Category Archives: Security Roots

Posts about Security Roots, press, events and announcements.

What I learned attending RailsConf 2023

I was fortunate enough to attend RailsConf Atlanta 2023, and in this post I share some of the thoughts that I gathered while reflecting upon the conference.

What is RailsConf?

RailsConf is a Ruby on Rails developer’s dream. It’s a place where some of the best Rails developers come together once a year to share knowledge and expertise, and meet like-minded individuals. You have the ability to attend workshops from Rails developers that have large YouTube followings, and attend talks that discuss in-depth technical topics. It was an action-packed 3 days, and the best part was how welcoming and diverse the Rails community is!

We’re a small organization, but we have a mighty team!

As the days went on, I began to reflect and compare my experience at Security Roots with what others were sharing about their own working lives. I met developers from all over the USA, Canada and Europe. As we were discussing the different ways that our companies operate, and I was sharing my experience about how we work at Security Roots, it was apparent that we’re doing something special here.

Working asynchronously is no easy feat, but our founder has figured out a formula for making this working model a success.

“How do you get work done if you don’t have meetings?” One developer asked me.

I laughed as this was a common question I was getting.

It was interesting to learn that we had just as many, if not more, releases than most other teams over the past 8 months.

“We have great documentation, and everybody takes ownership of their work. I said. “We find information ourselves, only asking others if we have looked extensively first. We get things done because we know that there isn’t anyone else who’s going to do it for us.

I watched as they stared back at me with confusion, surprise, and undoubtedly one thousand questions running through their mind.

It was eye-opening to learn about other team structures, and what other developers’ day to day work lives look like.

Personal Growth

As a developer relatively early in my career, I am excited by the learning opportunities presented to me each day. Some of them include:

  • Learn the inner workings of virtual machines through debugging with users
  • Interact directly with users to determine what’s working and what’s not working for them, which informs my day-to-day work.
  • Work with a team of people from all over the world, everyone bringing a unique perspective to our work.
  • Take creative freedom in my solutions, and discuss them with my team.

Despite not having meetings, we are a very collaborative and close-knit team, and this is the greatest thing about working at Security Roots.

After coming back, I couldn’t wait to share what I gathered at the conference with my team. Most notably, that what we accomplish with a small team is remarkable. We produce and release more than many other larger teams, without sacrificing quality.

I felt inspired and excited to come back to my team and write beautiful Rails code!

I learned a lot at RailsConf, including:

  • How to contribute to the framework
  • How the inner workings of some of the most abstract parts of the framework function
  • How best to manage incoming Webhooks (from the master himself, Chris Oliver)
  • New command line tools that I can leverage every day
  • New ways of approaching problems.

It was great to be surrounded by so many Ruby on Rails developers who are just as passionate about their craft as I am.

I hope to take more members of the team with me next year!

On being human.

Our team has grown slowly and deliberately from a single person at the start to a nine-person team in 2021. Some things that work well enough on a small team need more thought as the group expands. With that in mind, we are encouraged and continuously reminded from the day we are hired to challenge our status quo and enabled to suggest and adopt changes.

Embracing that opportunity means our internal processes and approaches evolve as each new person joins the team and adds unique perspectives. As a global team, our views are as varied and diverse as the individuals providing them.

We have internal core values and guidelines for working together as a fully remote and distributed team that might be worth sharing in future posts. We have a clear mission, which I’ll share here to save you a few clicks. 

We help information security teams focus on making systems more secure by reducing the overhead of managing and discussing the outcome of the security assessments they perform for their clients (whether these are inside their organisation or outside of it).

Not too long ago, we realized that there is a bunch of info about Dradis out there – how it works, what it does and doesn’t do, how to use it, etc. Still, not much is available to help the community understand the people and company behind the tool. Taking inspiration from companies like Balsamiq, we decided to do something about that gap. Now, we’ve put into words what we believe to share with you and the ideas that give us a yardstick to measure our decisions against. Without further ado:

We are here for the humans. At the end of the day, the work done in infosec is for and about humans. And as messy as humans are, that can make this work frustratingly complicated. Sure, scanning tools and blinking boxes can handle some of it – but pulling everything together requires a human. We are here to make it simpler for you to be human by getting the time sucks out of your way.

Infosec is a team sport. Just like information systems are interconnected, so are the different folks involved in securing them. Sharing clear information and thinking creatively together is often critical to solving the problem at hand, so let’s do more of that well.

Customers + Vision = Roadmap. We don’t have an official roadmap, but that’s not to say we don’t have plans. We’ve got big ideas on how this industry will continue to evolve and how we can best serve you and your customers. That’s why we reach out to our customers and invite your feedback.

It’s your data. You keep it. Whatever data you put in Dradis, is yours, and we like it that way. We respect your privacy and that of your customers like we value our own. We trust that you will let us know how we can improve and make a better product.

These declarations of what we believe are posted on our website so you can revisit them, and new users can easily find them. These beliefs may change as we grow as a team and new voices are added, and as this industry faces new challenges. I hope you’ll help us stay accountable to these beliefs and call us out if you see us not operating consistently to them.

We are human, after all.

The humans behind Dradis
Badges from security summer camp

Hacker Summer Camp 2019

Another Hacker Summer Camp is in the books. As always, there was a lot to see and do – more than any single human could hope to fit into a month, much less a week. Even so, I made it to Black Hat Tools Arsenal, BSides Las Vegas, DEF CON, and volunteered for the Diana Initiative. After a year and a half of working on the Security Roots team, I met Daniel in person and we promptly started talking shop in the middle of a Mandalay Bay hallway. I took a few hours to celebrate a milestone with a fantastic dinner and show. All of that in six days and though it was exhausting, I can’t wait to return.

