Dradis Framework Founder’s Letter – 2017

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors so we can keep our users front and center. Were trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And, we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis community edition is being downloaded an average of 400 times per weekWhat we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still,  there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300+ teams. This is a challenge, but we wouldn’t have it any other way. Plus, this the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest our community.

To our best year ever,

Daniel

New in Dradis Pro v2.5

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

Before the end of 2016, we’re excited to bring you Dradis Pro v2.5 with updates and upgrades across the product.

The highlights of Dradis Pro v2.5

  • Trash feature to restore deleted content (see below)
  • Hide expand button in Nodes tree when Node has no children
  • Add multiple Nodes at the same time (see below)
  • Automatically generated Issue template from Report Template Properties (see below)
  • Improved Project Validation error messages
  • Performance upgrades (Russian doll caching)
  • Add-on enhancements:
    • Include CVSSv3 scores in the Acunetix plugin
    • Accommodate Severity Recasting in the Nessus plugin
    • Update Nmap plugin Services table and NSE data
  • New add-ons:
    • Zed Attack Proxy (ZAP) upload
  • Word reports:
    • Filter Evidence content controls
  • Bugs fixed: #215, #256, #268, #327, #334, #336, #337, #338, #340

A quick video summary of what’s new in this release:

Trash Feature

Use the trash feature to recover your deleted content and restore. You can filter the Trash contents to find that one Issue that you need to restore. Then, add it back into your project with a single click.

Recover your deleted content with the trash feature in Dradis Pro v2.5

 

Multi-add Nodes

No more adding one Node at a time. Now you can use the new “Add multiple” option when you’re creating Nodes. Just paste in a list of Nodes to create all of them at the same time.

Add more than one Node at a time in Dradis Pro v2.5

Issue template from Report Template Properties

You’re already using the Report Template Properties for automatic validation, right? We’ve extended the Issue fields even further to help make your life easier. First, define the Issue fields in your Report Template Properties:

Use your report template properties to automatically generate an Issue template in Dradis Pro v2.5

Then, when you manually create an Issue, you’ll notice a new option in the dropdown. Select Default for template and Dradis will automatically pull in the Issue fields from your Report Template Properties to create your Issue template.

Select Default for template to automatically create an Issue template from your report template properties in Dradis v2.5

If you specified values for your text field, they’ll even appear in a list so that you can be sure that your Issue has the fields and values that your report template is looking for.

Your Issue template is automatically created from your report template's Issue Fields in Dradis Pro v2.5
Ready to upgrade to v2.5?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.4

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.4 with some long-requested improvements.

The highlights of Dradis Pro v2.4

  • Project-wide search (see below)
  • UI improvements (see below)
  • Copying of Report Template Properties
  • Word reports
    • Better file extension handling in Windows
  • Minor bug fixing.

A quick video summary of what’s new in this release:

Project search

It is now possible to perform a project-wide full-text search against Evidence, Issues, Nodes and Notes:

A screenshot showing the "All" tab with results for a "DNS" search

A screenshot from the Search results page showing only Node matches

UI improvements

Dradis is used by over 270 teams in 33 countries around the world. When people are using your platform to edit and generate content in languages as varied as Simplified Chinese, Slovenian or Turkish, it becomes very easy to spot and squash internationalisation and character encoding bugs.

With this release we’ve made sure that Tags fully support names encoded in UTF-8:

A screenshot showing a tag in simplified Chinese

Evidence multi-add

It is not uncommon to need to link the same Issue to a number of hosts in your project. We’ve redesigned the UI to make this task a lot simpler:

  • Select the Evidence template you need (or start with a blank slate).
  • Tick off the relevant items from the Existing Hosts list.
  • If needed, paste list of new IP addresses that will be added to the project and also associated with your Issues.

A screenshot showing the new Add Evidence feature that lets you select existing nodes from a list, or paste a list of IP address.

Validate on save

Teams working with Dradis normally need to use a number of different report templates (e.g. one for vulnerability assessments and one for social engineering). To make it easy for users to remember what information they need to provide on each template we’re now validating the contents supplied by the user against the individual template requirements so we can present a warning if the content doesn’t match the template’s expectations:

A screenshot showing warnings about missing fields and mismatched values in a recently created issue.

