New in Dradis Pro v3.0

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.0

  • Add comments for issues
  • Add notifications for comments
  • Add subscriptions for issues in a project
  • Nest the dradis elements under the project scope
  • Add ‘Send to…’ menu for issues
  • Add better handling of the Services table
  • Use puma for the development and test server
  • Remove resque dependency
  • Improve redirect on Evidence#edit
  • Alphabetically sort ContentBlocks
  • Validate empty fields
  • Fix exporting with bc.. prepended with a newline
  • Fix password reset thor task
  • Fix cookie overflow
  • Fix license redirection
  • Fix missing lists bug
  • Add-on enhancements:
    • Add references and vulnerability_classifications fields in the Burp plugin
    • Fix formatting errors and hostname Node property in the Burp plugin
    • Fix vertical buttons for the CVSS calculator
    • Fix issue sorting in HTML export
    • Split services data in the Metasploit, Nessus, Nmap plugin
    • Update fields template in Nessus plugin
    • Add CVSS fields for the Netsparker plugin
    • Resolve nested duplicate content in Paragraph tags in the Nexpose plugin
    • Better handle finding `id`s in Nikto plugin
    • Smart table header for the IssueLibrary
  • Bugs fixed: #102, #118, #321
The IssueLibrary must be updated after you upgrade! Contact support for the files.
A quick video summary of what’s new in this release:

Comments, notifications, and subscriptions

You can now comment on issues within projects.  You can also tag other members of your team in a comment, or subscribe to a conversation.

If a team member is tagged in a comment or subscribed to a conversation that has received a comment, they will see a notification when they open their project.

One project per tab

You may now have multiple projects open in several tabs of your browser.  You are now able to switch freely between projects and tabs altering their content in any order – a boon for multitaskers!

API endpoints for Content Blocks and Document Properties

For users of our REST API, we have now added endpoints for Content Blocks and Document Properties. Now you may create, update, retrieve, and delete Content Blocks and Document Properties through the API.

Ready to upgrade to v3.0?

Still not using Dradis in your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

Comments, notifications, & subscriptions

Efficiently collaborate with your team using comments, notifications, and subscriptions inside of Dradis.

We heard you. There are times that you need to discuss a Dradis project with your team. Gone are the days of jumping on Slack or sending an email with a question or request for edits. Instead, leave a comment! Keep all of your Dradis talk inside Dradis.

Comments, notifications, and subscriptions are brand new in Dradis Community Edition (CE) v3.10 (and coming in the next release of Dradis Pro!).

Let’s jump straight into an example of how these new features improve team collaboration:

I’m working on Dradis CE (username rachkor) and have a question for another team member (username daniel). He wrote up a new Issue, but I think that the solution needs expanding. Instead of writing an email or finding him on chat, I scroll to the comment form at the bottom of the Issue:

Add comments to your Dradis Issues

Not only can I comment on the Issue, but I can also mention @daniel by name:

Mention other Dradis users in your comments

The next time Daniel logs in to Dradis, he’ll be greeted by a notification from me:

Get notifications from any mentions in Dradis comments

Comments are included in the Recent activity feed so that you can keep up with your team as a whole, even if you aren’t involved in a specific conversation.

When you comment on an Issue or a teammate mentions you in a comment, you’ll be automatically subscribed to that Issue. If you need to subscribe (or unsubscribe!) from notifications on a specific Issue, click the subscribe/unsubscribe button:

Subscribe or unsubscribe from comment notifications

We’re excited to unveil this new phase of collaboration within Dradis and can’t wait to hear what you think! Want to check it out? Grab the latest version of Dradis CE from GitHub with these instructions and test out the comments, notifications, and subscriptions. These new features will ship in the next release of Dradis Pro. If you’re a Pro user, stay tuned for a release notice soon!

Not using Dradis yet? Learn more about the Dradis Framework and all the time you could save.

That silly moment when a ruby gem doesn’t install

A few days ago I was helping a user to install a custom Dradis plugin.

As you may already know, Dradis plugins are ruby gems and we manage them with bundler.

The final step in the installation process usually looks something like this:

bundle install --without development,test

or

bundle update --without development,test [custom_gem]

But at some point in the installation history, a mix of both commands was run, probably something like:

bundle install --without development,test [custom_gem]

This command is wrong, bundle install does not expect a specific gem as a parameter. So the custom_gem parameter is handled by bundler as one of the groups of gems not to be installed. Bundler notifies us about that:

Gems in the groups developement,test and custom_gem were not installed.