Daniel and Tabatha snuck into this photo late. Photo credit to the Black Hat Tools Arsenal team.

My introduction to the hacker community was at BSides Orlando a few years back. Initially, I admit that was a bit intimidated to attend a hacker conference. Portrayed in the media as egotistical superbrains or criminals hiding beneath black hoodies ready to drain your bank account, hackers aren’t presented as a welcoming bunch. While those elements exist, what I found there and continue to experience was a group of people eager to share their knowledge and answer my constant questions. The energy and collaborative spirit of the community had me hooked. I was hungry to learn more and later that same year, I volunteered at BSides Las Vegas.

BSides Las Vegas

This year I returned to BSides Las Vegas as a volunteer with the Diana Initiative. Thanks to the generosity of BSides we had an early check-in table for Diana attendees. Much of my day I spent sharing details on the Diana Initiative from how it began, where to find tickets, to how to get involved. The overwhelmingly positive feedback was supportive of the need to increase diversity in information security. I didn’t much chance to check out the talks but there are a few on my list to watch.

Black Hat Tools Arsenal

Daniel presenting at Black Hat Tools Arsenal 2019

Black Hat is the corporate side of the whole week and had a slightly different energy. I joined Daniel for the Dradis presentation at the Tools Arsenal. In my mind, I would show up in my Dradis shirt, hand out a few stickers, and take pictures of Daniel showcasing Dradis CE. Once there, I embraced the opportunity to chat with customers and talk with people about Dradis. I found myself repeating, “If it has been a while, give Dradis CE another look – so much has changed.” 

DEF CON 27

Welcome to DEF CON 27

It can be challenging to make connections at a conference this size. Unlike other large events I’ve attended, smaller distinct groups within the con space allow you to focus your attention and find like-minded folks. No matter your interest, there is a group. There are villages, workshops, talks, meetups, parties, and one of my favorite spaces – hallcon. Finding someone to talk to is pretty easy since #badgelife has most attendees wearing roughly a pound of gear on a lanyard around Las Vegas. This year’s DEF CON badge game worked particularly well to strike up hallway conversations while asking to “boop” someone’s badge.

Tabatha’s badges. A small amount compared to some.

Our staff pirate Christoffer’s post piqued my interest in maritime security, so I made it a point to stop by the inaugural Hack the Sea village. There was a good bit of discussion about the security of our seas even in casual conversation outside of the village, ranging from ICS to the antiquated technologies observed or used onboard. I visited the IoT village long enough to swear off of my existing IoT devices (but not really). While I was there, I cheered on friends that were competing in the IoT CTF.

The evenings held additional opportunities to connect with other attendees, just as varied as the talk and villages. Who doesn’t love a blanket fort? Blanketfortcon has you covered (see what I did there?) with an adult size blanket fort and bounce pad. Hacker Jeopardy is always hilarious, but I laughed the hardest during “Whose Slide Is It Anyways” watching contestants present using a slide deck they had never seen. Parties ranged from bass-thumping events going long into the early morning to more subdued gatherings with board games and great conversation.

Diana Initiative

If I am up at 6 am in Las Vegas, it is for one of two reasons; I am still up from the night before or I am volunteering somewhere. These days it is 100% the latter option, and I was excited to join the Diana Initiate staff to run registration. It turns out I particularly enjoy running registration and check-in, which I can only attribute this to having a generally sunny disposition and a love of spreadsheets. After months of hard work with the rest of the team, it was a gift to greet attendees, speakers, and sponsors and to witness their excitement for the days ahead.

Lodrina Cherne and Tabatha with MaliciousLife swag for Diana Initiative. Photo credit Lodrina Cherne

Diana Initiative has grown from its initial years held in hotel suites and for the first time organized convention space at the Westin. This year Diana Initiative had 65 speakers across three tracks that covered both technical and non-technical skills, several villages, and a CTF. It was a nice break from the noise and crowds of the DEF CON and fostered a welcoming environment for attendees, many at Hacker Summer Camp for the first time. The quieter gathering, smaller size, and inclusivity made for an inviting atmosphere to new faces and established security professionals alike.

Do the thing.

Attending camp this year felt different than my last visit. There are noticeably more women in attendance, to the credit of organizations like WoSEC, WISP, Women’s Society of Cyberjustu, and Diana Initiative. There was plenty of evidence of the work that organizers and volunteers have put in to create an inclusive and safe week including the DEF CON support hotline and improved Code of Conduct. It was incredibly inspiring to connect with the many people that are elevating diversity and bringing change in this fantastic community.

Throughout the week, everyone I spoke with remarked that there is room for everyone in information security; quoting struggles finding qualified candidates and too-large workloads. Increasing the number of women not only brings more workers to the industry, but each person brings a unique lens to approach privacy and security challenges. No matter who you are or what your background, consider this your invitation. Show up, do the work, learn the things, and take your place. And then, share what you know. See you next year!

Tabatha at the Diana Initiative after party.