Optimistic locking

Have you ever been in a situation where just after updating an Issue or Note, you find out that one of your team mates was also editing that feature? From now on, Dradis will warn you when someone else has been modifying the content you were busy with, so you have the peace of mind to know you’re always working on the latest version of the content:

A screenshot showing how Dradis detects a modification to the content you were just trying to edit.

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the the 1-page summary.

New in Dradis Pro v2.3

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.3 with some interesting additions.

The highlights of Dradis Pro v2.3

  • Smart issues table (see below):
    • Filter / search contents
    • Custom columns
    • Show / hide columns
  • Tabbed view for: Issues, Notes and Evidence (see below)
  • Admin > Templates > Reports improvements
  • Admin > Templates > Projects improvements
  • Redesign of empty views: project, issues, methodologies
  • Add-on enhancements
    • Acunetix: better code / syntax parsing
    • OpenVAS: bug fixing
    • – Project export: improve SQL efficiency
  • Methodologies module
    • Fix task status handler (tasks w/ special chars)
    • Progressive design enhancements
  • REST/JSON API:
    • New coverage: Notes, Evidence
    • Track API actions in Activity Feed
  • Word reports
    • Image captions (see below)
    • Fix bug w/ special chars in Node labels
  • Security fixes
  • Bugs fixed: #324, #325

Smart issues table

Dradis is used by over 270 teams in 33 countries around the world. Each team has a very different way of structuring their findings. With the new smart issues table, each user can decide what information should be presented on the screen for each project:

 

UI improvements

A few screenshots of the recent redesigns:

A screenshot of an Issue showing tabs for Information, Evidence and Activity

A screenshot showing the All Issues table with the new controls for filtering and showing/hiding columns.

A screenshot showing the Web Application Hacker's Handbook methodology

Word image captions in action

You can now specify the caption associated with your screenshots so it appears in your reports:

A screenshot showing how to specify the caption for an image

Hover the image to show the associated caption:

A screenshot showing Dradis rendering an image with a caption.

And select a custom Caption style for your Word image captions:

A screenshot showing a Word document with an image and a caption

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the the 1-page summary.

New in Dradis Pro v2.2

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Two short months after the release of Dradis Pro v2.1 in February we’re pleased to bring you Dradis Pro v2.2 which is focused around connectivity and performance.

The highlights of Dradis Pro v2.2

  • Full REST/JSON API coverage (documentation)
  • Performance improvements: Rails 4.2, Ruby 2.2, memory monitoring.
  • Fix bug in Activity Feed of project templates.
  • Add-on enhancements:
    • CSV: export evidence data, fix CLI integration
    • HTML: fix CLI integration
  • Bugs fixed: #204, #319

The REST API

Through the new HTTP JSON APPI you can securely access all of the application entities including:

Screenshot showing a GET request to the /clients endpoint

Perform CRUD operations on all application objects through an easy-to-use JSON interface.

Screenshot showing a POST request to the /issues endpoint

Use your favorite language to interact with the data contained in your Dradis environment.

Performance boost: faster, more responsive interface

Dradis Pro v2.2 also comes with a new version of the Rails framework and a modern version of Ruby. Both of these upgrades should have a significant impact in the overall performance and snappiness of the app and also bring some interesting security features out of the box. Strong parameters and DB performance come to mind on the Rails front and garbage collection (GC) of symbols on the Ruby front are some of the notable changes.

For the nitty gritty details please see the Rails 4.2 release notes and the Ruby 2.2 announcements.

Still not a Dradis user?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the the 1-page summary.

New in Dradis Pro v2.1

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Throughout 2016 we’re aiming to shorten our release cycle, and we’re pleased to bring you Dradis Pro v2.1 with a collection of enhancements that will make your day-to-day life a little bit easier.

The highlights:

  • DB performance improvements.
  • Session timeouts.
  • New add-ons
    • CVSSv3 score calculator.
    • DREAD score calculator.
  • Add-on enhancements:
    • Nessus: add support for compliance checks.
    • Nessus: use Node properties.
    • IssueLibrary: tagging of findings + UI improvements.
    • Rules Engine: rule sorting + UI improvements.

