (read v1.7 release notes).

Before, there was no easy way to export the same project into the different formats we supported (like HTML or Word), because you had to assign your notes to different categories depending on the export plugin you wanted to use.

This is no longer the case. With the new Export Manager you can export into any format from a single screen:

Screenshot showing the 1st step of the Export Manager where you choose the export plugin you want to use

First you choose which export plugin you want to use. If the plugin provides several options, as the Advanced Word Export plugin and the Project export plugin do, you can select the one you want at this stage.

Next you choose the template you want to use, click on Export and you are ready to go:

Screenshot showing the second step of the Export Manager where the template is chosen

This is great for people that have different templates for different project types (e.g. Application vs. Infrastructure templates; Wireless Assessment template; etc.). It also lets you create and test a new template while the team is still using the current version.

The new Export Manager is more flexible and powerful than any of the alternatives we had before; we hope you enjoy it!

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features.

Going Freelance

Thinking of going freelance but not sure if it’s for you? Here are a few things that I think are worth considering before you take the plunge.

First, are you sure you actually want to go freelance? Is it that you want to be your own boss and manage your own work/life balance or is it just the lure of what, on the surface, appears to be good money and short hours?

I’ve been working for myself on and off for the last eight years so have quite a bit of experience of the advantages, disadvantages and things to consider when making the jump, and in this article I’ll cover some of these. I hope they will be helpful to those of you thinking of making the jump or who have recently made it. A short disclaimer though: these are my experiences and opinions; they may not work for everyone and others may disagree, but they will at least give you one point of view.

First off, back to the original question: do you really want to work for yourself? On the face of it, freelancers have a great life: the money is good, you can choose when to work, pick your clients and generally have a great time. The reality is that all this can be true but it takes effort; you have to put a lot of work in to get there and to stay there. Clients do not simply come banging on your door and while the daily rate can be very good you are unlikely to be working 5 days a week every week, so don’t forget, you have to average that rate out over the month and year.

Here are some other things worth thinking about.

Hours

I find that I work a lot more hours working for myself than I ever did working for someone else. There are lots of reasons for this:

  • You are now running a business so have to do “business stuff” as well as the actual client work – Things like bank reconciliation, marketing/advertising and VAT returns all take time that isn’t billable so ends up being fitted in around jobs, usually in the evenings or weekends during busy periods.
  • Quality of work/reputation – Not that I didn’t care about the quality of work when I was employed but now the business is just me and the next job with a client is likely to be based on the deliverables from this job, I feel an extra pressure to do the best job possible, even if that means putting in a few extra hours. I also end up knowing the client at a more personal level as I’ve often been involved with the whole process from initial contact to final delivery and so want to deliver a higher quality product.
  • There is often no one there to stop you doing the extra hours – When working in an office the end of the day is obvious as everyone else is packing up and leaving but working on your own it is easy to get sucked into a job and lose track of time. This applies to employed people who work from home as well so not just freelancers.

Clients

Unless you are really lucky and are well known or have very specialist skills, it is unlikely that clients will simply come to you and so you’ll need to go out and win them in some way. When starting out you need to be careful how you do this. Most companies have a clause in their contract that stops you approaching any of their clients if you leave so don’t assume that if you are friendly with some of the company’s clients that you will be able to lure them away. You may also have to be careful signing up your own clients while still employed, this may breach your contract. If this is the case you may start your freelance career without any fully signed up clients which isn’t a good position to be in.

When working out where to get clients from there are a couple of options, go direct to companies and try to sell them your services or work through middlemen who resell your services for you. Which you choose is up to you and how you would rather work. Going direct to companies can be more lucrative as you get to negotiate for yourself and keep all the cash but doing this requires you to put effort in finding and winning these clients. Back to the hours worked, this isn’t billable work and you have to fit it in around paying clients. Working through a middleman means you don’t have to worry about sales and marketing and all the client schmoozing but means you lose a cut of the final invoice to the middleman.

I personally prefer using a middleman, actually a number of them, as I really don’t like having to do sales work and so am happy to give them their cut to do the work I don’t enjoy. Something I do consider here though is that if the middleman goes on holiday or has a bad month then I’ll not be getting any work that month. That is why I like to have a number of agencies that I work through as one may be on an ebb while the other is on a flow.

Until it has happened once, most freelancers don’t think about clients not paying; you just assume that you’ve done the job so the cash will come in, hopefully on time. I’ve had a couple of clients not pay; the first one hit me so badly that I ended up going back to employment as I couldn’t cover it. When you tell friends, their response is often “take them to court, sue them”, but that is easier said than done when you find out that they haven’t paid because they’ve blown all their cash and have nothing left to pay anyone. Legal action can cost a lot of money and you are unlikely to be high on the list to get cash back if they are going belly up. Make sure you think about this and have reserves in case it happens.

Software/Hardware

As an employee you are most likely provided with all the hardware and software you require to do your job. You’ll get a laptop, Nessus licence, that kind of thing. When you are on your own you have to provide all that yourself. While a lot of security tools are free there are some instances where the commercial versions are really the best ones to choose. Make sure you add all these costs to your budget. Don’t forget the non-security tool software costs as well, a Windows licence (even if just used in a VM), Office and all the other little apps that you used to just install off the main app server without worrying about licences for.

Laptops, phones and other hardware – are you going to share your personal kit with the business or are you going to get it its own dedicated set? Duplicating it all is expensive but means you can do extra hardening on the work equipment and ensure it is only used for work to lessen the risk of exposing client data.

Also consider hardware redundancy, when employed, if your laptop dies the night before a test you might be able to acquire a replacement from a colleague and if not then you can probably hand off to the project manager talking to the client and postponing the job. When you are on your own all that becomes your responsibility. I’ve been a Linux user for over 10 years but my main laptop has been running Windows 7 for over a year because I’ve not had time to take it out of service for long enough to reinstall it. I have a backup machine that I can use if I need to but being older it is a much lower spec so even when I’ve had a few days spare I haven’t risked making the swap just in case.

Legal Issues

The contract

This section could also be called Cover Your Ass and you need to give it close attention. What you need is dependent on your location and the jobs you are doing but here are the basics.

First you really should get a good contract. There are lots of contracts floating around on the net which you could take and either use as is or modify to your own requirements. This is the cheap option but not one that I went for. The reason I chose not to do it is that I wanted to know that my contract matched my business and the jobs I was doing. The contract is the thing that decides who is in the right if things go wrong, so I was happy to spend money and time with a good lawyer to make sure mine was as good as I could get.

There are also a number of potential problems with random contracts found on the net:

  • It could be out-of-date – Laws and regulations change
  • Location – The contract may not be for your country/jurisdiction
  • The contract may have flaws or may simply be written by someone who was not a lawyer and just thought the words sounded good

Insurance

In terms of insurance, some may be mandatory, some may be recommended and some may be personal preference. As with contracts, what you need will be based on the kind of work you are doing and where you are doing it. The different types I’d definitely look at are:

  • Professional indemnity – Covers you if you make a mistake while on a job
  • Public liability – In case someone gets hurt as a result of you doing a job
  • Income protection – If for some reason you are unable to work there will be no money coming in, this can help in this kind of situation

When getting insurance, make sure you explain exactly what it is you will be doing to the insurance company or broker. I went through a few companies who turned me down outright until I got annoyed and asked one for an explanation as to why they wouldn’t cover me. After a discussion they realised they didn’t fully understand the job I initially described to them, so changed their minds and covered me. This was quite a few years ago and as the industry has grown there are now many more options out there and companies understand the profession better, but I’d still make sure you fully explain to them what it is you will be doing just in case.

Training

It’s all down to you, if you want training you have to pay for it yourself in time and money. There are a lot of free, or very cheap, courses out there and you can learn a lot from just reading articles but back to hours worked again, it isn’t billable work so you have to fit it in around your paying clients.

Holidays

No holiday pay, if you aren’t working you aren’t earning! You don’t even get paid for bank holidays.

I like to tie training and conferences in with holidays; our family holiday last year started in Gent at BruCON then moved on to a more normal holiday.

Money

I can’t lie, the money as a freelancer, on the face of it, is a lot better than as an employee but, when you add in all the extra hours you’ll end up working, the lack of holiday pay, having to provide all your own hardware, software, stationery (I still send letters occasionally) and all the other non-billable things you need to do and buy, it doesn’t necessarily work out that much better.

When working out your budgets don’t assume that you’ll set your day rate at X and will get 253 * X (253 is the number of working days in 2013). Make realistic assumptions about how much work you think you’ll get in a good and a bad month and then decide if it looks as good as it did.

Think about what will happen if you have a couple of bad months back to back, can you survive?

Conclusions

I love being freelance. I much prefer the freedom it gives, especially with two small children at home, but I’m lucky that I have a lot of very good clients and I’m able to sit at my desk from 9-5 (or however long a job takes) without getting distracted. I take regular breaks and will take a day off just to play with the kids if work is quiet but I’ll also get my head down and barely leave my office when work is there.

If you are thinking about it, make sure you look at the unglamorous side of it as well as the fun-looking public side, and if you decide to do it, good luck, I hope you enjoy it as much as I do.

About Robin Wood

Robin is a freelance pen-tester, researcher and developer. Among his projects are Karma, KreiosC2 and Jasager. He is based in the UK.

Find him on Twitter as @digininja or at www.digininja.org

Two years of Dradis Pro

Dradis Pro turned two, but we had our heads down working and we didn’t even notice. A little over two years ago we announced our flagship product: Dradis Professional Edition. Just looking at that URL – /2011/07/ – makes me realise how much work and how many hours have been poured into the project. About 1,000 new commits with new features, bug fixes and improvements. This of course doesn’t take into account the work that goes into the Support site for writing our step-by-step guides and producing the screencasts; or in making sure the website is up to date and still relevant; or in keeping our user base informed through our blog, tending the Twitter feeds or the mailing list (which has grown from 0 to 170 conversations and 700 messages).

The Dradis Pro logo which is based on the icons in the Dradis screen of the Battlestar Galactica tv series

When we started, the main goal of Dradis Pro was to provide a convenient way to use the Dradis Framework bundled in a ready-to-use VM. Since then, and with the feedback from dozens of organisations around the world using Dradis on a day-to-day basis, we’ve evolved the tool around four basic pillars:

  • 1-click reporting: time is money and every hour you don’t spend writing a report you can spend doing something else (e.g. finding bugs, researching, updating internal methodologies, etc.).
  • Integrating tool output: with 15 plugins and counting (including Burp, Qualys, Nessus, and Nexpose), Dradis is the easiest way to merge and integrate the output of different tools.
  • Consistent results: your team’s reputation is built on your ability to provide consistent results. Dradis puts the right tools at your fingertips: create custom project templates and testing methodologies (or download the ones we’ve created for you).
  • Collaboration: all changes are automatically pushed to every person working on the project to ensure everyone is on the same page.

At the moment I think we have a good portion of the basics covered. There are still a couple of modules that we will be adding in the near future, but for the most part the functional surface is already there. Now is the right time to reflect on what we have, what we’ve built and where we want to go from here. I’ve already outlined some of the driving forces that will inspire the future development of Dradis. Identifying and focusing on the core tasks that really make a difference to our users, raising the quality and smoothness of the experience throughout all areas, and making the interface more convenient to use are some of the key improvements we’ve already identified.

Later this year we’ll have the longest stretch ever of Dradis development since we started two years ago (actually since the open-source project started in 2007): the Autumn of Code’13. Starting on September 1st, and all the way through to November 30th, we will have 3 months of Dradis-only focussed work. The list of goals, improvements and enhancements planned for the Autumn of Code is not closed yet, as I also want to give our users a chance to have an input in the process. But there is a lot that can fit in three months of development.

Once the start date gets closer I’ll post an update with more details. But this is definitely a sensational time for the project. I hope that these three months will make a significant change in the shape and quality of the product. Needless to say I’m very excited about the prospect of devoting my full attention to Dradis Pro for such a long stretch of time.

All in all, this year has been a pretty good year: we released v1.5, v1.6 and v1.7; we sponsored BSides London; we went to Las Vegas for the summer conferences where we met with lots of users and partners and now we will wrap up the year with the Autumn of Code.

These two years have been full of hard work and challenges, but I wouldn’t have had it any other way. I wonder what the next two will be like, and the two after that. Who knows, maybe we’ll have to change our name (you knew where the Dradis name came from, right?) and maybe we’ll finally get around to designing a proper company logo 🙂

In any case, I am really looking forward to what the future holds. When every now and then one of our users says that we are making a real difference for them or that they just cut their reporting time by 70% we know we’re on the right track: helping people to do more of what they want to do and less of what they don’t.

Software quality: creating a software product you can live with

When creating a software business there are a lot of things to consider and many decisions to be made. One of the most important ones, especially if you are by yourself, is: how high are you going to put the software quality bar?

Given the day-to-day pressures to build up the business (do you have a business or do you just think you do?), the multiple feature requests from your users, the support requests you have to tend to, the pile of ideas you’ve got in the roadmap and the limited time in each day, it is clear that some compromises must be made. You’ve got to strike a balance between having enough features that your tool is compelling and making sure that what you have actually works (otherwise the people you worked so hard to convince to use your tool will be frustrated and abandon it).

In the early stages

Remember the classic essay by Joel Spolsky, Good Software Takes Ten Years. Get Used To It: yes, it takes time to create a great product, but you need to make sure that your company is going to survive long enough to get there, and you need to make sure you’re still enjoying what you are doing years down the line 🙂

During the early stages, not every feature we’ve pushed in a release of Dradis Pro was as polished as I’d have liked, but at the time we thought it was the right choice: push the feature out and let our users start benefiting from it. However, we’re not in the early stages any more. We’ve been two years in business, with a growing client base and a healthy amount of new sign-ups every month. Now is the time to take two steps back and look at the big picture, to prepare ourselves for the next ten years.

One of the most important things to learn and keep in mind, even more so for those of us coming from an engineering background, is that your users don’t care about your product. They don’t want to use your product for the sake of using a product. They want the results they’ll get from using your product, and that’s where the focus should be. Let me repeat that, as it is quite important:

Your users don’t want to use your product,
    they want the results they’ll get from using your product.

This means you have to identify what these end results are and focus your efforts on making it ever easier for your users to get there. This often means spending time refining areas of your tool instead of adding new features.

Balancing scope and software quality

In the era of the Lean Startup, the above ties nicely with the concept of minimum viable product: in order to become sustainable, you need to identify several key pieces of functionality that when put together are going to allow your users to get the end results they are looking for. [Note that I’m talking about being sustainable (i.e. generating enough revenue to reinvest in the product to improve it), not just in order to sell or in order to find users for your product. You can sell almost any piece of broken software for a low enough price. But that’s a different discussion for a different time.]

Throwing together those pieces and making sure that they can be made to work together as a coherent application is the very first stage in the lifecycle of the product. This means you’re solving a real problem, for real people, who will pay real money to get their problem solved. However, on the path to this first summit in your journey, you may have to release half-baked solutions or quirky code you are not proud of. You may even do this without being conscious of it (at the end of the day, you’re fighting an uphill battle, and getting results is the only thing that counts on a daily basis).

There is a tipping point where you realize that the strategy of knocking together functionality and releasing it is not going to work in the long run. You are accruing too much technical debt. If you are hoping to be developing and maintaining your tool for years to come, you better make sure that you are creating something that you will want to maintain, something that you are proud of.

I saw the light while reading the Designing Web Applications book by Nathan Barry a few months ago. In particular a section discussing the ideas of Ryan Singer, Software designer at 37signals, on product quality:

I like to visualize software. Here’s an intuition that works for me. Feature complexity is like surface area and quality of execution is like height.

A hand-drawn representation of a software product as a surface, with different areas dotted on it and the height of the shape representing the quality.

I want a base level of quality execution across all features. Whenever I commit to building or expanding a feature, I’m committing to a baseline of effort on the user experience. That way feature complexity — scope — is always the cost multiplier, not user experience. There aren’t debates about experience or how far to take it. The user experience simply has to be up to base standard in order to ship, no matter how trimmed down the feature is.

(Ryan has an article on his blog about the subject: What happens to user experience in a minimum viable product?)

Even though conceptually we’d all agree that it’s desirable to build good quality products, Ryan’s surface/height metaphor makes it really easy to understand the end goal we’re striving for and the reasoning behind it. It is a great tool that you can keep in the back of your head and use to drive your development efforts on a daily basis.

Keep your focus

It’s more important to ensure a consistent height across all areas of the product than it is to expand the surface. In fact, it is a trade-off: there is no expanding the surface if the height isn’t going to be kept consistent.

This helps in narrowing the focus of what you’re trying to build: less surface, more height, build something great. This isn’t new, and there are many ways to phrase this feeling, but I always remember Bill Cosby’s:

I don’t know the key to success, but the key to failure is trying to please everybody.

Your product can’t be all things to all people. This is why you’ve seen a multitude of minimalist text editors thrive by focussing on what is important and nothing else (iA Writer, Writeroom, Byword…). Have the basics taken care of before thinking about adding new stuff. As Julie Zhuo, Director of Product Design at Facebook, puts it, there is a tax associated with every new feature you introduce that you had better understand.

Making this shift, this change of focus towards quality, clarity and purpose has benefits all around. It makes you proud of the work you do and it helps to ensure that you don’t have too many features that you can’t pay attention to.

This is where we are going for the next few releases of Dradis Pro: don’t expect a lot of growth in the surface, we’ll focus on pushing and levelling our height, always keeping an eye on the results our users want to realize.

I’d like to wrap up this post with another quote about quality and building a software product, this time by Jason Fried, also of 37signals:

It better be good, because people are depending on it to be good

Upcoming in Dradis Pro v1.8: fine-grained project permissions

The next release of Dradis Pro will introduce a long standing feature request: fine-grained project permissions.

From now on, it will be possible to restrict who has access to what projects. We’ll evolve the interface over time but the basics are already here:

A screenshot showing the interface to assign project permissions

Users will only be presented with those projects they have access to in the **Project selection** view:

The Project selection window lists only those projects to which the user has access

Of course administrators can access any project any time and reassign the permissions:

A screenshot showing the full list of projects for an administrative user

The implementation is almost there; we are just putting on the finishing touches. We are hoping to release in the next few days.
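As an added illustration of the access rule described above, not Dradis Pro's own code, the following Ruby sketch filters the project list the way the Project selection view does and enforces the same check on every direct request for a project, with administrators bypassing it. The users, project names, ids and the grant table are all constructed for the example.

```ruby
require 'set'

# Added example, not Dradis Pro's own code: an in-memory model of the
# per-project permissions described above. Names, ids and the sample
# projects below are constructed for illustration.
User    = Struct.new(:id, :name, :admin)
Project = Struct.new(:id, :name)

class NotAuthorized < StandardError; end

class ProjectPermissions
  def initialize(projects)
    @projects = projects
    # user id => set of project ids that user has been granted
    @grants = Hash.new { |h, k| h[k] = Set.new }
  end

  def grant(user, project)
    @grants[user.id] << project.id
  end

  def revoke(user, project)
    @grants[user.id].delete(project.id)
  end

  # What the Project selection view lists for a user: administrators see
  # every project, everyone else only the projects they were granted.
  def visible_projects(user)
    return @projects.dup if user.admin
    @projects.select { |p| @grants[user.id].include?(p.id) }
  end

  # The same rule enforced on every direct request for a project (for
  # example a project id typed into a URL). Filtering the list is a
  # convenience for the user; this check is the actual control. A
  # forbidden project and a non-existent one raise the same error so the
  # response does not reveal which projects exist.
  def authorize!(user, project_id)
    project = @projects.find { |p| p.id == project_id }
    if project && (user.admin || @grants[user.id].include?(project.id))
      return project
    end
    raise NotAuthorized, "#{user.name} may not open project #{project_id}"
  end
end

# Constructed fixture: one administrator, one in-house tester with two
# projects and an external contractor restricted to a single project.
def build_fixture
  projects = [
    Project.new(1, 'Acme web application'),
    Project.new(2, 'Acme infrastructure'),
    Project.new(3, 'Cleared government project')
  ]
  perms      = ProjectPermissions.new(projects)
  admin      = User.new(1, 'alice', true)
  tester     = User.new(2, 'bob', false)
  contractor = User.new(3, 'carol', false)

  perms.grant(tester, projects[0])
  perms.grant(tester, projects[1])
  perms.grant(contractor, projects[0])
  [perms, admin, tester, contractor]
end

if __FILE__ == $PROGRAM_NAME
  perms, admin, tester, contractor = build_fixture
  [admin, tester, contractor].each do |u|
    names = perms.visible_projects(u).map(&:name).join(', ')
    puts "#{u.name}#{u.admin ? ' (admin)' : ''} sees: #{names}"
  end
  begin
    perms.authorize!(contractor, 3)
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
end
```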

Our users have been pushing for project permissions for a while now. Among the use cases where having fine-grained project permissions is going to be a big win are:

  • Restrict access to projects that require a specific level of clearance (e.g. government projects, department of defense, etc.).
  • Accommodate requirements from certain clients that only a specific set of pre-approved individuals is allowed to take part in and manage their projects.
  • Limit the visibility of the breadth of clients and projects of external contractors or freelancers brought to the organization.
  • Limit the visibility of new joiners that are still in their probation period.

That is on the pure permission == restriction front. However, having fine-grained project permissions is also going to allow us to do a number of interesting things:

  • Create dashboards in which users can quickly review all the projects they have been involved in lately.
  • Create dashboards in which Technical Directors can quickly see a breakdown of projects for each team member.
  • Quickly identify who has been working with whom, and how long ago (useful for 360-degree feedback and evaluation).

All in all, this is a big step forward in the right direction and while we would normally wait to have a handful of new features before producing a new release we think this is important (and useful) enough to warrant its own version of the tool.

More information

If you are not a Dradis Pro user yet, you can read more about painless 1-click reporting, merging tool output from your favorite tools into a single report and delivering consistent results with our tool. Get a license and start saving yourself some time today.

Follow the OSSTMM v3 methodology with Dradis

You can now follow the OSSTMM v3 (Open Source Security Testing Methodology Manual) in your projects. Today we’ve added a new bundle to our Extras section. Extras is where we post report templates, methodologies and checklists for our community to grab and use.

Not familiar with the OSSTMM yet? From their website:

The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.

What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship.

Included in the OSSTMM bundle

The bundle contains methodologies for all the areas covered by OSSTMM:

  • Defining a security test
  • Data networks security testing
  • Human security testing
  • Physical security testing
  • Telecommunications security testing
  • Wireless security testing

The bundle also includes a project template with the basic project structure you can use to follow the OSSTMM guidance.

Get the OSSTMM v3 methodology bundle and follow the OSSTMM v3 from today.