We may notice that warning (or not), and try to execute the command correctly:

bundle install --without development,test

But we will see the same warning about custom_gem not being installed. This is because bundler uses a config file to cache some configuration options, like the –without option. That file probably in the same app folder under:

.bundler/config

If we check its contents, it looks like:

---
BUNDLE_WITHOUT: "developement,test:custom_gem"

Until we delete that file or edit it to remove the custom_gem from it, we may have a hard time installing our gem.

New in Dradis Pro v2.9

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v2.9

  • Added bulk view (and multi delete) for a node’s notes and evidences.
  • Added the trash functionality to content blocks
  • Added the Methodology tasks and content blocks to the search
  • Added report content attachments
  • Added validation for block groups with empty names
  • Fixed nested lists in exported reports
  • Fixed the multi-deletion of issues
  • Fixed the ghost nodes issue
  • Fixed the project import and export with missing users
  • Add-on enhancements:
    • Added trend analysis for the Business Intelligence add-on
    • Added node properties to the Acunetix and Qualys plugin
    • Added metric-specific fields to the CVSS calculator
    • Fixed the encoding error for the Burp upload plugin
    • Fixed the export errors for the HTML export plugin
  • Bugs fixed: #173#349, #354

A quick video summary of what’s new in this release:

List View for Notes and Evidences

You can now view the evidences of a node as a list. This comes with the bonus of being able to delete them in bulk!

The same goes for the notes in a node!

Business Intelligence Trend Analysis

With the addition of trend analysis to the Business Intelligence add-on, you can now compare 2 or more projects so you can easily visualize the ongoing trends between them.

Report Content Attachments

Just like attachments for nodes, you can now add attachments for your content blocks!

Ready to upgrade to v2.9?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.8

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this zippy release, we’ve added a few features and fixed a few bugs to make your reporting life easier.

The highlights of Dradis Pro v2.8

  • Added the content blocks feature
  • Added delete option for document properties
  • Added Excel export through the command line
  • Allow .xlsx and .xlsm templates.
  • Added “Default for template” in Evidence multi-add form.
  • New add-on:
    • Netsparker upload
  • Add-on enhancements:
    • Update Nessus plugin to include CVSSv3 fields
    • Added HTTPS Support for the Mediawiki plugin
    • Added content blocks service in dradis-plugins
  • Bugs fixed: #150#157, #332.

A quick video summary of what’s new in this release:

 

Content Blocks

The new content blocks feature makes adding notes to your report a lot easier. Gone are the days when you have to tediously add a node, add a note to it then set a category, only for you to forget it a few days later.

Document Property Deletion

We’ve added a way for teams to be able to delete unused document properties from their projects. You won’t have to worry about them cluttering your project anymore!

Ready to upgrade to v2.8?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro 2.7

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve added shiny new features to make reporting and collaborating with your team much easier.

The highlights of Dradis Pro v2.7

  • New Excel exporter
  • New Report Content page for custom document properties
  • v2 Methodology Admin templates
  • Methodology actions included in the activity feed
  • Independent scrolling for Methodology Lists
  • User profile image in the navbar
  • Word reports:
    • IssueCounters nested in Nodes work as expected.
    • New EvidenceCounter content controls.
    • Fixed handling of array properties
  • Add-on enhancements:
    • Improved the Qualys plugin data representation
    • Updated the Nexpose plugin with Evidence templates
    • Improved the Nexpose plugin parsing issues
    • Added mouseover details to the CVSSv3 calculator
    • Improved to the Dradis Plugins Content Service
    • Fixed Dradis Plugins import for extremely long descriptions
  • Fix plugin upload and export thor task errors
  • Bugs fixed: #119, #347

A quick video summary of what’s new in this release:

Excel Exporter

You can now export your projects to Excel! If you ever need to manipulate data and/or perform calculations for your exports, you can do this with customized formulas in Excel. How cool is that?

Here’s a sample of what your Excel report could look like:

Document Properties

With the new Report Content section, you can now define Document Properties for your project. No need to look for that misplaced properties note that you made ages ago!

