Category Archives: Business of Software

You’ll find posts in this category that are about the business of creating software and running a software business. Not strictly related with information security, not strictly related with one of our tools.

On being human.

Leave a reply

Our team has grown slowly and deliberately from a single person at the start to a nine-person team in 2021. Some things that work well enough on a small team need more thought as the group expands. With that in mind, we are encouraged and continuously reminded from the day we are hired to challenge our status quo and enabled to suggest and adopt changes.

Embracing that opportunity means our internal processes and approaches evolve as each new person joins the team and adds unique perspectives. As a global team, our views are as varied and diverse as the individuals providing them.

We have internal core values and guidelines for working together as a fully remote and distributed team that might be worth sharing in future posts. We have a clear mission, which I’ll share here to save you a few clicks. 

We help information security teams focus on making systems more secure by reducing the overhead of managing and discussing the outcome of the security assessments they perform for their clients (whether these are inside their organisation or outside of it).

Not too long ago, we realized that there is a bunch of info about Dradis out there – how it works, what it does and doesn’t do, how to use it, etc. Still, not much is available to help the community understand the people and company behind the tool. Taking inspiration from companies like Balsamiq, we decided to do something about that gap. Now, we’ve put into words what we believe to share with you and the ideas that give us a yardstick to measure our decisions against. Without further ado:

We are here for the humans. At the end of the day, the work done in infosec is for and about humans. And as messy as humans are, that can make this work frustratingly complicated. Sure, scanning tools and blinking boxes can handle some of it – but pulling everything together requires a human. We are here to make it simpler for you to be human by getting the time sucks out of your way.

Infosec is a team sport. Just like information systems are interconnected, so are the different folks involved in securing them. Sharing clear information and thinking creatively together is often critical to solving the problem at hand, so let’s do more of that well.

Customers + Vision = Roadmap. We don’t have an official roadmap, but that’s not to say we don’t have plans. We’ve got big ideas on how this industry will continue to evolve and how we can best serve you and your customers. That’s why we reach out to our customers and invite your feedback.

It’s your data. You keep it. Whatever data you put in Dradis, is yours, and we like it that way. We respect your privacy and that of your customers like we value our own. We trust that you will let us know how we can improve and make a better product.

These declarations of what we believe are posted on our website so you can revisit them, and new users can easily find them. These beliefs may change as we grow as a team and new voices are added, and as this industry faces new challenges. I hope you’ll help us stay accountable to these beliefs and call us out if you see us not operating consistently to them.

We are human, after all.

The humans behind Dradis

Hands on Hacking

Leave a reply

The team over at Hacker House has recently released their first book, Hands on Hacking. The book is an incredibly accessible guide for learning pentesting and purple teaming and includes often-overlooked subjects like building a business case for hacking, ethical guidelines, and report writing. 

Report writing, you say?

Needless to say, when authors Matthew Hickey and Jennifer Arcuri reached out to let us know they were featuring Dradis in the chapter on reporting, we were delighted. Since the book’s release, I’ve been able to chat with Matthew to ask about writing this book, his start in hacking and growing a career in the industry, and his favorite reads. 

You can read the full interview with Matthew Hickey at the Dradis Academy.

Hands on Hacking takes a holistic approach to hacking appropriate for those just getting started as well as for management and sysadmins wanting a deeper understanding of the attacks their organization and systems face. 

Want to win a copy of Hands on Hacking?

The team over at Wiley sent us a few copies to giveaway. To enter, share your email address with us below. Winners will be selected at random on October 9, 2020 and contacted at the email address provided to collect shipping information.

The contest is now over, thanks for entering!

Dradis Framework Founder’s Letter – 2017

Leave a reply

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors so we can keep our users front and center. Were trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And, we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis community edition is being downloaded an average of 400 times per weekWhat we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still,  there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300+ teams. This is a challenge, but we wouldn’t have it any other way. Plus, this the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest our community.

To our best year ever,

Daniel

Software quality: creating a software product you can live with

Leave a reply

When creating a software business there are a lot of things to consider and many decisions to be made. One of the most important ones, especially if you are by yourself, is: how high are you going to put the software quality bar?

Giving the day-to-day pressures to build up the business (do you have a business or do you just think you do?), the multiple feature requests by your users, the support requests you have to tend to, the pile of ideas you’ve got in the roadmap and the limited time in each day, it is clear that some compromises must be made. You’ve got to strike a balance between having enough features that your tool is compelling and making sure that what you have actually works (otherwise people that you worked so hard to convince of using your tool will be frustrated and abandon it).