New Kid On The Block

The blog title gives it away but I’m the new guy over at Security Roots working on Dradis. My name is Matt and I love to explore the world. I was born in Poland, grew up in Canada and I am currently hanging out in one of the most tech savvy capitals, Shenzhen, China. Since I am the new guy I wanted to introduce myself, give you some inside scoop, my experience working with the team and a little bit about my first assignment. 👋

Over many years I have worked on a number of web design and development projects. I pride myself in being a designer with a creative edge and although I have extensive knowledge and experience with design concepts, HTML/CSS/JS, Photoshop, Illustrator, Xd and more, I strive to continuously expand my knowledge with all the ever changing technologies. Currently, as a result of joining Security Roots, I am learning Ruby and Ruby on Rails which, I have quickly realized, it’s quite different from Python and Django. I also enjoy video production/editing using Final Cut Pro X and I have my eyes on a DJI Mavic 2 Pro. 👀

Now let me tell you a little bit about my first month at Security Roots. Initially I was drawn to the job posting because it really resonated with me and I was thrilled when I got an email from Daniel (he’s the big cheese over here if you aren’t sure who I’m talking about) and we discussed the opportunity and by the end of it, all of my needs and wants had been checked off for my dream job. I did a small test assignment, which apparently went well since I’m here, and I got to meet the team. I was a bit nervous about this since I knew everyone had been working together for a few years now and are already in the groove of things. I had all kinds of thoughts going through my mind but I was very excited to join the team. All the nervous feelings were put to rest moments after I joined the workspace as I was welcomed with (virtual) open arms by everyone. With the warm welcome I could feel there was excitement and enthusiasm from everyone that a designer has joined the team. I quickly learned that everyone is friendly, very helpful and extremely knowledgable and skilled in their roles. The work environment at Security Roots is very different from anything I have experienced before but is also the most interesting and effective one in comparison! Everyone works independently on their assignments but at the same time is always collaborating and communicating with each other. Every week there is a new topic that everyone answers in a video and posts it to share with the team. This is a great way to get to know the people on the team and promotes more of a social vibe in a work environment. Curious about what the office looks like? Where is it located? Who has the best parking spot or the prime corner view? Well this is actually one of the MANY perks of being part of the Security Roots team. We all work 100% remotely all over the world, so the office can be anything from a home office to a co-working space, or even a boat! Another great feature of being on the team is consistent personal development. Daniel is constantly encouraging us to grow and develop! Whether you want to learn something new within the industry, take a course or read a book, we have it covered. I love to learn so being part of a company that promotes personal development was very important to me. Security Roots really knows how to treat their employees! ✅

I could go on and on about the perks and first impressions but let’s move on to something you will get to see and experience first hand. The first thing I tackled during my first month on the team was a redesign and update of the user profile page. When I am presented with a new feature that needs to be designed, or a current view that needs to be redesigned, I like to make a list of objectives and goals for the design. I want understand how it will be integrated into the overall project. I do background research on the feature, and use a variety of tools to come up with a few variations of a design, then decide on the best one to continue to develop and finalize. In the case of the profile page redesign, I looked at the current design and identified what the issues were with the flow. We also decided to update to the most current version of the HTML/CSS/JS framework incorporated into the project. There was quite a bit of work to be done to make the view work in the current layout regarding HTML structure and CSS class names. I got the view into something that could be navigated and jumped over to Adobe Xd and made mock ups to see how I could make the page flow better and be more visually appealing. I decided to incorporate a 2-column view which focused on arranging the fields in a way that made more sense. I opt-ed to make the left column show the avatar and API token reset and moved all the text fields into the right column and arranged them in a natural order of flow. Once the front end components were arranged, I added some validation styling and magic to make it all work and BOOM! My first project was completed with better flow and a more user friendly experience. 💣

As a team we truly hope that the new designs are beneficial to you and look forward to any feedback from users on the new designs that will be coming soon to Dradis CE & Pro!

Matt,
Designer.

Dradis Framework Founder’s Letter – 2017

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors so we can keep our users front and center. Were trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And, we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis community edition is being downloaded an average of 400 times per weekWhat we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still,  there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300+ teams. This is a challenge, but we wouldn’t have it any other way. Plus, this the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest our community.

To our best year ever,

Daniel

Dradis Pro is sponsoring BSides London 2014

Dradis Professional is sponsoring the next edition of the B-Sides London security conference:

http://www.securitybsides.org.uk/

B-Sides London 2014 will be held at the Kensington and Chelsea Town Hall on April 28, 2014 in London, UK.

We’ve put together a page for the event and are raffling a Dradis Pro license, read more at:

http://securityroots.com/dradispro/events/bsideslondon2014.html

Are you planing to attend or want to get in touch? Contact us or ping us on Twitter: @dradispro

BSides London 2013 aftermath

BSides London took place last Wednesday the 24th on the Kensington and Chelsea Town Hall near High Street Kensington tube station in London.

I was really looking forward to this year’s edition as for the first time ever Dradis Pro was a sponsor in a security event. There are a lot of lessons learned on that front alone, but I’ll save them for another post.

It was a really long day. I only finished the slides for the Creating Custom Dradis Framework Plugins workshop around midnight the night before and I got to the venue by 8am to give the organisers a hand with the preparations. On the bright side, we had a really good turnout on the workshop:

BSides_London_2013_276

Creating Custom Dradis Framework plugins in action (more pics)

I think that the final head count was around 500 people both from around the country and from abroad. The downside is that we had to prepare around 500 tote bags with sponsor swag, the upside is that some sponsors provided some really nice goodies 😉

BSides swag by ScotSTS, 7Elements and Dradis Pro

The truth is that running an event such as BSides is a ton of work, and the team do it for free. And it doesn’t cost a penny to attend and you get a really nice free t-shirt:

BSides London t-shirt

I don’t think people thank the organisers enough. Thanks guys! To both the visible faces of the organisation but also to the rest of the conference goons that make all the little moving parts of the event tick.