New Methodologies Templates

To augment the improvements to the Methodology from the previous release, we’re adding the ability to add Methodology templates with the new Lists and Tasks. Go brethren! You are now free from the shackles of Pending and Done!

Ready to upgrade to v2.7?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

Tales from the Other Side: we survived our first security review

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or mountain dew
  • Followed the WAHH methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly, it was “like a scientist trying to do ballet for the first time.”. Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.

 

We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!

 

We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!

 

 

Attachments API using ruby

One of the latest additions in Dradis Pro release 2.6.0 was the attachments API. Until now that was only available using the web interface:

Web interface attachments widget, instead of attachments api new endpoint

Web interface attachments widget

As documented here that new API endpoint allows to manipulate node attachments via REST requests. Here there are a couple of examples, using curl.

Read attachments associated to a specific node:

curl \
 -H 'Authorization: Token token="iOEFCQDR-miTHNTjiBxObjWC"' \
 -H 'Dradis-Project-Id: 8' \
 http://dradis.ip/pro/api/nodes/18/attachments

The response to this request is a JSON list of attachments in that node:

[
  {
    "filename": "burp.xml",
    "link": "/nodes/18/attachments/burp.xml"
  },
  {
    "filename": "screenshot.png",
    "link": "/nodes/18/attachments/screenshot.png"
  }
]

This is a request to attach some other files to that node:

curl \
 -H 'Authorization: Token token="iOEFCQDR-miTHNTjiBxObjWC"' \
 -H 'Dradis-Project-Id: 8' \
 -X POST \
 -F 'files[]=@/your/local/path/image1.png' -F 'files[]=@/your/local/path/image2.png' \
 http://dradis.ip/pro/api/nodes/18/attachments

The response to this request is a JSON list containing the new attachments info:

[
  {
    "filename": "image1.png",
    "link": "/nodes/18/attachments/image1.png"
  },
  {
    "filename": "image2.png",
    "link": "/nodes/18/attachments/image2.png"
  }
]

In addition in this post we would like to extend that documentation providing examples on how to do that using a programming language. Since Dradis is implemented in ruby, here is how we could do that in ruby.

Using ruby there are many libraries that allow us to perform http requests, from the basic
already included ‘net/http‘ to more high level options like ‘rest_client‘, ‘faraday‘, etc…

We will show basic examples using these three mentioned options.
For each option we provide two examples:

  1. a request to get all attachments in a node
  2. a requests to upload a couple of files to a node (in the attachments endpoint many files can be uploaded with a single request).

If you intend to use the examples below, remember that you should use your virtual appliance IP instead of ‘dradis.ip‘. Also change the token, project id and node id in the examples to your own values.

Attachments API using ‘rest-client’ ruby gem:

First of all we will need to install the ‘rest-client’ ruby gem. It can be installed with:

gem install rest-client

Read attachments associated to a specific node:

require 'rest_client'
RestClient.get(
  'http://dradis.ip/pro/api/nodes/18/attachments',
  {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
)

Attach some other files to that node:

require 'rest_client'
RestClient.post(
  'http://dradis.ip/pro/api/nodes/18/attachments',
  {
    'files' => [
      File.new("/your/local/path/image1.png", 'rb'),
      File.new("/your/local/path/image2.png", 'rb')
    ]
  },
  {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
)

Attachments API using ‘faraday’ ruby gem:

To install faraday:

gem install faraday

In this case we are trying to reuse the same connection, probably useful when building a script that sends many requests to the same endpoint.

require 'faraday'

# Establish connection
conn = Faraday.new(
  url: 'http://dradis.ip/pro/api/nodes/18/attachments',
  headers: {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
) do |faraday|
  faraday.request :multipart
  faraday.adapter :net_http
end

# Read attachments associated to a specific node:
get = conn.get
puts get.body

# Attach some other files to that node
post = conn.post(
  nil,
  {
    'files' => [
      Faraday::UploadIO.new("/your/local/path/image1.png", 'image/png'),
      Faraday::UploadIO.new("/your/local/path/image2.png", 'image/png')
    ]
  }
)
puts post.body

Attachments API using ruby ‘net/http’:

‘net/http’ is part of the ruby standard library, so if you already have ruby nothing else should be installed to run this script. As a counterpart this option works at a lower level than the previous ones, therefore the code looks a bit more complex.

require 'net/http'

uri = URI('http://dradis.ip/pro/api/nodes/18/attachments')

