We are excited to share that we are working with the team at chronyko to present the first-ever HackFu: Community Edition – Friday 29th January 2021 – 9am – 5.30pm GMT.
HackFu is an award-winning immersive learning event designed by chronyko for cybersecurity professionals. Set in a dystopian world in the late 21st Century, participants are tasked with supporting the next phase of humanity’s journey back from the brink.
Participants will each receive a Survival Pack in the post containing items essential to their mission. They will also be provided with access to exclusive pre-event activities to learn more about their mission and the world they will be entering.
The event will run from 09:00 to 17:30 GMT on the 29th January 2021 and will primarily be accessed via web conferencing software and a browser. However, other cybersecurity software and tools (e.g. a VPN client) will be required to access and complete the technical challenges.
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
MS Word Filters – OR, NOT
Filtering content using OR and NOT hasn’t been possible until now! Now you can add OR and NOT operators to create a dizzying amount of control for your report output. As always, you can string together multiple filters to get the results you want to populate your report.
Imagine That!
We’ve added the ability to upload an image anywhere the editing toolbar appears. Dragging and dropping into the editing area works too, saving you a few steps to add images in your project to show evidence, support your statement, or even add a meme to your comment.
Even More Validation
Validating your project before generating it has long been available as a good step to preventing some of the most common report errors. Now, view additional validation in summary views and a panel to help avoid those errors as you are working with report content to catch problems early.
For an at-a-glance way to see what needs a bit more work, the issues and evidence tables include a column showing if that item contains the correct information.
Issues, evidence, and content blocks now have a validation panel that will highlight problems as you work.
Release Notes
Add a validation panel for Issues, Evidence, and Content Blocks
Add a validation column for Issues and Evidence table
Auto upload attachments and screenshots without requiring the use of the staging area
Cards, Evidence, Issues, and Notes now have their own attachment support
Displays a notification badge in the browser tab when there are unread notifications
Editor: Allow drag & drop, copy & paste, and direct image uploading
Increase the node properties column size by changing it to LONGTEXT
Layout: Breadcrumbs have a fixed position
Upload Manager: better validation
Bugs fixed:
Live filtering of templates (methodologies, notes & projects) via sidebar
Use absolute send times in notification emails instead of relative
Reporting enhancements:
Excel: Fix report generation exceeding the maximum cell limit
Word: Add NOT and OR operation for filtering content control
Word: Allow non-English localization documents to be exported
Automated reports, generate the same reports your clients know and love in a fraction of the time.
Per-Tool Permissions
Before Dradis Pro v3.8.0, Admins had access to everything and Authors had access to a subset of features. Now, you can give specific Author users permission to use the tools they need. And, you can give them just the level of access that they need.
Each Author can be given access to specific projects. And, for tools like the IssueLibrary, the Rules Engine, or premium tools like the Remediation Tracker, Authors can be given action-based permissions. Do you only want Author #1 to be able to Read IssueLibrary entries but not create, update, or destroy them? You can do that! Do you want Author #2 to have full control over the Rules Engine? You can do that too!
AffectedCount and AffectedList controls
We’ve had the Affected content control for a long time. The Affected control exports a de-duplicated list of comma-separated Nodes for a specific Issue. But, what about if you needed each de-duplicated Node on a new line or in a bullet list? Or, what if you need to count the number of affected Nodes for your Issue?
We’ve rolled out 2 new content controls: AffectedList and AffectedCount. As you can see in the before/after example below, the AffectedList will export the same data as the old Affected content control, just in a list format. And, the AffectedCount will output the number of unique Nodes that the Issue is associated with.
Do you need help updating your report template to use these new content controls? Email our support team and we’d be happy to help!
Project List table
We’ve also updated the Projects page to help you find that one Project you’re looking for. Your most recent projects will appear at the top of the screen as always. But, at the bottom, there’s now a sortable and filterable table. Click the column headings to sort the table by that field. Click the 2 columns dropdown to display different fields. And, type in a keyword to filter the table and display a subset of Projects.
Release Notes
Add all activity view
Give dynamic columns, sorting and filtering to project list table
New Per-Tool Permissions
Premier the new project permission panel for testers
Introduce permission management for Issue Library, Rules Engine, and Remediation Tracker
Remove inconsistent content blocks breadcrumb
Render markup inside table columns
Update top navigation link styles and collapsed menu
Upgraded gems: rack, sanitize, sassc
Bugs fixed:
Comments:
Removes the edit link while editing
Fixes lingering comment borders after deleting comments
Resolves broken OVA and DUP upgrades on VMs running in ESXi
Prevent icon overlap of long headers in secondary sidebar
Fixes overflow of long unbroken table cell text
Prevent text overflow onto select areas
Word report generation no longer errors with extra document properties
Integration enhancements:
IssueLib: markup rendered in columns
Reporting enhancements:
Excel: add Tag column
Word
New AffectedCount content control
New AffectedList content control (one host per line)
Update exported tables to have 100% width by default
Formatting Toolbar
Formatting text is even easier now with the editor toolbar. The toolbar makes it simple to enter and format text in an issue, evidence, notes, comments, and methodologies without needing to use Textile markup. The live preview updates with your formatting changes as you work.
Form Editor
Manually create issues and evidence using the form view, rather than using Textile field names and details. Name the form field and add in details for each item and the live preview updates as you work on the side.
If your project has a predefined template, using that template will create those form fields ready to populate.
Prefer to work with Textile? The source view is still available so you have the best of both worlds.
Dots Menu
In order to make the most of the available screen space, some item options – including edit, delete, and subscribe – have been moved to a single “dots” menu. The dots menu is located to the top right of the item and includes the actions available for that item.
Methodology Improvements
Cards in methodologies no longer require a due date. This is helpful for cards that are templates or hold information that doesn’t need to be locked to a specific date.
If a card has moved from one list to another, the original card link will redirect you to the card at its current location. Previously the link to the card would be broken, leaving you to hunt around until you found it (or didn’t and gave up looking).
Making it easier to find the board you are looking for, you can click on a methodology in the project dashboard or the board name in the activity feed to go to that board.
Release Notes
Add author to evidence and notes views
Add dynamic columns, sorting and filtering to Projects list
Add team name link to project navbar
Adjust Uploads layout to provide more visibility to the output console
Allow renaming and deleting boards through their dots menu
Avoid browser pre-populating password fields when editing users
Card improvements:
No longer require a mandatory due date
Redirect to new url if the card has changed lists
Show board name and link in the Activity Feed
Card, Evidence, Issue, and Note form data will not be lost even if the form is not saved
Clear the form when the “Cancel” link is clicked
Remove prompt to restore data and instead persist and restore any changes seamlessly
Comments
Add Textile markup
Changes are not lost even if the comment is not saved
Update comments feed to show author’s name instead of email
Display note and evidence titles in breadcrumbs
Display the Dots-menu in all views
Editor improvements:
Formatting toolbar to help with markup
New form-view to edit each field individually
Side-by-side editor preview that auto-updates
Generate consistent URLs in emails
Increase the size of output console
Let Admins be added or removed after a project is created
Link to Methodology from project summary chart
Move resource action links to dots-menu in breadcrumbs
Persist the state of the navigation sidebar in projects while navigating across different views
Remove tag color from issue titles in issue summary
Update code element style
Use shared noscript partial
Use user model reference for activities instead of user email
Upgraded gems: puma, rack, rails, sass-rails
Bugs fixed:
Allow Authors to set project permissions on project creation again
Fix Board partial broken structure
Fix ItemsTable extra whitespace causing unnecessary vertical scrolling
Fix Long items_table dropdown menus not scrollable
Fix Long project names interfering with search bar expansion
Fix breadcrumbs in cards under node boards
Fix textile preview not showing on issues with very long text
Prevent repetitive prompt when images are pasted after navigating multiple views.
Prevent report ‘Download’ button becoming a disabled ‘Processing…’ button once clicked
Render Textile preview of issues with very long text
Hello, good looking.
We’ve introduced a new project theme for Dradis. Tylium* is more than sprucing up the design with sleek lines and modern styles. It incorporates thoughtful details to improve your workflow and provides us greater flexibility to address your UI feedback moving forward.
This is a big visual change, but you won’t have to hunt for the Dradis items you rely on since they haven’t gone too far from the previous theme, Snowcrash. We’ve minimized the impact on your day-to-day use of Dradis by keeping the feel and flow of the app familiar.
Tylium optimizes your workspace, keeping the purpose of each view in mind. It adds space where you need more real estate for updating findings and resizes or rearranges elements when you need to see the big picture. An example of this can be seen with the collapsible sidebar that adds roughly 20% more space and keeps all sections of the app quickly accessible, even adding a dashboard link to the project summary.
As always, we’re eager to hear what you think. If you have feedback on Tylium drop a comment here, send it via email, or share it in Slack.
*It is SOP at Security Roots that we honor our nerdoms where we can. Snowcrash, the previous theme, is a nod to Neal Stephenson’s cyberpunk novel of the same name. Our love of Battlestar Galactica continues on with the new theme, paying homage to the powerful fuel source used in the series – Tylium.
Report Generation Errors
Everyone knows that validating your report before generating it saves you the headache of tracking down problems with the report later. The validator is now more helpful, providing additional context to help you locate the problematic evidence. And if errors are detected during generation, the option to download the report won’t be displayed.
Release Notes
Update app to new Tylium layout
Add the ability for kits to update an instance’s Plugin Manager templates
Add revision history for cards
Bugs fixed:
Updated support beacon. Legacy support was dropped for older versions
Fix errors on content overwrite flash messages
Fail and redirect to login instead of raising an error when attempting to log in as a user that has been removed
When a report export is invalid and errors we disable the download button to prevent further errors
Fix the mail initializer not finding existing configuration settings from the db
Fix Cancel link path for the Note Edit page
Fix services_extras not being excluded from Excel exports
Fix Rule checking for non-existent fields
Integration enhancements:
CVSSv3 calculator provides access to all Temporal/Environmental fields
Reporting enhancements:
Add support for ellipsis
Better Evidence references on failed validations
REST/JSON API enhancements:
Add team (team id, team name, team_since) in the teams API endpoint
Security Fixes:
High: Authenticated author can no longer continue to make project changes and will be logged out after being disabled by an admin
Medium: Prevent admins from updating other user’s comments
Now you can have your notifications emailed to you when you aren’t working in a Dradis project. Each user can adjust their notification settings to receive them individually as they happen, in a daily digest, or not at all. Get started using email notifications by configuring the mail server on your Dradis Pro instance.
A few @mention enhancements are in this release, including loading an @mentioned user’s profile photo or gravatar so you quickly spot who is in the conversation.
Burp Suite Issue severity
The way that Burp Suite handles severity is different from other integrations. Burp assigns severity to each instance of an issue as evidence and doesn’t assign severity to the issue directly. As a result, this was leading to several pieces of evidence with different severity levels for an issue with no assigned severity in Dradis. Now, Dradis will assign the issue severity using the highest evidence severity level.
Table Sorting
Finding the information you are looking for in a long table is easier with table sorting. Tables in Dradis can be sorted by any column. Click on the column heading of your choice and presto, change-o the table is sorted.
Release Notes
Email notifications
Add notification settings to decide how often to get email notifications
Add a smtp.yml config file to handle the SMTP configuration
Preserve SMTP configuration on updates
Various mention related improvements:
Enhance the mentions box in comments to close when it is open and the page is scrolled.
Fix bug that prevents the mentions dialog from appearing after navigating through the app.
Fix elongated avatar images so they are round once again.
Added avatar images to mentions in comments.
Load Gravatars for users whose email has been set up with gravatar.
Add and update methodology download links to Dradis Portal
When adding new nodes, node label data is now copied between the single and multiple node forms.
All tables can be sorted by column
Bugs fixed:
Fix handling of pipe character in node property tables
Fix projects count not updating in teams view
Fix error on team page when showing primary team
Fix overflow issue where the content would expand out of view
Fix page jump when issues list is collapsed
Fix conflicting version message when updating records with ajax
Fix hamburger dropdown menu functionality.
Fix node merging bug when `services_extras` properties are present
Fix cross-project info rendering
Prevent content block group names from being whitespace only
Fix displaying of content blocks with no block groups
Limit project name length when viewing a project
Removed bullet style in node modals
Validate parent node project
Integration enhancements:
Burp: Make `issue.severity` available at the Issue level
Nessus: Fixed bullet points formatting to handle internal text column widths
Nexpose: Wrap ciphers in code blocks
Netsparker: Fix link parsing of issue.external_references
Jira: Loading custom (required) fields from JIRA by IssueType and Project
REST/JSON API enhancements:
Fix disappearing owner when assigning authors to a Project using the API
Set the “by” attribute for item revisions when using the API
Node Methodology
Add a methodology to a node containing the details appropriate for that node type. Create and apply methodology templates to ensure everyone on the team knows the next steps for that node. Project methodologies are still available; these new methodologies bring the same consistency to nodes.
Merging Nodes
If you have ended up with duplicate nodes in your project, you can now merge them and preserve any findings related to that node. The new node merge action moves all associated Notes, Evidence, Attachments, and Activities from the source node into the target node.
Highlight Inside Code Blocks
Call attention to the most important details within a code block. Wrap the section with $${{ }}$$ to highlight it in yellow. The highlights transfer to your final report using styling updated in your report template.
Collapsible Sidebars
If your project has a long list of issues or attachments, it can be unwieldy to quickly access the import fields at the bottom to add more. The sidebars are now collapsible using the chevron at the top of the list and are expanded by default. Issues, Report content, and Nodes received this UI update to help you move through a cleaner interface.
Release Notes
Allow nodes to have an associated methodology
Highlight code snippets.
Better new board form empty name handling
Fix migration paths during database setup
Collapsible sidebar in issues
Collapsible sidebar in report content
Better placeholder syntax in Issuelib
Contributor dashboard redesign
Fix screenshot validator when Textile screenshot links have captions
Add Node merging feature
REST/JSON API:
New coverage: Tester users
Word reports:
Add CodeHighlight style support
Add-on enhancements:
Nexpose: Add risk-score attribute to nodes
Nmap: Add port.service.tunnel field to the port template
Remediation tracker: tickets can be assigned to testers and contributors, and contributors can see their tickets too.
Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.
What’s new in Dradis Pro v3.3
Auto-Save
There are few things more frustrating than losing work in progress when your connection drops, browser crashes, or you close the wrong tab. Dradis now automatically saves your changes every few seconds to help avoid this problem. When you return to work, and auto-saved data is available, restore your work from the browser’s cached version.
Configuration Kits
Get started with Dradis Pro with a click of a button using kits. Use a Dradis kit to set up an instance tailored to your needs just by uploading a single file. A single kit zip file can quickly import and configure a project, report, issue, and evidence templates and properties, Rules Engine rules, methodologies, and sample projects. Admins can still tweak and configure Dradis manually; kits offer a simple way to jumpstart setup.
Azure DevOps / VSTS
Send any issue from a Dradis project to Azure DevOps (formerly Visual Studio Team Services / Team Foundation Server) to create a Work Item. Once sent, the Issue in Dradis displays the state of the Work Item so you can keep track of remediation activities without leaving Dradis.
What’s new in Dradis Pro v3.2
Integrated CVSSv3 Calculator
Quickly generate a CVSSv3 Risk score for an individual issue directly in Dradis. The CVSSv3 score calculator is now included as a tab on each issue for handy access. Edit the values on the calculator to populate the issue’s CVSSv3 details, including a valid vector string, with no need to copy and paste!
IssueLibrary ships with Dradis Pro⛵
Ever wish that the IssueLibrary wasn’t a separate installation and upgrade process from Dradis Pro? Wish no more! IssueLibrary is now bundled with Dradis Pro.
If you haven’t been using IssueLibrary, now is your pain-free opportunity to give it a spin. Cultivate a collection of your finest vulnerability descriptions to reuse across your Dradis Pro projects.
Already have vulnerability descriptions in another format outside of Dradis? Reach out to our support team and they can set you up to easily migrate them into IssueLibrary.
Upgrading from an earlier version of the IssueLibrary? You must first remove IssueLibrary before applying the DUP by deleting the IssueLibrary line from /opt/dradispro/dradispro/current/Gemfile.plugins.
IssueLibrary API endpoints
The IssueLibrary is the newest API endpoint to be added to Dradis Pro. Use this new endpoint to create, update, retrieve and delete IssueLibrary entries. Check out the IssueLibrary API guide for examples to get started.
For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.
The highlights of Dradis Pro v3.1
Added comments, subscriptions and notifications to notes
Added comments, subscriptions and notifications to evidence
Added comments, subscriptions and notifications to methodology cards
Pre-flight tool upload validator
Fix default tags creation bug
Allow numeric fields to be 0 when validating
Fix BI engine load error (hook into model load and not ActiveRecord load)
Fix overflow bug when editing report templates (issue sorting tab)
Updated how add-ons hook into the main menu
Fix error pages
Renamed clients to teams in the backend
Fix blockcode characters displaying incorrectly
Fix red dot still being displayed on the first visit to the page that caused the single unread notification
Fix wrong ‘There are no comments’ message
Escape HTML in comments
Track activities when multiple-creating evidence
Fix BI custom project properties
Better engine manifest hooks
Keep lists and cards order when exporting as XML
When errors found validating evidence, report with evidence id
Add-on enhancements:
Note and evidence comments in export/import in dradis-projects
Fix usage of set_property to use set_service in Nexpose plugin
Netsparker: Update cleanup_html to format content + add new fields
Comments for methodology cards, evidence, and notes
Comments, notifications, and subscriptions introduced in Dradis v3.0 have been extended to include methodology cards, notes, and evidence in projects. You can leave a comment tagging another user, subscribe to be notified of comments and receive notifications for cards, notes, evidence, and issues. All comments are included during project import/export with dradis-project.
Checking for empty fields
Dradis will check for empty fields when saving a field required by your template and when validating your project before exporting a report. Catching and correcting these empty fields before generating your report will help prevent the dreaded ambiguous cell mapping Word error.
Pre-flight tool upload validator
While uploading output from a tool into a project, Dradis will check your Plugin Manager configuration against your report template configuration. If your template is configured to require a “Recommendations” field but no #[recommendation]# field is defined in the Plugin Manager for this output file type, Dradis will throw a warning.
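An added example, not Dradis’s own code, of the two checks described above (empty required fields on save, and a pre-flight comparison of a Plugin Manager template against the report template’s required fields). It assumes the Dradis Textile field syntax, where each field is a `#[Name]#` header followed by its content; the required-field list, the `%tool.*%` placeholder names and the sample issue text are constructed.

```ruby
# Assumed Dradis field syntax: a line "#[Name]#" starts a field and the
# following lines (up to the next header) are its content.
FIELD_RE = /^#\[(.+?)\]#\s*$/

# Split field-formatted text into { "FieldName" => "content" }.
def parse_fields(text)
  fields = {}
  current = nil
  text.each_line do |line|
    if (m = FIELD_RE.match(line))
      current = m[1]
      fields[current] = +""
    elsif current
      fields[current] << line
    end
  end
  fields.transform_values(&:strip)
end

# Pre-flight check: which fields the report template requires that the
# Plugin Manager template for this tool never defines.
def missing_plugin_fields(plugin_template, required_fields)
  required_fields - parse_fields(plugin_template).keys
end

# Empty-field check: required fields that are absent or blank on an issue,
# the case that would otherwise surface as an ambiguous cell mapping error.
def empty_required_fields(issue_text, required_fields)
  fields = parse_fields(issue_text)
  required_fields.select { |name| fields[name].to_s.empty? }
end

# Constructed sample data (not from the page).
REQUIRED = %w[Title Description Recommendations].freeze

# Hypothetical Plugin Manager template: no Recommendations field defined.
PLUGIN_TEMPLATE = <<~TEXTILE
  #[Title]#
  %tool.name%

  #[Description]#
  %tool.description%
TEXTILE

# Hypothetical issue whose Recommendations field was left blank.
ISSUE = <<~TEXTILE
  #[Title]#
  Outdated TLS configuration

  #[Description]#
  The server still offers TLS 1.0.

  #[Recommendations]#

TEXTILE

if __FILE__ == $PROGRAM_NAME
  puts "Plugin template lacks: #{missing_plugin_fields(PLUGIN_TEMPLATE, REQUIRED).inspect}"
  puts "Issue has empty: #{empty_required_fields(ISSUE, REQUIRED).inspect}"
end
```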