As usual in this type of event, it’s easy to let yourself be distracted by the social side of things. I managed to finally catch up with a lot of Dradis Community contributors and Dradis Pro users. And hopefully meet a few future ones 😉 I finally put a face to some of the #dc4420 peeps and manage to catch up with some people that I no longer get to see that often.

It always baffles me that after working for a company for the last 5 years you get to meet some of your colleagues in a random security event instead of in the office or in an official company event. I guess that’s the nature of the industry we are on though. It was also good to catch up with ex-colleagues from previous lives.

Even though the scheduling gods decided I had to miss Marion & Rory’s workshop in the morning, I managed to get myself a WiFi Pineapple after Robin’s, just in time to rush to the main hall to catch the closing ceremony.

WiFi Pineapple kit

And before you realise it, the day was over and you are having a pint too many at the official BSides after-party…

The Ethical Hacker Network interviews Security Roots founder

Daniel Martin (@etdsoft), creator of Dradis Framework and founder of Security Roots Ltd was interviewed by Todd Kendall for The Ethical Hacker Network:

Interview: Daniel Martin of Dradisframework.org

Previous press appearances:

Espanol – Pauldotcom interviews Security Roots founder

Daniel Martin (@etdsoft), creator of Dradis Framework and founder of Security Roots Ltd was interviewed in Episode 11 of PaulDotCom Security Weekly en Espanol.

We talked about Dradis Framework, Ruby, Rails, open-source in general, Dradis Pro, VulnDB HQ, Nokogiri and a number of other things.

The podcast is in Spanish, starts with an introduction by Pauldotcom’s host, Carlos Perez aka “Darkoperator” (@Carlos_Perez) and at about 1m46 the proper interview starts:

[PaulDotCom] How did your interest in security started?

[Daniel Martin] It was some time ago, there’s always been a computer in my house as one of my brothers studied computer science. Our first proper computer was an 8086.

I started on the sysadmin side of thinks, playing with the different Linux distros available back then. When I got in college, I got involved in different linux and electronics student associations. I even gave a bunch of *introduction to linux (training courses to other students.

At the very end of my masters, I was lucky enough to join my university’s Solar Decathlon team. I was tasked with all things geek: from sysadmin, to setting up the wireless links to providing a web interface to the house’s control systems and securing it all.

After that, I went to work in the security industry from day one. First in Spain, for an integrator, soon after that I moved to the UK where I lived for four years. About a year ago I moved back to Spain although I’m still working for NGS Secure in the UK.

[PDC] I know them, they are the creators of NGSSquirrel an some other great auditing tools. As we discussed before, I’ve used their tools in the past and they are very useful. Unfortunately these days, as Director in Tenable I don’t get to spend a lot of time tinkering around with tools and techniques… only in my spare time I get to review tools. the latest attack techniques and keep up with the work in this podcast and my website.

After hearing your story, you reminded me of a question that I’ve always had. These days people that want to get involved in security they jump feet first into it: they start learning C and assembly, or this attack technique or how to write a brute-forcer, how do I do this and how do I do that. However, not too many people take the time to learn about the sysadmin side of things and the tasks involved in day-to-day systems administration. Do you think security courses and degrees should pay more attention to this side of things? Should people that want to get into security develop some sysadmin skills initially?

[DM] For me there are two things that really make a difference on your day-to-day: on one hand there is this aspect of sysadmin you have mentioned (e.g. having compiled your own Linux kernel, creating small shell scripts for sorting out little tasks, etc.), on the other hand having a background in development is also a great asset. You’re always going to have to put together a script or small program because you don’t know what you’re going to be facing. It’s good to know a dash of .Net, Java, Ruby, or whatever. Having this focus on both the sysadmin and development aspects should definitely be pushed.

[PDC] We are on the same page there. One of the first things I usually recommend to people that want to get into security is to try to rewrite some of the very basic tools. You can use whatever you feel like, you can use Bash, Perl, Python… but the important bit is that you write it yourself so you get to learn how it works underneath the hood. Match your tool’s output with the proper one, make packet captures, etc. This forces them to go beyond the script-kiddie approach, the point-and-click mentality of just running XYZ tool and consume its output without understanding how it works.

Dradis Framework and Dradis Professional Edition

Another area that I feel is left a bit unattended is the business side of things. This is one of the things I really like about Dradis which helps a lot in one if the areas that people struggle with which is the organisation of information. A lot of the folks in security suffer from ADD. I can loose my focus very easily. This is even worse now with my daughter running around the house. When I’m getting into _the zone_ and I’m starting to craft my code, my little girl comes knocking at the door or with her Barbie doll that needs a change of clothes or complaining about Netflix not working properly… and I completely lose my train of thought. Thankfully Dradis helps me to get back on track because the information is organised and is well organised in a single location. This is especially handy when the most painful part arrives: writing the report. Dradis provides a nice shorcut to get my reporting done more efficiently.

So, how did the Dradis project start?

[DM] To be honest, it was driven by the sort of thinking you just mentioned. During my day-to-day work as a security consultant I felt that pain: having to organise all the data you are collecting, having to create a thourough report, etc. In addition, when you are working as part of a team you have the additional overhead of managing everyone’s findings, splitting the tasks, figuring out what has been covered already, what is still to be covered, etc. At the time (and this is 2007) there was not a whole lot in terms of collaboration tools to help in managing this process. After putting together the first release of the tool, I presented it to my colleagues and then straight into the open source community [first in SourceForge and these days in GitHub ].

