Category Archives: Dradis_Pro

Posts about features, announcements and updates of Dradis Professional Edition.

Software quality: creating a software product you can live with

When creating a software business there are a lot of things to consider and many decisions to be made. One of the most important ones, especially if you are by yourself, is: how high are you going to put the software quality bar?

Given the day-to-day pressures to build up the business (do you have a business, or do you just think you do?), the multiple feature requests from your users, the support requests you have to tend to, the pile of ideas you’ve got in the roadmap and the limited time in each day, it is clear that some compromises must be made. You’ve got to strike a balance between having enough features that your tool is compelling and making sure that what you have actually works (otherwise the people you worked so hard to convince to use your tool will be frustrated and abandon it).

In the early stages

Remember the classic essay by Joel Spolsky, Good Software Takes Ten Years. Get Used To It: yes, it takes time to create a great product, but you need to make sure that your company is going to survive long enough to get there, and that you’re still enjoying what you are doing years down the line 🙂

During the early stages, not every feature we’ve pushed in a release of Dradis Pro was as polished as I’d have liked, but at the time we thought it was the right choice: push the feature out and let our users start benefiting from it. However, we’re not in the early stages any more. We’ve been two years in business, with a growing client base and a healthy number of new sign-ups every month. Now is the time to take two steps back and look at the big picture, to prepare ourselves for the next ten years.

One of the most important things to learn and keep in mind, even more so for those of us coming from an engineering background, is that your users don’t care about your product. They don’t want to use your product for the sake of using a product. They want the results they’ll get from using your product, and that’s where the focus should be. Let me repeat that, as it is quite important:

Your users don’t want to use your product,
    they want the results they’ll get from using your product.

This means you have to identify what these end results are and focus your efforts on making it ever easier for your users to get there. This often means spending time refining areas of your tool instead of adding new features.

Balancing scope and software quality

In the era of the Lean Startup, the above ties nicely with the concept of minimum viable product: in order to become sustainable, you need to identify several key pieces of functionality that when put together are going to allow your users to get the end results they are looking for. [Note that I’m talking about being sustainable (i.e. generating enough revenue to reinvest in the product to improve it), not just in order to sell or in order to find users for your product. You can sell almost any piece of broken software for a low enough price. But that’s a different discussion for a different time.]

Throwing together those pieces and making sure that they can be made to work together as a coherent application is the very first stage in the lifecycle of the product. This means you’re solving a real problem, for real people, who will pay real money to get their problem solved. However, on the path to this first summit in your journey, you may have to release half-baked solutions or quirky code you are not proud of. You may even do this without being conscious of it (at the end of the day, you’re fighting an uphill battle, and getting results is the only thing that counts on a daily basis).

There is a tipping point where you realize that the strategy of knocking together functionality and releasing it is not going to work in the long run. You are accruing too much technical debt. If you are hoping to be developing and maintaining your tool for years to come, you had better make sure that you are creating something that you will want to maintain, something that you are proud of.

I saw the light while reading the Designing Web Applications book by Nathan Barry a few months ago. In particular a section discussing the ideas of Ryan Singer, Software designer at 37signals, on product quality:

I like to visualize software. Here’s an intuition that works for me. Feature complexity is like surface area and quality of execution is like height.

A hand-drawn representation of a software product as a surface, with different areas dotted on it and the height of the shape representing the quality.

I want a base level of quality execution across all features. Whenever I commit to building or expanding a feature, I’m committing to a baseline of effort on the user experience. That way feature complexity — scope — is always the cost multiplier, not user experience. There aren’t debates about experience or how far to take it. The user experience simply has to be up to base standard in order to ship, no matter how trimmed down the feature is.

(Ryan has an article on his blog about the subject: What happens to user experience in a minimum viable product?)

Even though conceptually we’d all agree that it’s desirable to build good quality products, Ryan’s surface/height metaphor makes it really easy to understand the end goal we’re striving for and the reasoning behind it. It is a great tool that you can keep in the back of your mind and use to drive your development efforts on a daily basis.

Keep your focus

It’s more important to ensure a consistent height across all areas of the product than it is to expand the surface. In fact, it is a trade-off: there is no expanding the surface if the height isn’t going to be kept consistent.

This helps in narrowing the focus of what you’re trying to build: less surface, more height, build something great. This isn’t new, and there are many ways to phrase this feeling, but I always remember Bill Cosby’s:

I don’t know the key to success, but the key to failure is trying to please everybody.

Your product can’t be all things to all people. This is why you’ve seen a multitude of minimalist text editors thrive by focusing on what is important and nothing else (iA Writer, WriteRoom, Byword…). Have the basics taken care of before thinking about adding new stuff. As Julie Zhuo, Director of Product Design at Facebook, puts it, there is a tax associated with every new feature you introduce that you had better understand.

Making this shift, this change of focus towards quality, clarity and purpose has benefits all around. It makes you proud of the work you do and it helps to ensure that you don’t have too many features that you can’t pay attention to.

This is where we are going for the next few releases of Dradis Pro: don’t expect a lot of growth in the surface, we’ll focus on pushing and levelling our height, always keeping an eye on the results our users want to realize.

I’d like to wrap up this post with another quote about quality and building a software product, this time by Jason Fried, also of 37signals:

It better be good, because people are depending on it to be good

Upcoming in Dradis Pro v1.8: fine-grained project permissions

The next release of Dradis Pro will introduce a long standing feature request: fine-grained project permissions.

From now on, it will be possible to restrict who has access to what projects. We’ll evolve the interface over time but the basics are already here:

A screenshot showing the interface to assign project permissions

Users will only be presented with those projects they have access to in the **Project selection** view:

The Project selection window shows only those projects to which the user has access

Of course administrators can access any project any time and reassign the permissions:

A screenshot showing the full list of projects for an administrative user

The implementation is almost there, just running the finishing touches. We are hoping to release in the next few days.

Our users have been pushing for project permissions for a while now. Among the use cases where having fine-grained project permissions is going to be a big win are:

  • Restrict access to projects that require a specific level of clearance (e.g. government projects, department of defense, etc.).
  • Accommodate requirements by certain clients that only a specific set of pre-approved individuals is allowed to take part in and manage their projects.
  • Limit how much of the organization’s breadth of clients and projects is visible to external contractors or freelancers brought in to the organization.
  • Limit the visibility of new joiners who are still in their probation period.

That is on the pure permission == restriction front. However, having fine-grained project permissions is also going to allow us to do a number of interesting things:

  • Create dashboards in which users can quickly review all the projects they have been involved in lately.
  • Create dashboards in which Technical Directors can quickly see a breakdown of projects for each team member.
  • Quickly identify who has been working with whom, and how long ago (useful for 360-degree feedback and evaluation).

All in all, this is a big step forward in the right direction and while we would normally wait to have a handful of new features before producing a new release we think this is important (and useful) enough to warrant its own version of the tool.
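To make the behaviour described above concrete, here is an added example (not Dradis code) of a deny-by-default project access model: non-administrators see only projects they have been granted, administrators see everything and are the only ones who can reassign permissions, and the same grant records feed the “recent projects” and “who worked with whom” dashboards. The `User` and `ProjectAccess` names and the sample data are assumptions made for this illustration.

```ruby
# Added example (not Dradis code): a deny-by-default project access model in the
# spirit of the v1.8 feature described above. User, ProjectAccess and the sample
# data are all assumptions made for this illustration.
User = Struct.new(:name, :admin) do
  def admin?
    admin == true
  end
end

class ProjectAccess
  def initialize
    @projects = []
    # project name => { user name => time the grant was made }
    @grants = Hash.new { |h, k| h[k] = {} }
  end

  def add_project(name)
    @projects << name
    self
  end

  # Only administrators may grant or revoke access; everyone else is refused.
  def grant(actor, user_name, project, at: Time.now)
    authorize_admin!(actor)
    raise ArgumentError, "unknown project: #{project}" unless @projects.include?(project)
    @grants[project][user_name] = at
    self
  end

  def revoke(actor, user_name, project)
    authorize_admin!(actor)
    @grants[project].delete(user_name)
    self
  end

  # Deny by default: a user may open a project only with an explicit grant.
  # Administrators may open any project at any time.
  def can_access?(user, project)
    return true if user.admin?
    @grants.key?(project) && @grants[project].key?(user.name)
  end

  # The "Project selection" view: only the projects this user may open.
  def visible_projects(user)
    @projects.select { |p| can_access?(user, p) }
  end

  # Dashboard: projects a user has been involved in since a given time, newest first.
  def recent_projects(user_name, since:)
    @grants.select { |_, g| g.key?(user_name) && g[user_name] >= since }
           .sort_by { |_, g| -g[user_name].to_i }
           .map(&:first)
  end

  # Who has been working with whom: everyone sharing at least one project with the user.
  def collaborators(user_name)
    @grants.values.select { |g| g.key?(user_name) }.flat_map(&:keys).uniq - [user_name]
  end

  private

  def authorize_admin!(actor)
    raise SecurityError, "#{actor.name} is not an administrator" unless actor.admin?
  end
end

# Constructed sample data: one administrator sets up three projects and a few grants.
def sample_access
  admin = User.new("alice", true)
  acl = ProjectAccess.new
  %w[acme-webapp mod-internal startup-review].each { |p| acl.add_project(p) }
  acl.grant(admin, "bob", "acme-webapp", at: Time.new(2013, 5, 1))
  acl.grant(admin, "carol", "acme-webapp", at: Time.new(2013, 5, 2))
  acl.grant(admin, "bob", "mod-internal", at: Time.new(2013, 3, 1))
  acl.grant(admin, "dave", "mod-internal", at: Time.new(2013, 3, 1))
  acl
end

if __FILE__ == $PROGRAM_NAME
  acl = sample_access
  puts "bob sees: #{acl.visible_projects(User.new('bob', false)).join(', ')}"
  puts "alice sees: #{acl.visible_projects(User.new('alice', true)).join(', ')}"
end
```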

More information

If you are not a Dradis Pro user yet, you can read more about painless 1-click reporting, merging tool output from your favorite tools into a single report and delivering consistent results with our tool. Get a license and start saving yourself some time today.

Follow the OSSTMM v3 methodology with Dradis

You can now follow the OSSTMM v3 (Open Source Security Testing Methodology Manual) in your projects. Today we’ve added a new bundle to our Extras section. Extras is where we post report templates, methodologies and checklists for our community to grab and use.

Not familiar with the OSSTMM yet? From their website:

The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.

What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship.

Included in the OSSTMM bundle

The bundle contains methodologies for all the areas covered by the OSSTMM:

  • Defining a security test
  • Data networks security testing
  • Human security testing
  • Physical security testing
  • Telecommunications security testing
  • Wireless security testing

Included in the bundle is also a project template with the basic project structure you can use to follow the OSSTMM guidance.

Get the OSSTMM v3 methodology bundle and follow the OSSTMM v3 from today.

New in Dradis Pro v1.7

Today we have pushed a new version of Dradis Professional Edition: Dradis Pro v1.7. This is the result of eight months of hard work, a bit longer than usual, but the release is packed with lots of handy improvements.

Here are some changes:

  • New Issue/Evidence architecture: read about why this is a big deal.
  • New all-in-one view (more below).
  • New “by host” and “by issue” reporting (more below).
  • New default project / report template: to make it easy for you to build on top of it.
  • New interface to import Issues from external sources.
  • New Qualys upload plugin.
  • Updated plugins
    • Burp upload
      • Generates Issue/Evidence
      • Is orders of magnitude faster.
      • Integrates with the Plugin Manager.
    • MediaWiki import is now compatible with versions 1.14 -> 1.21
    • Nessus upload generates Issue/Evidence
    • Nexpose upload generates Issue/Evidence
  • Updates and internal improvements:
    • Updated to Rails 3.2.13
    • Improved code block and table styling

All-in-one view

Notes, issues and attachments all in a single place:

A screenshot showing note contents, issues and attachments in one page

And an improved interface to import from external sources:

Screenshot of the new one-click importer

And of course, you also get Dradis’ Smart Refresh goodness:

More screenshots

“By host” and “By issue” reporting

We have discussed multiple times how providing a useful deliverable is part of what makes a pentest firm great. With this release of Dradis Pro we’re introducing even more flexibility to our reporting engine.


It is now possible to write an issue description once and associate it with multiple hosts. Then in your report you can either present each issue along with all the affected hosts (and associated evidence) or the other way round: a host-by-host summary where you list each host in scope along with all the issues that affect it.


This flexibility is what saves our users 2 hours of reporting time in every project.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features.

Upcoming in Dradis Pro v1.7: Issues and Evidence

A new release of Dradis Pro is in the making: Dradis Pro v1.7. We continue to evolve our solution based on the feedback we receive from our users.

Starting in Dradis Pro v1.7 we have introduced two new concepts:

  • Issues: these are findings or vulnerabilities. An example would be: “Cross-site scripting”.
  • Evidence: this is where you provide the concrete information / proof-of-concept data for a given instance of the Issue.

For example:

  • The ‘Hackme bank’ application is vulnerable to Cross-site scripting (Issue). There are 7 instances of this issue and here is the information about them (Evidence).
  • The HTTP service on tcp/443 of the 10.0.0.1 host is affected by the Out-of-date Apache Tomcat issue, and so is the tcp/8080 service on 10.0.0.2.

As you can see, the main benefit of this approach is that you get to describe the Issue once and reuse that description.

To continue with our example, we’d have to create the following project structure:

Here we would add the Out-of-date Apache Tomcat Issue to the all issues node of the project, and then the Evidence for each host will be added in the corresponding node.

By segregating core vulnerability information from the evidence associated with each instance of the issue, we can start doing some powerful things.

Reporting by host, reporting by issue

On the one hand, some penetration testing firms like to structure their reports by finding. They go through the list of issues identified, providing description, mitigation advice, references, etc. and including all the hosts affected by the issue in each instance.


On the other hand, some prefer to structure their report by host. They list all the hosts in-scope for the engagement and describe each issue that affects them.

Of course there are others that provide these two options in the same report. A section where all the issues are described in detail followed by a host summary where you can quickly see a list of issues affecting a given host.

In order to provide this level of flexibility there needs to be a segregation between the issue details and the instance information.

With the introduction of Issues/Evidence in v1.7, we have just opened the door to all this flexibility.
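The Issue/Evidence split introduced above and the two report layouts it enables, as an added example that is not part of the original post and not Dradis code: the issue description is stored once, every Evidence entry must reference an existing Issue, and both the “by issue” and the “by host” views are derived from the same records. The `Issue`, `Evidence` and `Project` names and the sample findings are assumptions.

```ruby
# Added example (not Dradis code): a minimal model of the Issue/Evidence split
# described above, with the "by issue" and "by host" report layouts derived from
# the same data. The class names and the sample findings are assumptions.
Issue = Struct.new(:title, :description, :severity)
Evidence = Struct.new(:issue, :host, :port, :details)

class Project
  attr_reader :issues, :evidence

  def initialize
    @issues = {}    # title => Issue: the description lives here, once
    @evidence = []  # one Evidence entry per affected instance
  end

  def add_issue(title, description:, severity:)
    @issues[title] = Issue.new(title, description, severity)
    self
  end

  # Evidence must point at an Issue that already exists: there is no second
  # copy of the description to drift out of sync with the first.
  def add_evidence(issue_title, host:, port:, details:)
    issue = @issues.fetch(issue_title) { raise ArgumentError, "unknown issue: #{issue_title}" }
    @evidence << Evidence.new(issue, host, port, details)
    self
  end

  # "By issue": each issue once (highest severity first), with every affected
  # host/port and the evidence gathered for each instance.
  def by_issue
    @issues.values.sort_by { |i| -i.severity }.map do |issue|
      instances = @evidence.select { |e| e.issue.equal?(issue) }
      { title: issue.title,
        severity: issue.severity,
        description: issue.description,
        affected: instances.map { |e| "#{e.host}:#{e.port}" }.uniq.sort,
        evidence: instances.map(&:details) }
    end
  end

  # "By host": each host in scope once, with every issue that affects it.
  def by_host
    @evidence.group_by(&:host).sort.map do |host, instances|
      { host: host,
        issues: instances.map { |e| "#{e.issue.title} (#{e.port})" }.uniq.sort }
    end
  end
end

# Constructed sample project mirroring the examples in the post; the evidence
# text is made up for the illustration.
def sample_project
  Project.new
    .add_issue("Out-of-date Apache Tomcat",
               description: "The installed Tomcat release is no longer maintained.", severity: 3)
    .add_issue("Cross-site scripting",
               description: "User input is reflected in the page without encoding.", severity: 2)
    .add_evidence("Out-of-date Apache Tomcat", host: "10.0.0.1", port: "tcp/443",
                  details: "Server header reports an unsupported Tomcat version")
    .add_evidence("Out-of-date Apache Tomcat", host: "10.0.0.2", port: "tcp/8080",
                  details: "Server header reports an unsupported Tomcat version")
    .add_evidence("Cross-site scripting", host: "10.0.0.1", port: "tcp/443",
                  details: "Input reflected in the search parameter")
end

if __FILE__ == $PROGRAM_NAME
  proj = sample_project
  proj.by_issue.each { |i| puts "#{i[:title]} -> #{i[:affected].join(', ')}" }
  proj.by_host.each { |h| puts "#{h[:host]} -> #{h[:issues].join('; ')}" }
end
```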

More information

If you are an existing Dradis Pro user, you can already take advantage of all these features without having to wait until the release of v1.7. We have also prepared a step-by-step reporting guide for you:

Reporting by host, reporting by issue

If you are not a user yet, you can read more about cutting your reporting time, putting external tools to work for you (and not against you) and delivering consistent results with our tool. Get a license and start saving yourself some time today.

BSides London 2013 aftermath

BSides London took place last Wednesday the 24th at the Kensington and Chelsea Town Hall near High Street Kensington tube station in London.

I was really looking forward to this year’s edition as for the first time ever Dradis Pro was a sponsor in a security event. There are a lot of lessons learned on that front alone, but I’ll save them for another post.

It was a really long day. I only finished the slides for the Creating Custom Dradis Framework Plugins workshop around midnight the night before and I got to the venue by 8am to give the organisers a hand with the preparations. On the bright side, we had a really good turnout on the workshop:


Creating Custom Dradis Framework plugins in action (more pics)

I think that the final head count was around 500 people both from around the country and from abroad. The downside is that we had to prepare around 500 tote bags with sponsor swag, the upside is that some sponsors provided some really nice goodies 😉

BSides swag by ScotSTS, 7Elements and Dradis Pro

The truth is that running an event such as BSides is a ton of work, and the team does it for free. It doesn’t cost a penny to attend, and you get a really nice free t-shirt:

BSides London t-shirt

I don’t think people thank the organisers enough. Thanks guys! To both the visible faces of the organisation but also to the rest of the conference goons that make all the little moving parts of the event tick.

As usual in this type of event, it’s easy to let yourself be distracted by the social side of things. I managed to finally catch up with a lot of Dradis Community contributors and Dradis Pro users. And hopefully meet a few future ones 😉 I finally put a face to some of the #dc4420 peeps and managed to catch up with some people that I no longer get to see that often.

It always baffles me that after working for a company for the last 5 years you get to meet some of your colleagues at a random security event instead of in the office or at an official company event. I guess that’s the nature of the industry we are in, though. It was also good to catch up with ex-colleagues from previous lives.

Even though the scheduling gods decided I had to miss Marion & Rory’s workshop in the morning, I managed to get myself a WiFi Pineapple after Robin’s, just in time to rush to the main hall to catch the closing ceremony.

WiFi Pineapple kit

And before you realise it, the day was over and you are having a pint too many at the official BSides after-party…

Dradis Pro report templates and testing methodologies for download

Ever wanted to create your own Dradis Pro report templates but didn’t know where to start? Wait no more! A few days ago we introduced the Extras page. From there you can download report templates and testing methodologies. The idea is to showcase all the possibilities supported by our reporting engine and lay the ground work so our users can build on top of these templates.

The latest addition has been the OWASP Top 10 – 2013rc checklist. This covers the recently released OWASP Top 10 – 2013 release and contains 60 checks that you can use to test for all the issues in the new Top 10:

  • A1-Injection
  • A2-Broken Authentication and Session Management
  • A3-Cross-Site Scripting (XSS)
  • A4-Insecure Direct Object References
  • A5-Security Misconfiguration
  • A6-Sensitive Data Exposure
  • A7-Missing Function Level Access Control
  • A8-Cross-Site Request Forgery (CSRF)
  • A9-Using Components with Known Vulnerabilities
  • A10-Unvalidated Redirects and Forwards

Below is a list with a few examples of the Dradis Pro report templates (both Word and HTML) that you can find there:

Advanced Word example

Mix everything together: use Dradis notes for your conclusions, sort your findings by severity, filter, group, make use of document properties, etc.

Dradis Pro Advanced report template: a screenshot showing the advanced word report

A simple report to get you started

Never created a custom Dradis Pro report template before? No problem, start with this basic template to learn about the inner workings of the engine and in no time you’ll have your own custom report template up and running.

Dradis Pro Basic report template: a screenshot showing a detail of a table in the simple report template

A fancy HTML report

Dradis Pro supports a number of report formats including Word 2010 and HTML. In this case we show you how to create a fairly complex HTML report with the list of issues ordered by severity, a bit of JavaScript to auto-colour and auto-link external references and some awesome charts to nicely show the risk profile of the environment.

Dradis Pro HTML report template: a screenshot of the HTML report template showing a chart for all the issues

With the help of these samples, creating your own report template has never been easier. Are you ready to give Dradis Pro a try?

New in Dradis Pro v1.6

Today we have pushed a new version of Dradis Professional Edition. This is the result of two months of hard work. It is a shorter release cycle than usual, but there are some good reasons for it. We think it will make our users’ day-to-day work significantly more efficient.

Here are some changes:

  • Improved Word 2010 reporting (more below):
    • The styles you apply in Dradis are kept when generating the report.
    • Easy note filtering and grouping in the report (e.g. list of High-impact findings).
  • New testing methodology support (more below).
  • New Client Manager to group your projects.
  • Fresh look & feel (screenshots).
  • Lots of minor updates:
    • With the new Quick Filter locating clients, projects and users is a breeze!
    • Updated VulnDB HQ plugin to support v2 of the API.
    • Updated to Rails 3.2.8


Improved Word 2010 reporting

Creating complex pentest report templates has never been easier. You just need your copy of Word and a few minutes. Of course we have extensive documentation in our support site, but here are the highlights:

Note styles

Add notes in our WYSIWYG editor and the styles will be kept in the report:

Note filters

Word is the only tool you need to create powerful templates

Get the report without breaking a sweat:


Testing methodologies

This is a game changer. Tracking progress during an engagement is always a daunting task. No matter how experienced you are, if you don’t pay close attention, you might be missing something.

Enter our testing methodology support:

You can define as many methodologies as you need (e.g. webapp, wireless, code review, etc.) and you can add them to your projects. For instance, a typical webapp assessment will have a web testing methodology and maybe a web server checks methodology.

Keep track of progress and split tasks amongst team members. Using a standardized testing methodology is the best way to obtain consistent results.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your clients. Every time.
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why to give Dradis Professional Edition a try?

Create a report in minutes with Dradis Pro and VulnDB HQ

How long did it take you to create your last pentest report? Days? Hours? Sounds like too much effort for something that should be 80% automated!

Let’s see how you can use Dradis Pro and VulnDB HQ to create a pentest report in minutes.

Tracking progress with Dradis Pro

Everybody tracks progress and makes notes while conducting an assessment. However, using Dradis Pro has a few advantages over other methods (e.g. notepad).

First you can use testing methodologies to define the steps you need to cover and track your progress:

Of course this is useful both when you’re working alone and when you’re part of a team, to ensure there is no overlap.

If everyone is adding their findings to Dradis Pro’s shared repository, generating the report is one click away (keep reading!).

Adding a few findings from your VulnDB account

Say that today is your lucky day, LDAP injection on the login form! You don’t think this is in your private VulnDB HQ repository but search anyway:

Well, it was not in your private repository, but there is an LDAP injection entry in VulnDB HQ’s Public repository that you can use as a baseline. You import it.

You continue with your hack-fu and find a bunch of issues: cross-site scripting, some SQL injection, Axis2 testing servlet, header injection and a few SSL issues. For each of these, you spend 30 seconds searching VulnDB HQ, importing the issue into your project and tweaking the particulars.

Assign everything to the AdvancedWordExport ready category, and you’re done. Fairly painless, no?

And if Dradis is not your cup of tea (?!) you could always connect your VulnDB HQ account to your own tools using our RESTful API (or the convenient vulndbhq Ruby gem).

Report template

Now, the report. We want a high-quality Word 2010 document that we can easily edit and adapt as time passes.

I won’t get into the nitty-gritty details of template building here (there is a Creating Word reports with DradisReports guide in our support site with step-by-step instructions).

We will use a fairly simple approach: I’ve created a template based on one of Word’s default styles (Home > Styles > Change Style > Formal). Just add the headings you need and a few Content Controls. Here is what ours looks like:

It starts with a table with some information about the project (name, client, dates, team, etc.).

Then the Exec Summary with a Conclusions section (sorry, you’ll have to adjust this with your own conclusions!) and a Summary of Findings list which will contain just the Title of each finding.

Then a Technical Details section that contains issue descriptions for each of the vulnerabilities we’ve identified during the assessment.

Note that you only have to create the template the first time, and then reuse it for every project. The template you see above took me about 10 minutes to create.

One last thing: the properties

Yes, we could add the project specifics like the client name and dates and everything else by hand. However, chances are that your report template is a bit more complex than the one in this example and that you’ll have your client’s name in multiple places and that some of the other information will also be repeated.

Thankfully we can define document properties from within Dradis Pro (see the DradisReports: using custom document properties guide for more information):

There you go. Now we can re-export and voila, the report is complete:

  • Total reporting time: 1 click.
  • Overhead during the test for importing issues from your VulnDB HQ account: ~30 seconds each?

We rest our case.

Would you like to know more?

We recommend you start with:

New in Dradis Pro v1.5

Today we have pushed a new version of Dradis Professional Edition. This is the result of four months of hard work.

Changes include:

  • Upgraded look & feel (screenshots).
  • Improved Word 2012 reporting:
    • Custom screenshots.
    • Custom document properties.
    • Fully integrated with support for note re-ordering.
  • Drag’n’drop file uploads with pre-upload preview.
  • New Plugin Manager (more below).
  • New Note Templates (more below).
  • New Format Cheat Sheet (more below).
  • Lots of minor updates:
    • Updated NeXpose plugin.
    • Improved Forgotten password.
    • Improved markup editor with full-screen support.
    • Updated to Rails 3.2.6

Plugin Manager

The Plugin Manager puts all the Dradis plugins to work for your organization.

You can now customize how the different plugins create their notes. This means that all plugins can generate notes in exactly the format you need for your report template.

This is what the main interface looks like:

And the note template editor with live preview:

That’s right, you can map from the plugin’s native fields into the fields you need for your report. That’s going to save you an incredible amount of time!

Note Templates

Tired of typing the same fields in your new notes again and again? With this release we introduce note templates:

Create templates that include the fields that you will need for your reports, or different templates for different clients. Then whenever you are adding a new note you will be able to choose whether you want an empty note or to use one of the templates:

Format Cheat Sheet

Not familiar with Textile markup? No problem! Now the note editor features a mini cheat sheet with some of the styles you are most likely to need to create rich notes:

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your customers
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why to give Dradis Professional Edition a try?