Category Archives: User Stories

Security Assessment Process: The Problem With “Good Enough”

The Current Process

Robin Wood is a freelance security consultant, researcher, and software developer, and it is fair to say he knows his way around the security assessment process. On his site, DigiNinja, you can find more than 50 security-related projects he has released to the community.

Several years ago, Robin's workflow involved using a basic text editor to log the vulnerabilities he found in his clients' systems. He would then work from those notes to produce his final reports; there was no structured or dedicated system or software platform behind the process.

Robin tested primarily web applications, so the issues he discovered varied considerably from project to project. That diversity was the main reason he felt that standardizing his project management would be difficult.

He did recognize that the process had shortcomings. For one thing, he was often "reinventing the wheel", writing up vulnerabilities similar to ones he had written up before, with no organized way to compare issues and reuse that content.

But, by and large, Robin's process was "good enough": it worked for him and he was doing fine. Mainly he felt that switching to a new way of working would be too difficult and time consuming.


Enter Dradis Pro

A few years ago, Robin found himself working with an InfoSec company that used Dradis Pro to log issues and create reports. At first he didn't believe that learning the new software was worth the trouble, but he did it because it was part of the company's process.

After getting used to Dradis, though, Robin realized that his speed and efficiency had increased substantially. He has continued to use it ever since, including after leaving that company to work for himself.

As Robin put it, “The problem is that you think, ‘My process works as it is, so I don’t have the time to put more effort into it. I’ll just use what I have.’ Then you’ll improve something and find a better way of doing it, and think, ‘Why didn’t I do this six months ago? Why didn’t I do this a year ago?’”

We’ll look at some of the ways in which Dradis Pro has helped improve Robin’s workflow and his clients’ experiences with the security assessment process.

Greater Project Structure and Organization

Even though Robin's clients and projects are diverse, Dradis Pro has let him standardize his project management. It gives him a consistent way to do everything associated with a project: use and update methodologies, organize an assessment, take notes, and attach screenshots and other evidence.

“All my stuff is in a nice place where I know where it is, and it’s all recorded in a constant fashion. The organization is the same every time.”

Easier Report Creation

Dradis can be connected to a library of vulnerability descriptions. Robin points his at MediaWiki (free, open-source software) so that he can maintain his own library of preferred descriptions, editing and reusing them as he sees fit.

“It makes such a big difference. In every test you do, you think, ‘I know I’ve written that one up before.’ And before, I’d have to dig through all the reports, going, ‘How did I write that up before? I know I did a good description of this at some point.’ With the issue library, I write a good description and I put it in the library and it’s always there for me. I don’t have to reinvent the wheel. It saves so much time and effort.”

The library is always growing and always improving.

“You don’t put in an issue and forget about it. It’s always getting better over time. Whenever I find something I don’t understand or think I can improve, I go back in and improve it and that goes back in the library. It might even be minor improvements, like the odd typo or spelling mistake. So even in small ways, the client is getting a win out of it.”


Easier Report Customization

Dradis also helps Robin with clients whose findings and reports need customization. You can keep multiple report templates for different types of jobs, and once all of your project data is in one place you can export it in a variety of formats, such as Word, Excel, and HTML.

“I don’t use the same template for everyone because everyone is not the same. But I don’t want to be rewriting the same thing over again, either. So I just go in, take what I’ve got, and edit it to be bespoke for that customer, and that goes in the report. Even for the more rare or obscure issues, I still have a template that I can start with, instead of redoing it.”

Long-Term Storage and Retrieval

Dradis supports encrypted storage of projects, which keeps archived projects secure and makes it easy to revisit them later.

“I had a client get in touch yesterday. Their test took place six months ago and they had questions about it. I can easily pull the archive, decrypt it, and I have all the data for them. It’s just there, ready to go.”

Improved Client Perception

Dradis Pro has also been key not only in organizing Robin's projects but in shaping his clients' perception of his work when he does on-site assessments.

“A client can come and sit down beside me while I’m on a site, and I can walk through each issue with them. There’s a nice display on screen with a full list of issues. I can click on them, show them the descriptions, and there’s a graph that shows how many high, medium, and low risks. If you tried to do that with a basic text file, obviously that doesn’t look as good.”

Improved Client Results

Improved project organization doesn’t just help Robin; most importantly, it improves his clients’ results.

“My clients really do get value out of it. They are getting more detailed and more time-tested descriptions. This makes it easier for them to understand what’s going on and makes it easier for them to remediate issues.”

New Features and Updates

Dradis Pro regularly adds and updates features in response to customer feedback and ideas.

“There are new versions and new features coming out frequently. It’s nice to be able to offload a technical issue to someone else. Unsurprisingly, [the Dradis team is] responsive to requests for features.”


A Necessary Tool

Dradis Pro has proven to be an indispensable part of Robin's workflow.

We asked Robin: considering the many strengths of Dradis Pro, why isn't everyone in InfoSec using something like it?

“It can seem like a lot of effort to learn a new security assessment process. I think that might put some people off. But like I did, you start small and just slowly build up into it. And at each step, you realize that you’ve made a big jump up and improved your efficiency and quality. It’s definitely worth the effort.”

Try Dradis for 30 Days

We are confident that Dradis Pro will improve your InfoSec workflow as it did Robin's. And if you try Dradis Pro for 30 days and don't believe you've gotten your money's worth, just let us know and we'll give you your money back. Check out our straightforward plans here.

Want to ask us a question about how Dradis Pro can help your project management and report creation? Reach out to us on our Contact Page.

That silly moment when a ruby gem doesn’t install

A few days ago I was helping a user to install a custom Dradis plugin.

As you may already know, Dradis plugins are Ruby gems, and we manage them with Bundler.

The final step in the installation process usually looks something like this:

bundle install --without development,test

or

bundle update --without development,test [custom_gem]

But at some point in this installation's history, a mix of both commands had been run, probably something like:

bundle install --without development,test [custom_gem]

This command is wrong: bundle install does not take a gem name as an argument. Because --without takes a list of groups, Bundler reads the trailing custom_gem argument as one more group of gems not to install, and it tells us so:

Gems in the groups development,test and custom_gem were not installed.

We may notice that warning (or not) and then run the command correctly:

bundle install --without development,test

But we will see the same warning about custom_gem not being installed. This is because Bundler persists some options, including --without, in a config file and reuses them on later runs. For a per-application setting, that file lives in the application folder at:

.bundle/config

If we check its contents, it looks like:

---
BUNDLE_WITHOUT: "development,test:custom_gem"

Until we delete that file, or edit it to remove custom_gem from BUNDLE_WITHOUT, every subsequent bundle install will keep skipping our gem.
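As an added illustration (this is example code, not Dradis or Bundler code), here is a small Ruby script that reads the app-local .bundle/config, lists the groups that BUNDLE_WITHOUT is excluding, flags any entry that is not one of the groups you expect, and writes back a cleaned value. It assumes the file is plain YAML and that the value holds group names separated by ":" (Bundler's convention) or "," (as typed on the command line). The embedded sample config is constructed from the one shown above, and stale_without_groups and remove_without_groups are names chosen for this example.

```ruby
# Added example, not Dradis or Bundler code: inspect and clean the
# BUNDLE_WITHOUT value that `bundle install --without ...` persists to
# the app-local .bundle/config, removing a stray "group" such as a gem
# name that was accidentally passed as a positional argument.
require "yaml"

# Bundler joins --without groups with ":"; a value typed on the command
# line may also contain ",". Split on both and drop empty pieces.
def parse_without(value)
  value.to_s.split(/[:,]/).map(&:strip).reject(&:empty?)
end

# Given the YAML text of .bundle/config and the groups you really intend
# to skip, return the excluded groups and those that look stray.
def stale_without_groups(config_yaml, known_groups)
  cfg = YAML.safe_load(config_yaml) || {}
  groups = parse_without(cfg["BUNDLE_WITHOUT"])
  { groups: groups, stray: groups - known_groups }
end

# Return new YAML text with `groups_to_drop` removed from BUNDLE_WITHOUT.
# The key is deleted entirely when nothing is left; other keys are kept.
def remove_without_groups(config_yaml, groups_to_drop)
  cfg = YAML.safe_load(config_yaml) || {}
  keep = parse_without(cfg["BUNDLE_WITHOUT"]) - groups_to_drop
  if keep.empty?
    cfg.delete("BUNDLE_WITHOUT")
  else
    cfg["BUNDLE_WITHOUT"] = keep.join(":")
  end
  cfg.to_yaml
end

# Constructed sample: the config left behind by
#   bundle install --without development,test custom_gem
SAMPLE_CONFIG = <<~YAML
  ---
  BUNDLE_WITHOUT: "development,test:custom_gem"
YAML

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby clean_without.rb [path/to/.bundle/config]
  # Falls back to the constructed sample when the file does not exist.
  path = ARGV[0] || ".bundle/config"
  text = File.exist?(path) ? File.read(path) : SAMPLE_CONFIG
  info = stale_without_groups(text, %w[development test])
  puts "excluded groups: #{info[:groups].join(', ')}"
  puts "stray entries:   #{info[:stray].join(', ')}" unless info[:stray].empty?
  puts "cleaned config:"
  puts remove_without_groups(text, info[:stray])
end
```

On the sample above the script reports development, test and custom_gem as excluded, flags custom_gem as stray, and emits a config whose BUNDLE_WITHOUT is development:test. Bundler can make the same correction itself with bundle config --delete without (bundle config unset without on Bundler 2.x), after which a plain bundle install picks the gem up again.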

Dradis Pro and a reluctant convert…

My small consultancy company has used Dradis since before the Pro version existed, back when it was a community project only. At that time, I was a pure Dradis consumer. My partner was the Ruby pro, both for coding and creating our own internal systems.

When my partner left for higher things last year, I have to say that I seriously considered switching from Dradis to another program. I am pretty much a dyed-in-the-wool Windows person with no Ruby knowledge and limited experience of having to support an application running on an open source stack. I also doubted that I would get a lot of benefit from the application, as a lot of its strength is in enabling collaboration between multiple testers working on the same project rather than servicing a single user like me.

Nearly a year on and I am still with Dradis, so I thought I would share some of the reasons why.

First, I've not had a lot of support issues. It comes as a VM appliance and just runs; there is no need to start compiling it yourself or to be constantly fiddling about with it. I appreciate this as I essentially start a new test every week, and the last thing I need on a Monday morning is to be trying to get the test platform to work. Because it is browser based, I can run it on any device, and I tend to run it in IE in one window while I use Firefox as my testing browser in the other.

Second, it helps me to keep well organized, and this is surprisingly difficult even when you are working on your own. Like most testers, I like the actual testing part much more than the data crunching and report writing parts, because (like most testers) I have a tendency to go off on tangents that look interesting. Having each host listed (for infrastructure) and using a methodology template (for web) enables me to enter each finding as I discover it. This means I don't come back at the end of the test unable to remember which one of the ten VPNs I reviewed had aggressive mode enabled, or whether I had checked a particular site for session fixation. Being able to attach screenshots is useful too, as it makes the whole test portable rather than reliant on being attached to a specific file store.

Third, reporting is easy. This is the major advantage of Dradis to me. A lot of the work I do requires a very elaborate report template involving multiple tables, headings, narrative sections, etc. A lot of testing companies seem to like repeating themselves in their reports several times, and Dradis not only generates the complicated tables straight from the application but also ensures that I have the correct list of hosts with the correct vulnerability in all the sections where they occur. (Anyone who has ever tried to correlate four different sections of a hundred-page Word document will be right with me here.) In fact, with a little judicious use of VBA to import some graphics, I can write a table with thirty findings straight into the report and be finished with it in the time it would have taken to make the headers manually.

Fourth, I haven’t found an acceptable alternative. I’ve had a pretty extensive look around, and couldn’t find anything that came close in price or simplicity. For a small consultancy I don’t want something that costs £1000s and takes a team of analysts to set up. The other obvious alternative would be to write something myself, but I am not sure the payoff from having something entirely customized for me is worth the billable hours lost when I am coding and not testing (assuming, of course, that my coding skills are up to it, which they probably aren’t).

I can’t say that Dradis is a perfect tool, as there are definitely changes I would like to see implemented. I’m also not the perfect fit as a customer as I work alone and one of Dradis’ huge strengths is in coordinating multiple people on one test.

But for value for money and something which makes every test easier, Dradis Pro works for me.

Marion McCune is a security consultant and the principal of Scotsts.