[Audio fades here, but I was explaining about how the over 23,000 downloads, more like 24,000 now, of the open-source package encourage us to carry on working on the tool.]

[PDC|9m43] There is a feature in Dradis that seems to be lacking in some other pentesting tools. Tools like Core, Metasploit or Canvas don’t have this teamwork and collaboration capabilities or modules to gather information from 3rd party tools… this flexibility. Some of them, like Metasploit, are starting to have it, through the GUI you can import and some stuff, although other stuff remains hidden and you need to use the console to get it. Core now integrates with Metasplioit. Canvas still doesn’t let you import from other tools. Dradis fills in this gap in the pentesting and audit market.

[DM] Some of these tools you’re referring to are commercial products that try to be systems not broadly open. They aim to be a catch-all solution for all their customers. In contrast, Dradis as an open-source project thrives with that openness. We try to be as broadly connected as possible, trying to make the most of what other tools in the pentester’s arsenal can provide.

[PDC|11:15] Dradis is written in Ruby, what made you decide Ruby was the best fit?

[DM] Well, to be honest, I was looking into learning Ruby back when the project started. They say it’s always better to have a concrete project to work on when you are learning a new language. If on top of that you put the features that you get out of the box with Ruby on Rails (which was starting to gain popularity) the decision of picking Ruby was an easy one to make.

[PDC|12:07] What license is Dradis distributed under?

[DM] GPLv2

[PDC|12:12] You also have a commercial product called Dradis Pro?

[DM] That’s right, after releasing the tool in 2007 we’ve had a bunch of contributors over the years like Siebert, Rory, Ken and Robin. Today, five years and 23,000 downloads later the story is a bit different. When we first started it was the pentesters and consultants themselves that saw the value in what we were doing. They had the same pain we had and they saw in Dradis a tool to make their lives easier. Over time, the companies these early adopters worked for started to see the benefits of our approach. They realised that each and every single one of their projects had to deal with collaboration, collation of results, etc. and that it would make sense to be systematic about how to approach this problem. They reached out and contacted me to find out whether commercial support was available or whether I could create the custom plugins they needed. This demand is what drove me to start Security Roots and launch Dradis Professional Edition in June 2011.

[PDC|14:08] What is the difference between the Pro edition and the Community edition?

[DM] The main difference is that Pro is tailored to organisations. It is a virtual appliance that is deployed in the company’s network so everyone in the team can access it, create and account and start using it. It is also supports multiple projects: you just log in and choose what project you want to work on today. This allows for several different teams working on different projects at the same time. It’s very easy to upgrade too, so it’s easier to have the latest version installed (as opposed to each person having to upgrade their own version of Dradis every time a new release is shipped).

These type of organisation usually pursues a specific goal: they need to create a high-quality deliverable for their clients. In Dradis Pro we have put a lot of effort into making sure that complex reports can be easily generated and customised, even to the point where you can use your existing templates and harness the power of Dradis very easily without having to start from scratch.

[PDC|15:50] One of the features I like the most in Dradis is the ability to import data from external tools like Nikto or Nessus. What other sources of information can be imported into Dradis?

[DM] I think we currently have around 15 import and upload plugins [You’ll here me typing like a monkey to get a precise answer…]. So the list includes: Burp, Nessus, Nmap, NeXpose, Metasploit, OpenVAS, you can also get entries from the OSVDB, Retina Scanner, webapp testing frameworks like w3af and wXf, Zed proxy… there are a lot of them!

[PDC|17:04] Yeah, I can see that. All these are plugins written in Ruby, right? How do you create one of this plugins?

[DM] Yes, these are vanilla Ruby scripts, they are easy to make, some of them have even been contributed by our user base. People give back to the project and sometimes when they create a plugin they need, like the Retina one, they just share it with us.

For people wanting to develop their own plugins we have created a bunch of step-by-step tutorials that can be found in the Dradis Guides site. There are guides on how to create Upload plugins (I believe the example we have is based on our work on the Zed Attack Proxy plugin) that show you how to parse the output produced by a 3rd party tool. There is another one for Import plugins, which are used to query external systems and retrieve the results like what we do with the OSVDB.

[PDC|18:36] I’ve been checking the site because I want to write a plugin for my very own tool, dnsrecon. It does generate output in three different formats: SQlite3, XML and CSV. I wrote a XML and CSV import plugin for Metasploit but Metasploit is not very well suited for import and data manipulation, I thought I should give Dradis a shot because of its friendlier approach to external data manipulation. Anyway, I think I’m going to start writing my own Dradis plugin.

[DM] That sounds great. You can find a lot of good examples already in the source code to read XML. There is also a nice example of reading from a SQLite3 source in the SureCheck plugin. I don’t know if you’re familiar with this tool, but it’s a very handy build review tool, created by another NGS colleague, for Solaris, Linux and Windows.

There is also another way to get your results into Dradis even if you don’t want to create a plugin. You can use the HTTP interface that Dradis provides. We provide a REST API that can be invoked from within your tool to add data to Dradis on the fly. I believe that the fine wXf team have this implemented in their tool.

[PDC|20:45] Oh, I wasn’t aware of that! Sounds very interesting. I may checkout your Metasploit plugin and maybe update it if there is something that can be added.

[DM] Well, that would be very interesting because I think that with their latest changes in the XML-RPC interface our plugin may have broken.

[PDC|21:12] Yes, I think they want you to connect directly to their DB. They have made a few changes. One of the things I things I must admit as a Metasploit community core contributor is that it changes a lot and changes very fast.