A few screenshots of the release

Screenshot showing the IssueLibrary entries with a badge showing their tags

Tag entries in your IssueLibrary

A screenshot showing each rule with handle bars for easy dragging / moving.

Drag and drop rules to re-order them

A screenshot showing the interface of the new calculator that lets you generate CVSSv3 by choosing the value for each subscore.

Calculate CVSSv3 scores and vectors from within Dradis

A screenshot of a piece of Evidence in Dradis with the Policy Value, the Actual Value and the Compliance Status of the check.

We can parse and export to your report Nessus’ compliance data.

How to upgrade to Dradis Pro v2.1?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the the 1-page summary.

New in Dradis Pro v2.0

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams.

Just in time for the new year a fresh release of Dradis Pro is out of the oven. We’re really excited about Dradis Pro v2.0 as it is going to allow you to have a much better understanding of what is going on in all your security assessments.

The highlights:

  • Activity Feed: see what others are doing (see below)
  • Content revisions: track and *diff* edits (see below)
  • REST API: Clients and Projects
  • New Change Value action for the Rules Engine
  • Open support ticket from the app
  • Better issue Tagging support
  • Scheduled DB cleanup
  • DB performance enhancements
  • New add-ons
    • Brakeman Rails security
    • Metasploit Framework
  • Word reports
    • Better handling of screenshots
    • Pre-export validator (see below)
    • Add .docx / .docm support CLI generation
    • Report template properties (see below)
  • Plugin enhancements:
    • Acunetix issue identification accuracy
    • LDAP integration
    • NMap CLI bug fixed
    • NTOSpider additional data gathering
    • NTOSpider Plugin Manager bug fix
    • Qualys port and protocol information
  • Security fixes

Bugs fixed: #223, #301, #303, #307b

Dradis v2.0 video summary

The most juicy features in a 1m32s video:

The Activity Feed

The new Activity Feed is displayed on every view of the project. It lets you see who has been working on what (and when).

In the Project Summary page, the feed looks like this:

creenshot showing different activities with the associated user, and data (e.g. Rachel created a note), along with a link to the activity.

The project activity stream.

There is an Activity Feed for issues, evidence, notes and nodes, so nothing will slip through the cracks.

Versioned content

In addition to knowing who did what and when, we’ve taken it one step further: it is now possible to view and compare the changes that were introduced in any piece of content during the lifetime of the project:

A screenshot showing the view comparing the differences between two revisions of the same content.

The Activity Feed view from the Project Summary page.

Report template properties and pre-export validator

Finally a handy feature on the reporting front. Since Dradis doesn’t force you to change the way you write your report, we don’t make any assumptions about how you want to work (trivia fact: Dradis has been used by over 200 teams in 32 countries and dozens of languages). As a result some times there is a small discrepancy between the content in your Dradis project and what your report template is expecting.

For example, say you use High, Medium and Low for risk rating. Maybe in one of the issues somebody made a typo and used Hihg instead of the appropriate spelling. Or say that your template is expecting you to define properties for Project name and Client point of contact but your forgot? Fear not, the new pre-export validator is here to help!

A screenshot showing the different checks the validator is making.

The pre-export validator in action.

So far we’ve got the following checks, but we’re already working in the next batch:

How to upgrade to Dradis Pro v2.0?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the the 1-page summary.

Creating Sustainable Cultural Change

In previous articles in this series on differentiating your InfoSec consulting company, we’ve talked about the importance of two core areas:

  • Process improvement and
  • Improving the customer experience

Most everyone would agree these are worthwhile aims. We all want our processes to get better and more efficient, and we all want clients to be satisfied with our work. Truly improving in these areas requires a culture aligned with these values.

But the nature of many InfoSec companies can make it difficult to change the culture. For one thing, there is often a rather frantic focus on just getting projects finished, and this doesn’t leave time to discuss bigger picture philosophies or allow time to get everyone onboard for a larger process change.

Also, the high value of technical talent often means that managers are hesitant to tackle process changes. They don’t want to take the risk of aggravating talent; they want to keep them happy. Keeping talent happy is a great goal, of course–it only becomes a negative when it interferes with other, important areas of improvement.