In the early stages

Remember the classic essay by Joel Spolsky Good Software Takes Ten Years. Get Used To it, yes it takes time to create a great product, but you need to make sure that your company is going to survive long enough to get there and you need to make sure you’re still enjoying what you are doing years down the line 🙂

During the early stages, not every feature we’ve pushed in a release of Dradis Pro was as polished as I’d have liked, but at the time we thought it was the right choice: push the feature out and let our users start benefiting from it. However we’re not in the early stages any more. We’ve been two years in business, with a growing client base and heathy amount of new sign ups every month. Now it’s the time to take two steps back and look at the big picture, to prepare ourselves for the next ten years.

One of the most important things to learn and keep in mind, even more important to those of us coming from an engineering background is that your users don’t care about your product. They don’t want to use your product for the shake of using a product. They want the results they’ll get from using your product, that’s where the focus should be. Let me repeat that again as it is quite important:

Your users don’t want to use your product,
    they want the results they’ll get from using your product.

This means you have to identify what this end results are and focus your efforts in making it ever easier for your users to get there. This often means spending time refining areas of your tool instead of adding new features.

Balancing scope and software quality

In the era of the Lean Startup, the above ties nicely with the concept of minimum viable product: in order to become sustainable, you need to identify several key pieces of functionality that when put together are going to allow your users to get the end results they are looking for. [Note that I’m talking about being sustainable (i.e. generating enough revenue to reinvest in the product to improve it), not just in order to sell or in order to find users for your product. You can sell almost any piece of broken software for a low enough price. But that’s a different discussion for a different time.]

Throwing together those pieces and making sure that they can be made to work together as a coherent application is the very first stage in the lifecycle of the product. This means you’re solving a real problem, for real people, that will pay real money to get their problem solved. However, in the path to this first summit in your journey, you may have to release half-baked solutions or quirky code you are not proud of. You may even do this without being conscious about it (at the end of the day, you’re fighting an uphill battle, and getting results is the only think that counts on a daily basis).

There is a tipping point where you realize that the strategy of knocking together functionality and releasing it is not going to work in the long run. You are accruing too much technical debt. If you are hoping to be developing and maintaining your tool for years to come, you better make sure that you are creating something that you will want to maintain, something that you are proud of.

I saw the light while reading the Designing Web Applications book by Nathan Barry a few months ago. In particular a section discussing the ideas of Ryan Singer, Software designer at 37signals, on product quality:

I like to visualize software. Here’s an intuition that works for me. Feature complexity is like surface area and quality of execution is like height.

A hand-drawn representation of a software product like a surface, with different areas dotted in it and the height of the shape representing the qulity.

I want a base level of quality execution across all features. Whenever I commit to building or expanding a feature, I’m committing to a baseline of effort on the user experience. That way feature complexity — scope — is always the cost multiplier, not user experience. There aren’t debates about experience or how far to take it. The user experience simply has to be up to base standard in order to ship, no matter how trimmed down the feature is.

(Ryan has an article on his blog about the subject: What happens to user experience in a minimum viable product?)

Even though conceptually we’d all agree that it’s desirable to build good quality products, Ryan’s surface/heigh metaphor makes it really easy to understand the end goal we’re striving for and the reasoning behind it. It is a great tool that you can keep on the back of your head and use to drive your development efforts on a daily basis.

Keep your focus

It’s more important to ensure a consistent height across all areas of the product than it is to expand the surface. In fact, it is a trade off, there is no expanding the surface if the heigh isn’t going to be kept consistent.

This helps in narrowing the focus of what you’re trying to build, less surface, more height, build something great. This isn’t new, and there are many ways to phrase this feeling, but I always remember Bill Crosby’s:

I don’t know the key to success, but the key to failure is trying to please everybody.

You product can’t be all things to all people. This is why you’ve seen a multitude of minimalist text editors thrive by focussing on what is important and nothing else (iA Writer, Writeroom, Byword…). Have the basics taken care of before thinking about adding new stuff. As Julie Zhuo, Director of Product Design at Facebook puts it, there is a tax associated with every new feature you introduce that you better understand.

Making this shift, this change of focus towards quality, clarity and purpose has benefits all around. It makes you proud of the work you do and it helps to ensure that you don’t have too many features that you can’t pay attention to.

This is where we are going for the next few releases of Dradis Pro: don’t expect a lot of growth in the surface, we’ll focus on pushing and levelling our height, always keeping an eye on the results our users want to realize.

I’d like to wrap this post with another quote about quality and building a software product, this time by Jason Fried also of 37 signals:

It better be good, because people are depending on it to be good