[DM] Well, we have suffered something similar with Ruby on Rails which is a library that evolves really fast. Too fast for our liking…

[PDC|21:38] Yes, you mentioning before you found a bug in Ruby on Rails due to the changes they’ve introduced in the newer libraries. Are you guys trying to keep up with the latest stable release of Rails?

[DM] Yes, we just release Dradis v2.9 which features Rails v3.2.0. Unfortunately I believe they released v3.2.1 two days before we shipped and we couldn’t update in time.

The problem is that Rails is a very fast-paced community, they are always innovating and adding features. Recently with the change from v2.x to v3.x they have introduced a lot of new stuff that is not always backwards-compatible. It made sense for us to switch to 3.2 as soon as possible to avoid further issues down the line.

[PDC|22:50] I know what you’re talking about. I still remember when Ruby moved from v1.8 to v1.9. The pain of handling strings, multi-line strings, character set encoding, UTF… These days I just assume v1.9 in my code and if someone comes complaining about it not in 1.8.5 or 1.8.6 I just ask them to move to 1.8.7 (because they already backported much of that stuff). If they don’t want to upgrade to 1.8.7, that’s too bad, but I won’t be adding version-checking code to my tools. Something similar happened for dnsrecon. After writing it in Python v2.6, and even knowing that Google (who employs Guido) hasn’t really moved to Python 3.x, I decided to take the leap myself. I didn’t know what I was getting myself into. What a headache! The code ended up cluttered with version-checking and error-checking code. Definitely not a pleasurable experience.

[DM] For us, the change between Ruby 1.8 and 1.9 is not so painful as Rails takes care of most of the underlying magic that makes it work in both worlds. Nevertheless, this current release (v2.9) is in the last one we are planning to support Ruby 1.8. From now on, we will be 1.9.3 and above.

The other issue, and we haven’t discussed Dradis project goals yet, is something we realised very early on: every single one of our users is going to run Dradis in a different way, in a slightly different platform. This means that a lot of work and a lot of hours go towards ensuring that Dradis is cross-platform. There is a lot of headaches involved in getting Ruby to play nicely on Windows. That would be another pain point for us.

[PDC|25:58] Surely someone is going to say they want to run Dradis using JRuby, MRuby… etc. That’s one of the things we saw in Metasploit. People wanted to make it compatible with JRuby, because JRuby is written in Java which should be faster when you have to manage a lot of information. But then I believe JRuby is only compatible with Ruby 1.8.6… we are walking backwards!

[DM] Thankfully no one has requested JRuby (or any other Ruby VM) compatibility. However, should the day come, the fact that we are hosted on GitHub and integrated with the Travis:CI continuous integration system, should make it easy for us test our code base against different Ruby VMs. Using Travis, there is a way to specify what Ruby VMs you want to run your tests against. We are currently running on v1.8.7, v1.9.2 and v1.9.3 looking into running them just into v1.9.3. If someone requests another Ruby VM, hopefully adding it to the continuous integration engine would do the trick.

[PDC|27:22] So, what are these project goals you were talking about? What is in the tool’s roadmap?

[DM] We are still working on improving the user experience. We need to make Dradis even more user friendly and stable.

We’re also focused on collaboration. A couple of versions ago (in v2.8) we introduced the Smart Refresh: you get instant updates with information modified by other members of your team; when something changes, it is replicated to all the other users on the same project. We want to keep improving that.

We also want to get a cleaner interface, easier to use, easier to get at a glance. Pick up on things like Ajax errors, we need to present them in a better way to prevent data loss. There is still some work on this. We need to be as reliable as Notepad, that you don’t even notice that you’re using, it just gets out of the way.

[PDC|28:57] As an open-source developer, this project looks very healthy. It seems that you guys are doing a great job. I know what it means to develop open-source: long nights, lots of time sacrificed to make it work.

[DM] I have to agree with you, there is a lot of work involved in trying to make successful an open-source project. I remember, back in the day, when reading about open-source project management and how it was very likely that the project would fail and how difficult it was to make it take off… Truth is, there is a lot of work, and it is not always rewarding. I think I mentioned we had about 23,000 downloads, well, just a very small fraction of all those users that have given Dradis a shot at least once decides to get involved. Often times they don’t even bother with giving feedback, making a feature request or fill in a bug in the tracker. For the project contributors, energy comes from people that not only use the project but also go the extra mile and reporting bugs, or come up with new features or ideas that we should implement. This type of feedback is really important and pushes you to carry on working. Thankfully over the last few months we are also improving in this respect. When we moved the repo to GitHub about a year collaboration improved thanks to the features provided by their platform.

[PDC|30:57] I know what you’re talking about. Initially I wrote dnsrecon in Ruby, improving it day after day. Soon afterwards they guys at SecurityTube decided to feature dnsrecon in one of their reviews. I was very excited about it and was eager to find out whether they loved it or hated it… It turned out they hated it: “it fails”, “it doesn’t find this”, etc. I was able to reach out to the author to ask him why he didn’t report any of his findings and he said he didn’t think about it. ‘- But how long were you playing with the tool?’, ‘About two or three months’… I don’t know why he didn’t think about getting in touch, especially considering my email appears every time you run the tool!