In this article, we’ll go over some strategies for enacting sustainable process change at your InfoSec company whilst keeping your team members happy. This article will assume you have either already read the other articles in our series or that you have some specific cultural changes you want to implement but are having some problems.

Explain How Changes Impact The Customer

Any meaningful improvement to a product or service will stem from a focus on the client experience. And most team members do want their clients to have a good experience.

But you must explain to your team members why your proposed changes are important to your clients. For example. it’s not enough to simply command: “Starting today, you must create testing methodologies after every project and share them with the team.” Your team must fully understand the full chain of events that make a new procedure important, which would go something like this:

  1. Improving methodologies means less time spent on easily repeatable tasks.
  2. Less time spent on easily repeatable tasks means more time spent on unique project challenges.
  3. More time spent on unique challenges means better service for the client.

And they should understand the downside to continuing to do things the old way.

For example, when all team members use their own methodologies and there is no consistency from project to project, this hurts the client’s experience (especially for repeat clients).

Major takeaway: Talk to your team about the greater philosophical reasons for your changes. Make them see that you are doing this for the customer.

Explain How Changes Impact The Team

In a similar way, team members need to see how changes help them do their job more easily and help them hone their craft. The logic here is basically:

  1. Making procedures more efficient means team members spend less project time on easily repeatable tasks.
  2. This leaves team members more project time for doing the fun and creative hacking–the stuff they love to do.
  3. More time spent on interesting and challenging hacking makes a hacker smarter and better at his job, which improves his standing in the industry, increases his reputation, payrate, etc.

To create real cultural change, it’s necessary to get true buy-in from everyone. And this means that your team needs to see what’s in it for them. The more you can make them see what’s in it for them, the more buy-in you get and the easier it is to shift the culture.

If you haven’t already, check out one of our past articles on how more process standardization can, perhaps counterintuitively to some people, actually increase creativity.

Get Management and Influential People Onboard

If a large company change does not have the buy-in of senior and influential members of your team, it probably won’t succeed. For example, if you have a senior tester or manager denigrate a new process openly, that has a huge impact on whether the people working with him will be more or less likely to use it.

To mitigate this conflict, try to help these team members understand the importance of the changes you’ve put in place, both for your clients and for them personally. Also explain that their buy-in is especially important in creating a trickle-down effect in the company.

An important point: You may have employees who are not technically in powerful positions but who nonetheless may be very socially influential. It’s important to discover who those team members are so you can do your best to persuade them, too.

A potential stumbling block. One possible obstacle is that some of your more senior team members may have had negative past experiences with failed process overhauls. They may be thinking, “Yeah, I’ve seen people try to do this kind of thing before. It’s pointless and won’t work.” This is actually a great opportunity to ask those members about those past attempts at change. What worked and why did it work? What didn’t work and why not? If you give them a chance to be a part of the discussion, they will feel more involved and positive about the effort.

Use Real Stories

When you try to sell the changes to your team, use real stories and anecdotes. Real stories are powerful and convincing and help people see the value of the new way of doing things. This is why companies use testimonials from customers to show the value of their products. Thought of in another way, what you are doing can be thought of as selling ideas to your team, so be willing to use any promotional tactics at your disposal.

For example, at a team meeting, you can talk about how a new procedure resulted in measurable positive results for a specific client, and read a testimonial from the satisfied client. Go on to explain how that got you thinking about extrapolating similar results across the board, and how that translated into the changes that you are going to be implementing over the next few weeks. They key message to convey is that new ideas are not coming out of thin air; they are grounded in solid value added to your clients, the company or the team. You just need to find the right way to let team members know how you got to the conclusions you did, and what needs to happen next.

Or you can get a team member to describe how a new procedure saved them time on a project and how they had more time to devote to tests that were actually intellectually engaging.

Consider Remote Workers

These days, most InfoSec companies rely on remote workers. If you have remote workers, don’t forget about them. Process changes need to be done company-wide or it’s unlikely they’ll be successful.