Net::HTTP.start(uri.host, uri.port) do |http|
 
  # Read attachments associated to a specific node:
  get_request = Net::HTTP::Get.new uri
  get_request['Authorization'] = 'Token token="iOEFCQDR-miTHNTjiBxObjWC"'
  get_request['Dradis-Project-Id'] = '8'
  get_response = http.request(get_request)
  puts get_response.body

  # Attach some other files to that node:
  BOUNDARY = "AaB03x"
  file1 = '/your/local/path/image1.png'
  file2 = '/your/local/path/image2.png'

  post_body = []

  post_body << "--#{BOUNDARY}\r\n"

  post_body << "Content-Disposition: form-data; name=\"files[]\"; filename=\"#{File.basename(file1)}\"\r\n"
  post_body << "Content-Type: image/png\r\n"
  post_body << "\r\n"
  post_body << File.read(file1)

  post_body << "\r\n--#{BOUNDARY}\r\n"

  post_body << "Content-Disposition: form-data; name=\"files[]\"; filename=\"#{File.basename(file2)}\"\r\n"
  post_body << "Content-Type: image/png\r\n"
  post_body << "\r\n"
  post_body << File.read(file2)

  post_body << "\r\n--#{BOUNDARY}--\r\n"

  post_request = Net::HTTP::Post.new uri
  post_request['Authorization'] = 'Token token="iOEFCQDR-miTHNTjiBxObjWC"'
  post_request['Dradis-Project-Id'] = '8'
  post_request.body = post_body.join
  post_request["Content-Type"] = "multipart/form-data, boundary=#{BOUNDARY}"

  post_response = http.request(post_request)
  puts post_response.body
end

Final thoughts

In conclusion, sending requests to the API should be easy enough from any programming language. In the ruby case, using a specialized gem seems like the best choice.

New in Dradis Pro v2.6

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

Our first 2017 release, Dradis Pro v2.6 is loaded with some very interesting features to coordinate your team and generate better reports, faster.

The highlights of Dradis Pro v2.6

  • Better support for security testing methodologies (see below)
    • Organize tasks in a Kanban board (we ❤️ Trello too!)
    • Provide additional context, gather results, or set a due date for each task.
    • Assign tasks to different team members.
    • Keep Notes and information on each task.
    • Export Methodology details into your reports.
  • Merge multiple Issues in your project (see below)
  • Local Profile Pics (not just Gravatars!)
  • Redesigned error pages with the data you need for troubleshooting.
  • Edit / delete links for Evidence, Issues, and Notes from the sidebar.
  • Attachments HTTP API endpoint.
  • Validate Evidence fields.
  • Automatically generated Evidence Template.
  • Add-on enhancements:
    • Updated Nessus Plugin to support files that are missing a plugin_output tag.
    • Updated Qualys Plugin to better handle tags in report content.
    • Updated Burp Plugin to detect non-base64 encoded files and binary request/response data.
    • Updated the Burp-Dradis connector to correct HTTPS errors.
  • Word reports:
    • Methodology and Task content controls let you provide fine-grained information about your testing methodology as part of your deliverables.
  • Fix XSS in Issues diff view.
  • Bugs fixed: #84, #104, #164, #206, #280, #316

A quick video summary of what’s new in this release:

Methodologies becomes a 1st class citizen of the framework

Methodologies now contain Lists and Tasks. Create custom Lists, add Tasks to the Lists, and move the cards from one List to the next.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Move Tasks between lists.

You can also set due dates, assign cards to team members, and create fields within Task descriptions that can export into your reports.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Create detailed Task descriptions, set due dates and assignees

Combine issues

Combine multiple Issues using our new merge feature. Just find and select the Issues that you want to combine:

Dradis Pro v2.6.0 includes a Merge Issues feature

You can combine them into a brand new Issue or into one of the existing Issues.

Dradis Pro v2.6.0 includes a Merge Issues feature. Combine multiple Issues into a new target Issue.

Ready to upgrade to v2.6?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

Dradis Framework Founder’s Letter – 2017

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors so we can keep our users front and center. Were trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And, we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis community edition is being downloaded an average of 400 times per weekWhat we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still,  there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300+ teams. This is a challenge, but we wouldn’t have it any other way. Plus, this the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest our community.

To our best year ever,

Daniel