I get a similar feeling when going through old code I find a bug that were introduced months ago but I didn’t realise it because in my dev environment it just works fine (because I have that especial tweak that makes this work). Sure people using the tool must be getting errors because they don’t have the tweaks I have in my dev box! Why no body is reporting these errors? Is someone using the tool? I’ve spent some much time to make this tool work and I didn’t receive any feedback…

Thankfully one of the guys that is providing a lot of quality feedback lately is Robin Wood (@digininja), also involved in Dradis development. He’s help was invaluable, specially for the version I ported to Python, apparently they use it a lot at his work [at RandomStorm]. He said, I don’t use Fierce or DNSenum any more, I’m using DNSRecon exclusively. At the very beginning he was submitting bug reports almost every day. For instance, when he mentioned that a certain UK-based host was giving him grief, it turned out the company had their DNS servers misconfigured (they had a SOA record but no NS or A records). This type of thing forced me to look more into DNS implementation in the wild as opposed to the DNS standard and theory which is something very valuable.

Seeing that your tool is being used by others, is what encourages open-source development, even if this results in bug reports (oh no! more bugs), it means that you are helping someone. Even if the bug is filled at 1am you want to deal with it there and then. It kind of makes you proud of your work.

[DM] Definitely. However, if you go down that route you may spend an ever increasing amount of time fixing bugs that should have not made it to the production code to begin with instead of focusing on adding new features and implementing new functionality. We also have people eager to develop their own private Dradis plugins that join our IRC channel [#dradis at irc.freenode.org] and complain because there is not a lot of documentation available.

[PDC|35:00] And you feel like strangling someone…

[DM] Hehe, no, not at all. They are right! However, there is a tremendous amount of ground to cover, a lot of work. I tend to spend a few hours on it every day, the other contributors spend as much time as they can (they are all fairly busy) but there is huge amount of work. It is a juggling act between bug-fixing, pushing new features and writing documentation. There is another side to this, now with Dradis Pro we have a group of users that are using Dradis for real, it is a key part of their business processes a tool they rely upon. That’s also energizing, you know you have to keep improving, adding features and continue to make these people’s lives easier.

VulnDB HQ

[PDC|36:28] So apart from Dradis, there are a bunch of other things you are involved in at the moment…

[DM] That’s right. Most are closely related with this group of Dradis Pro users.

Organisations that understand the value of using Dradis to manage their projects, share information, etc. the next thing to streamline is reporting. In any given security review project you’re likely to find a bunch of bugs that you have discovered previously in other projects or for other clients.

For instance, SQL injection, server config issues or XSS. When the time comes to produce the final deliverable, a lot of what goes into the report could come from what you already wrote in a previous report (not the nitty gritty details, but say, the description of what SQLi is).

Back in the day, our VulnDB product was a platform to manage these type of information chunks. Organisations could have a repository of templates for common issues that they can reuse. If SQLi is found, then copy the standard template, add the instance-specific details of this particular case and be done with it. There are several key advantages to this type of approach: you have all your templates in a single repository that facilitates collaboration and improving upon the existing entries (for example, if a new CSRF paper is published, you can quickly edit your template and add it to the References section of your CSRF entry). This means that you have a single ‘master’ description for all the common issues, something that your team improves over time and gets reused every time you have to produce a report. That saves a substantial amount of time. The alternative is to rely on your memory to remember that months ago there was this project that had a related issue. If you are lucky and remember the project and can find the report, you may be able to reuse some of it. If you aren’t so lucky, you’ll end up writing it from scratch again, and maybe you’ll forget something important (not ideal for the consistency of the deliverables either).

We are now launching VulnDB HQ, a service that enables organisations to manage their repository of vulnerabilities and report entries. It connects with Dradis so you can easily import entries from your repo into Dradis and click ‘Export’ to get a high quality report. Instead of adding a short note like ‘HTTP TRACE is enabled’, you can import the full description, maybe paste in some details and mark the note as ready for the report. This takes about the same time a standard ‘note to self’ would have taken, but goes a long way towards cutting your reporting time.

In VulnDB HQ, in addition to your private repository, you also get access to the Public repository. This Public repo is maintained by us and contains dozens of vuln descriptions already and you can use them (or use them to inspire your own versions). This is very valuable because we take care to provide quality references for our issues that you can also checkout to learn more about them.

[PDC|41:05] Are you also planning to add some delta-reporting type of feature, where users can compare their current results with the results of previous projects? That would be a valuable feature for a manager type if you can provide a dashboard of changes showing the evolution over time for a given set of assets.

[DM] Well, VulnDB HQ is just a platform to manage the entries for your reports. These features you are now describing for comparing results and evolution is more in line with what Dradis Pro is about. In Pro you have different projects with all the details in each case. It should be straightforward to match data from any two projects. I trust that these features will end up being implemented in Pro in the future.

[PDC|43:21] So, when is VulnDB HQ officially launching? That link you sent me said it wasn’t open yet…

[DM] Hopefully by the end of February. We are in private testing at the moment with our Security Roots customers and fine tunning the last few bits and pieces. [We’re now open for business, head on to http://vulndbhq.com/why to find out more]

[PDC|44:03] That’s very interesting. It is amazing how people get passionate about what they love. In your case you have your day job and then Dradis is your second job.

[DM] Hehe, yeah, the job after my job.

[PDC|44:28] So, is there any other project that you are involved in that you want to talk about?

[DM] To be completely honest, my schedule is currently quite full as it is with all these things we’ve been talking about. Between liberating new releases of Dradis Community and Professional and launching VulnDB HQ I’m fairly busy. That of course doesn’t take into account the standard 8h of work of my day job.

