Author Archives: Daniel Martin

New in Dradis Pro v2.4

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.4 with some long-requested improvements.

The highlights of Dradis Pro v2.4

  • Project-wide search (see below)
  • UI improvements (see below)
  • Copying of Report Template Properties
  • Word reports
    • Better file extension handling in Windows
  • Minor bug fixing.

A quick video summary of what’s new in this release:

Project search

It is now possible to perform a project-wide full-text search against Evidence, Issues, Nodes and Notes:

A screenshot showing the "All" tab with results for a "DNS" search

A screenshot from the Search results page showing only Node matches

UI improvements

Dradis is used by over 270 teams in 33 countries around the world. When people are using your platform to edit and generate content in languages as varied as Simplified Chinese, Slovenian or Turkish, it becomes very easy to spot and squash internationalisation and character encoding bugs.

With this release we’ve made sure that Tags fully support names encoded in UTF-8:

A screenshot showing a tag in simplified Chinese

Evidence multi-add

It is not uncommon to need to link the same Issue to a number of hosts in your project. We’ve redesigned the UI to make this task a lot simpler:

  • Select the Evidence template you need (or start with a blank slate).
  • Tick off the relevant items from the Existing Hosts list.
  • If needed, paste a list of new IP addresses that will be added to the project and associated with your Issues.

A screenshot showing the new Add Evidence feature that lets you select existing nodes from a list, or paste a list of IP addresses.

Validate on save

Teams working with Dradis normally need to use a number of different report templates (e.g. one for vulnerability assessments and one for social engineering). To make it easy for users to remember what information each template needs, we now validate the content supplied by the user against the individual template's requirements and present a warning if the content doesn't match the template's expectations:

A screenshot showing warnings about missing fields and mismatched values in a recently created issue.

Optimistic locking

Have you ever updated an Issue or Note only to find out afterwards that one of your teammates was editing the same item at the same time? From now on, Dradis will warn you when someone else has modified the content you were working on, so you have the peace of mind of knowing you're always working on the latest version of the content:

A screenshot showing how Dradis detects a modification to the content you were just trying to edit.

Still not using Dradis in your team?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.3

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.3 with some interesting additions.

The highlights of Dradis Pro v2.3

  • Smart issues table (see below):
    • Filter / search contents
    • Custom columns
    • Show / hide columns
  • Tabbed view for: Issues, Notes and Evidence (see below)
  • Admin > Templates > Reports improvements
  • Admin > Templates > Projects improvements
  • Redesign of empty views: project, issues, methodologies
  • Add-on enhancements
    • Acunetix: better code / syntax parsing
    • OpenVAS: bug fixing
    • Project export: improve SQL efficiency
  • Methodologies module
    • Fix task status handler (tasks w/ special chars)
    • Progressive design enhancements
  • REST/JSON API:
    • New coverage: Notes, Evidence
    • Track API actions in Activity Feed
  • Word reports
    • Image captions (see below)
    • Fix bug w/ special chars in Node labels
  • Security fixes
  • Bugs fixed: #324, #325

Smart issues table

Dradis is used by over 270 teams in 33 countries around the world. Each team has a very different way of structuring their findings. With the new smart issues table, each user can decide what information should be presented on the screen for each project:

UI improvements

A few screenshots of the recent redesigns:

A screenshot of an Issue showing tabs for Information, Evidence and Activity

A screenshot showing the All Issues table with the new controls for filtering and showing/hiding columns.

A screenshot showing the Web Application Hacker's Handbook methodology

Word image captions in action

You can now specify the caption associated with your screenshots so it appears in your reports:

A screenshot showing how to specify the caption for an image

Hover the image to show the associated caption:

A screenshot showing Dradis rendering an image with a caption.

And select a custom Caption style for your Word image captions:

A screenshot showing a Word document with an image and a caption

Still not using Dradis in your team?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.2

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Two short months after the release of Dradis Pro v2.1 in February we’re pleased to bring you Dradis Pro v2.2 which is focused around connectivity and performance.

The highlights of Dradis Pro v2.2

  • Full REST/JSON API coverage (documentation)
  • Performance improvements: Rails 4.2, Ruby 2.2, memory monitoring.
  • Fix bug in Activity Feed of project templates.
  • Add-on enhancements:
    • CSV: export evidence data, fix CLI integration
    • HTML: fix CLI integration
  • Bugs fixed: #204, #319

The REST API

Through the new HTTP JSON API you can securely access all of the application entities, including:

Screenshot showing a GET request to the /clients endpoint

Perform CRUD operations on all application objects through an easy-to-use JSON interface.

Screenshot showing a POST request to the /issues endpoint

Use your favorite language to interact with the data contained in your Dradis environment.

Performance boost: faster, more responsive interface

Dradis Pro v2.2 also comes with a new version of the Rails framework and a modern version of Ruby. Both upgrades should have a significant impact on the overall performance and snappiness of the app, and they also bring some interesting security features out of the box. Among the notable changes are strong parameters and DB performance on the Rails front, and garbage collection (GC) of symbols on the Ruby front.

For the nitty gritty details please see the Rails 4.2 release notes and the Ruby 2.2 announcements.

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.1

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Throughout 2016 we’re aiming to shorten our release cycle, and we’re pleased to bring you Dradis Pro v2.1 with a collection of enhancements that will make your day-to-day life a little bit easier.

The highlights:

  • DB performance improvements.
  • Session timeouts.
  • New add-ons
    • CVSSv3 score calculator.
    • DREAD score calculator.
  • Add-on enhancements:
    • Nessus: add support for compliance checks.
    • Nessus: use Node properties.
    • IssueLibrary: tagging of findings + UI improvements.
    • Rules Engine: rule sorting + UI improvements.

A few screenshots of the release

Screenshot showing the IssueLibrary entries with a badge showing their tags

Tag entries in your IssueLibrary

A screenshot showing each rule with handle bars for easy dragging / moving.

Drag and drop rules to re-order them

A screenshot showing the interface of the new calculator that lets you generate CVSSv3 by choosing the value for each subscore.

Calculate CVSSv3 scores and vectors from within Dradis

A screenshot of a piece of Evidence in Dradis with the Policy Value, the Actual Value and the Compliance Status of the check.

We can parse and export to your report Nessus’ compliance data.

How to upgrade to Dradis Pro v2.1?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.0

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams.

Just in time for the new year a fresh release of Dradis Pro is out of the oven. We’re really excited about Dradis Pro v2.0 as it is going to allow you to have a much better understanding of what is going on in all your security assessments.

The highlights:

  • Activity Feed: see what others are doing (see below)
  • Content revisions: track and *diff* edits (see below)
  • REST API: Clients and Projects
  • New Change Value action for the Rules Engine
  • Open support ticket from the app
  • Better issue Tagging support
  • Scheduled DB cleanup
  • DB performance enhancements
  • New add-ons
    • Brakeman Rails security
    • Metasploit Framework
  • Word reports
    • Better handling of screenshots
    • Pre-export validator (see below)
    • Add .docx / .docm support CLI generation
    • Report template properties (see below)
  • Plugin enhancements:
    • Acunetix issue identification accuracy
    • LDAP integration
    • NMap CLI bug fixed
    • NTOSpider additional data gathering
    • NTOSpider Plugin Manager bug fix
    • Qualys port and protocol information
  • Security fixes

Bugs fixed: #223, #301, #303, #307b

Dradis v2.0 video summary

The most juicy features in a 1m32s video:

The Activity Feed

The new Activity Feed is displayed on every view of the project. It lets you see who has been working on what (and when).

In the Project Summary page, the feed looks like this:

Screenshot showing different activities with the associated user and data (e.g. Rachel created a note), along with a link to the activity.

The project activity stream.

There is an Activity Feed for issues, evidence, notes and nodes, so nothing will slip through the cracks.

Versioned content

In addition to knowing who did what and when, we’ve taken it one step further: it is now possible to view and compare the changes that were introduced in any piece of content during the lifetime of the project:

A screenshot showing the view comparing the differences between two revisions of the same content.

The Activity Feed view from the Project Summary page.

Report template properties and pre-export validator

Finally, a handy feature on the reporting front. Since Dradis doesn't force you to change the way you write your report, we don't make any assumptions about how you want to work (trivia fact: Dradis has been used by over 200 teams in 32 countries and dozens of languages). As a result, sometimes there is a small discrepancy between the content in your Dradis project and what your report template is expecting.

For example, say you use High, Medium and Low for risk rating. Maybe in one of the issues somebody made a typo and used Hihg instead of the appropriate spelling. Or say that your template is expecting you to define properties for Project name and Client point of contact but you forgot? Fear not, the new pre-export validator is here to help!
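To make the two mismatches described above concrete, here is an added illustrative example of such a pre-export check written in Ruby. It is not Dradis code: the template spec format, the field names, the sample project and the "did you mean" hint are all constructed for this example.

```ruby
# Added illustrative example (not Dradis code): a minimal pre-export
# validator. The spec format, field names and sample data are constructed.

# What the report template expects. Constructed for this example.
TEMPLATE_SPEC = {
  required_properties: ["Project name", "Client point of contact"],
  issue_fields: {
    "Risk"  => { allowed: ["High", "Medium", "Low"] },
    "Title" => { required: true }
  }
}.freeze

# Levenshtein distance, used to suggest the closest allowed value when a
# field holds something the template does not recognise (e.g. "Hihg").
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Returns an array of warning strings; an empty array means the project
# matches the template. project is { properties: {...}, issues: [{...}] }.
def validate_for_export(project, spec = TEMPLATE_SPEC)
  warnings = []

  # Check 1: every property the template references must be filled in.
  spec[:required_properties].each do |name|
    value = project[:properties][name].to_s.strip
    warnings << "Missing project property: #{name}" if value.empty?
  end

  # Check 2: issue fields must be present and hold an expected value.
  project[:issues].each_with_index do |issue, idx|
    label = issue["Title"].to_s.empty? ? "issue ##{idx + 1}" : issue["Title"]
    spec[:issue_fields].each do |field, rules|
      value = issue[field].to_s.strip
      if rules[:required] && value.empty?
        warnings << "#{label}: missing field #{field}"
        next
      end
      allowed = rules[:allowed]
      next if allowed.nil? || value.empty? || allowed.include?(value)
      # Suggest the closest allowed value when the typo is small.
      closest = allowed.min_by { |v| edit_distance(value.downcase, v.downcase) }
      hint = edit_distance(value.downcase, closest.downcase) <= 2 ? " (did you mean #{closest}?)" : ""
      warnings << "#{label}: #{field} is '#{value}', expected one of #{allowed.join(', ')}#{hint}"
    end
  end
  warnings
end

# Constructed sample project reproducing the two mistakes from the text.
SAMPLE_PROJECT = {
  properties: { "Project name" => "ACME external test" }, # contact missing
  issues: [
    { "Title" => "Outdated TLS configuration", "Risk" => "Hihg" },
    { "Title" => "Verbose server banner",      "Risk" => "Low" }
  ]
}.freeze

if __FILE__ == $0
  validate_for_export(SAMPLE_PROJECT).each { |w| puts w }
end
```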

A screenshot showing the different checks the validator is making.

The pre-export validator in action.

So far we've got the following checks, but we're already working on the next batch:

How to upgrade to Dradis Pro v2.0?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v1.12

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.12. Dradis is a collaboration and automated reporting tool for information security teams.

The highlights:

  • New Acunetix and NTOSpider connectors
  • Updated Burp and OpenVAS connectors
  • Business Intelligence add-on (see below)
  • Rules Engine add-on (see below)
  • Reporting engine enhancements:
    • Pre-export validator
    • Native support for .docx and .docm
    • IssueCounter control
    • Concurrency enhancements
  • Bugs fixed and feature requests: #128, #131, #141, #145, #152, #184, #189, #197, #201, #205, #207, #212, #216, #232, #238, #239, #254

Rules Engine add-on

Define rules that kick in when you upload the output of a scanner. Akin to your email client processing rules, the Rules Engine allows you, among other actions, to:

  • Tag findings based on their fields (e.g. tag as Critical if CVSSv2 is > 9)
  • Merge several findings into a single one (e.g. group all those pesky “missing patches” entries under a single finding)
  • Replace the default description with your own. That's right, every time Burp finds XSS, you will get a finding with your team's custom Description / Recommendation for this vulnerability class.

A screenshot showing the list of configured rules in this Dradis Pro instance.

Define the rules that will kick in when you upload the output of a scanner.

A screenshot showing a rule definition where two findings (one from Nessus and one from Qualys) will be replaced with the team's own description of the problem.

Sample rule: de-duplicate findings.

A screenshot showing a rule definition where any finding coming from a scanner is replaced with the team's own description in the IssueLibrary

Sample rule: use your own descriptions.

Business Intelligence add-on

Most likely you’re running 100s of projects each year. The Business Intelligence add-on helps you make sense of the wealth of information that is at your fingertips but that most likely you haven’t been tracking. These are some of the questions you will be able to start answering:

  • What do you know about the types of projects you’re running (what percentage is webapps vs infrastructure)?
  • What types of clients are you serving? In what industry?
  • Which are the most profitable client types?
  • What percentage of your projects is under-scoped or over-scoped?

A screenshot showing the Business Intelligence view with: a list of custom properties for Clients, for Projects and a search facility.

The Business Intelligence dashboard. Define custom properties for Clients and Projects to track business metrics.

New admin layout

Yes, we finally have a layout like it’s 2015 (well maybe 2013), but a great improvement over our bare-bones previous one. Here are just a couple of quick examples:

A screenshot showing the project selection view inside Dradis Pro.

Project selection view.

A screenshot showing the list of users registered in a Dradis Pro instance.

All users registered in the Dradis Pro instance.

How to upgrade to Dradis Pro v1.12?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.12.0

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features. Or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v1.11

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.11. Dradis is a collaboration and report generation tool for information security teams.

The community of Dradis users is very passionate about their craft and they rely on us to run their infosec practice. We live to make their lives better by taking as much of the drudge work and repetition involved in delivering each project off their plates. Part of that effort also consists of creating great documentation to make the most out of Dradis, and we have two new manuals:

  • Working with projects: covering every module you will use on a day-to-day basis when running a project with Dradis.
  • Custom Word reports: showing you how our flexible reporting engine can be used to adapt your existing report template.

As promised a few months ago, we keep our focus on software quality and continuously raising the bar for ourselves. As a result this release is more about stability, performance, and enhancing existing functionality than it is about introducing flashy new features (not that we’re not working on flashy new features, of course we are, and they’ll blow your socks off when you see them, but they are not part of this release ;)).

Without further ado, the highlights of this release:

  • Performance improvements for really large projects. Running internal assessments with 100s of hosts and 1000s of vulnerabilities is completely painless.
  • Enhancements to the reporting engine:
    • Filter Issues by tag
    • Better screenshot support
    • Better paragraph / text styling detection
    • Better internal formatting (when inside Word tables)
    • Background report generation
  • Onboarding Tour for new users
  • In-project methodology editor
  • Drop old interface support
  • Bugs fixed: #20, #24, #50, #52, #55, #74, #142, #143, #146, #147, #151, #159

How to upgrade to Dradis Pro v1.11?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.11.0

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features and pricing. Or if you want to start from the beginning, read the 1-page summary.

Dradis Pro is sponsoring BSides London 2014

Dradis Professional is sponsoring the next edition of the B-Sides London security conference:

http://www.securitybsides.org.uk/

B-Sides London 2014 will be held at the Kensington and Chelsea Town Hall on April 28, 2014 in London, UK.

We’ve put together a page for the event and are raffling a Dradis Pro license, read more at:

http://securityroots.com/dradispro/events/bsideslondon2014.html

Are you planning to attend or want to get in touch? Contact us or ping us on Twitter: @dradispro

New in Dradis Pro v1.10

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.10.

March 2014 has been a great month: first we took part in Corelan Team’s 5th Anniversary party then we attended the first edition of the Rooted Warfare event and now we have a fresh release ready for you (yes, yes, technically we’re not in March any more, but it’s close enough!).

It’s been only 3 months since our last release, but this one is full of action:

  • A more useful Project Summary view (see below).
  • Tag issues and group them by tag.
  • New Project Template manager.
  • Performance improvements to several plugins (Nmap, Word, etc.)
  • Improvements to the management console (see below).
  • Several improvements on the UTF-8 and i18n front.
  • And of course bug fixes, lots of bug fixes
    (#43, #44, #64, #65, #72, #75, #77, #78, #85,… full list)

Let's take a closer look at some of the most significant enhancements…

Interface improvements

This is what the new Project Summary page looks like:

A screenshot showing the new Project Summary view. Includes an issue chart and a methodology progress meter

All in all, the new Project Summary gives you a nice big picture overview of what is going on with the project. This is great for team leaders and technical directors wanting to keep an eye on the projects across the board. And if the client asks for an update, you’ll have all the information you need in a single screen. Nice and easy.

Let's delve into the key components of this new summary view.

Finding tagging

First of all, it is now possible to group and tag your findings. You can define your own categories and colors or you can use the default ones, up to you.

In terms of doing the real assigning, a nice drag-and-drop interface makes it a very straightforward and intuitive process:

A screenshot showing the interface that allows you to drag issues and drop them into the right category

Track methodology progress

Testing methodology support was introduced some time ago. However in this release we’re making it a lot easier to keep track of how much progress you and your team have made.

A screenshot showing the new graph that keeps track of your progress in the methodologies of the project.

You can of course create your own testing methodologies. But remember that to help you get started there are quite a few already available in the Resources section of our Users Portal:

http://securityroots.com/dradispro/extras.html

Management console improvements

We’ve some good news on the Dradis CIC as well.

There are a few services ticking along in the background to make sure you have a great Dradis Pro experience. Every once in a while, however, you may want to restart some of these services (e.g. you developed a new custom plugin, you made a change to your MySQL config, etc.). Before, you had to roll up your sleeves and prepare for some good old console goodness. Not any more! From now on, it is possible to check the status of the different services and restart them from the web interface itself:

A screenshot of Dradis' Admin Console showing an interface that lets you re-start the different services the app depends on.

How to upgrade to Dradis Pro v1.10

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.10.0

Still not a Dradis user?

These are some of the benefits you will get:

Read more about Dradis Pro’s time-saving features.

New in Dradis Pro v1.9

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.9. Start thinking about what you are going to do in 2014 with all the report-writing hours that Dradis will save you from spending 🙂

This release brings new features and improvements at almost every level:

  • Redesigned interface (see below).
  • New management console and upgrade process (see below).
  • A faster, more reliable stack (see below).
  • Enhancements to reporting engine:
    • Custom Word tables (read more)
    • Mix Issues as Notes throughout the template
  • Drag’n’drop report template manager (read more).
  • Add methodologies and checklists to your project templates.
  • And of course bug fixes, lots of bug fixes (#7, #22, #26, #33, #34, #46, #47, #51, #59,… )

Let's take a closer look at some of the most significant enhancements…

New interface

Throughout 2013 Dradis Pro has been used by dozens of organizations around the world to manage hundreds of security engagements. Each project is a complex mix of tasks: writing up a vulnerability, processing the output of a tool, uploading a screenshot, etc. We have redesigned the Dradis interface to declutter your project workspace and make it easier to perform those tasks that you need to do several times per day.

Without further ado, the new Dradis Pro v1.9 interface:

A clean layout that lets you focus on what’s important: your findings. It’s also fluid which will help you make the most of your wide screen.

Here are a few additional close-ups, and yes, you can drag’n’drop your attachments or even paste your screenshots directly, without saving them on a file (if your browser supports it).

Management console & upgrade process

From now on upgrading your Dradis Pro install will be even easier. We’ve created a new management console that lets you apply updates without leaving your browser window.

Apart from the new Dradis CIC, we've also made significant changes to the base operating system layer of the Dradis Pro virtual appliance, so you should upgrade as soon as possible (review the Exporting, importing and backing up your data step-by-step guide).

New stack: Ruby 2.0, Unicorn, and Nginx goodness

With Dradis Pro v1.9 we’re upgrading the base stack that powers the application.

The new stack is significantly faster and more efficient (it's the same one that people like GitHub, Airbnb or Zendesk are using). From the user's point of view, you'll just notice better performance under the hood.

We’ve also made some changes to the internals of the appliance paving the road to more advanced CIC operations (like restarting services from the administration console). We’ve also taken steps to make sure that further tweaking the stack will be a painless process, which will make things easier in the long run.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features.