[PDC|45:03] He he, definitely. I noticed it when we were arranging this interview, you telling us you hadn’t slept that night and such things. I was wondering whether you had a little baby to take care of or something else to keep you awake… But then I saw on Twitter a couple of days later that the Dradis v2.9 is out I understood what was going on…

[DM] Yeah, the problem has been that v2.9 was ready for a while now but there was this bug that we couldn’t hunt down. Unfortunately it was on a critical component, file uploads, so we had to make it work before releasing v2.9. We also released v1.4 of Dradis Pro also had to wait for Dradis v2.9 to be released. A bit stressful.

Open source, Ruby and Rails

[PDC|46:22] So this was the bug introduced by the Ruby on Rails guys?

[DM] Not quite, It is a bit of a especial case. We realised some time ago that parsing files containing tool output could be very time consuming. Especially if it is a biggish file like a Nessus report. If you try to upload and parse in line while the user is waiting, the experience is not great, it takes too long. To work around this, we have a background process that deals with larger files (>1Mb). The bug was in this worker process. We’re using a fairly old library to manage background tasks. It is fairly old, but there were not a lot of options because we needed our code to be cross-platform (we strive to make Dradis platform-independent). The Rails guys made some changes in v3.2 that broke this library. We had to patch it, but it was a bit of a nightmare.

[PDC|48:28] Yes, I can imagine you throwing “puts” all over the place to get some debug traces…

[DM] Well, that wasn’t even good enough. The exception was thrown within Rails code not our code. The library’s code caused Rails code to choke several layers down the rabbit hole. We had to use ruby-debug to go down the call stack to find out the culprit and figure out what was going on.

[PDC|49:15] Yup, sounds like a real nightmare. No wonder you didn’t get any sleep… You started me thinking, I’m using the Nokogiri library and I was wondering would it work in Windows?

[DM] Yes, thankfully it does.

[PDC|49:32] I’m asking because I remember when I created DNS Recon importer that I used the REXML library shipped with Ruby. It was slooooooow. I tried a PTR scan of 300,000 and it took aver one hour and 4 gigs of RAM. Then I learned about Nokogiri and rewrote my parsers and was able to cut it down to 3 or 4 megs of RAM and a fraction of the time. Trust me, I’ve suffered the pain of XML parsing!

Would it be an issue if I write my plugin using Nokogiri?

[DM] Not at all. Conveniently enough the step-by-step guide we have explains how to use Nokogiri efficiently in your plugins.

[PDC|51:09] Since I already wrote the plugin for Metasploit in Ruby, it should be easy.

[DM] Definately. Actually in v2.9 we’ve revamped the Nessus, Nmap and Nikto plugins to use Nokogiri instead of REXML. It is a lot faster. We benchmarked the Nessus plugin and the new one is 60x faster than the old one.

[PDC|51:38] Wow… People, anyone using an older version Dradis please update!

[DM] Yup

[PDC|51:44] I miss the 90s when everything they teach you at uni was how to use flat files, and not this XML nonesense…

[DM] It is a matter of finding the right tool. Parsing XML with Nokogiri is a different story. Very simple.

[PDC|52:22] But documentation isn’t great… you get a list of methods, but that’s about it. No return values, not much info…

[DM] Hopefully you’ll be able to use the code in some of our existing plugins to help you there.

[PDC|52:52] With that an Ruby’s IRB (Interactive Ruby shell) that should be easy. Going call-for-call with irb makes your life a lot easier.

[DM] Now that you bring it up, people are usually not aware of the powerful console that ships with Rails. It is an irb environment with all the application preloaded. It is an IRB session that lets you query your Dradis repository, you can check your Notes, Categories, Attachments, anything! It’s pretty powerful, I use it on a daily basis. Unfortunately it isn’t very well documented either [although we’re getting there: Dradis Development 101]. It’s a great debugging tool. That’s a protip right there.

[PDC|54:17] Since this is turning into to a development episode, what’s your favourite editor: vim or emacs?

[DM] Vim

[PDC|54:32] For some reason, I got a flashback to the FOSS-weekly podcast where they always ask the favourite editor question 🙂 I’m looking forward to Matz’s next release of his Ruby interpreter (MRI). I saw in Rubycon he said he was jealous of Lua and running scripts in embedded devices like Android phones. He’s working on an ultra-fast Ruby implementation for those environments.

I know Ruby is a great community, I’ve never looked into Ruby on Rails, but after talking to you I think I’m going to give it a shot.

[DM] You are right, even considering all the issues we had, Rails makes your life a lot easier. You get a lot out of the box.

[PDC|56:10] Daniel, thanks again for your joining us in this new edition of Pauldotcom en Espanol, it’s been a pleasure having you. Dradis is a tool I use quite a lot. I’m going to make sure that I include in the show notes all the links you provided. I’d like to invite everyone to give it a shot, but refrain from trying to run it in weird environments like HP-UX or AIX 😉

[DM] Well, if someone tries it in those platforms, please make sure to let us know how it goes. And remember that any feature requests are also more than welcomed.

Thanks for having me in your show and for the opportunity to discuss our project and reach a broader audience. It’s been a pleasure.

Open-source project released: passdb

On Wednesday we released passdb a Ruby gem to search CIRT.net’s default password database.

We have decided to host our gem’s source code in GitHub (which we will be using in the future to host all our open-source contributions). Find the repository, documentation and install instructions in:

https://github.com/securityroots/passdb

Future plans for the library include adding an option to submit new entries, so the guys at CIRT.net can keep their database updated with the latest additions.

Feel free to fork and submit pull requests. If you find the library useful or have suggestions for improvements, we will love to hear about them.