Plan ways to communicate the new processes to your remote workers. When was the last time you had a one-to-one with each of your remote workers? How can you expect for them to be invested and onboard new processes if you haven’t checked in with them for several months? Schedule video conferences and make sure your team knows that these are important events. If anyone can’t attend them (e.g. they need to be off-site for a client visit), go out of your way to bring them in the loop. You need to reach out to anyone and take the time to explain the importance of what you are doing, if you want them to embrace your ideas.

If at all possible, consider having all your workers travel to a single location to roll out and talk about the new changes.

Set Goals That Are Measurable (and Failable)

When the goals of a change initiative are too vague, the initiative will rarely succeed. You need to have goals that are measurable, so that you know if the cultural changes are sticking. You need to have goals that can fail, so that you know when you are not succeeding.

For example, if one of your goals is something ambiguous like: “Improve internal understanding of tech methodologies,” there is no real way to measure that. You will never know if you’ve actually succeeded.

So make your goals concrete and measurable, like “Review 1–2 methodologies each month.”

Go For Small Wins (and Small Failures)

It can be daunting to create large cultural and procedural changes at a company, we know. Especially because the people responsible for those changes can sometimes be blamed for things that go wrong.

So it’s worth pointing out that some of the best and most long-lasting process improvements start small and grow from there. You should focus on making small but lasting and widely-used improvements. You don’t have to roll out a hugely complex series of changes all at once. Instead, you can make small changes that create noticeable benefits, then track and measure them. This will create a snowball effect that leads to bigger and more widespread changes.

For some of our best ideas on making this happen in your company, read “Getting Quick Wins”.

Next…

Hopefully this article has shown you a few ideas for creating long-lasting, sustainable cultural change at your InfoSec consulting company. If you liked this article, check back on our site for future related articles.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

Stabilizing (and Increasing) Revenue

Many information security companies these days are struggling to maintain revenue. Many are finding it difficult to maintain their rates and their client list. The InfoSec market has been increasingly commoditized, with many standalone pentesting tools and many new competitors.

With these new market pressures, InfoSec consultancies are trying to provide as much value to their clients as possible, and are looking for ways to provide new and ongoing services.

In this article, we’ll look at some ideas for stabilizing and increasing revenue at your InfoSec company. Some of these ideas are currently being used by some InfoSec companies, but at Security Roots, we believe these ideas are deserving of wider implementation and experimentation.

You can think of this article as a brainstorming tool. As you read these insights, apply them to your company and your specific clients.

Pre-Booking Work

The first idea we’ll look at is the pre-booking of work, which is the point when you sell your services to a client for a specific time in the future. For example, a client has an app scheduled for release six months away, so you pre-sell them 60 man-hours that they can use any time during that month.

Often, this is used in conjunction with a discount on the usual rate. Maybe you offer your services at 80% of your normal rate when booked six months ahead or during a typically quiet block of time on your calendar.

This is a technique used in a lot of industries to exert some control on the ebb and flow of demand. For example, the airline industry lowers its rates during slow seasons in order to maintain smoothness in its bookings. Offering a pre-booking discount could also be a way for your consultancy to maintain some smoothness in your schedule and even out the times of the year you know are historically slow or unpredictable.

Another way to implement this would be to have clients pay for x number of man-hours, which they could use at any time, as needed. Tweak this approach even further by charging higher rates to ensure immediate access and a rapid response from your team.

Retainer Service Agreements

With retainers, clients pay in advance for work to be specified later.

Some types of retainer-type agreements include:

  • Paying for emergency response work in the event something goes wrong. This retainer usage is kind of like insurance.For a fee, you’re ensuring that someone is available for an immediate response.
  • Clients pay upfront for a certain amount of pentesting and vulnerability-seeking per month (this is basically what we talked about above, with pre-booking of hours).
  • Clients pay upfront for guaranteed access to your team consulting and discussion.

With regards to this last idea, there are many ways you might provide clients access to your team’s expertise. Your team has deep insights into vulnerabilities and testing, of course, but they probably also have a lot of thoughts on secure development practices. So, for example, let’s say a software company client is adding an LDAP authentication layer to their software. This client might find it valuable to get input from one of your team members on the process to help them minimize risks of a future compromise.

Subscription Services

With subscription services, you are trying to achieve more passive income and move away from time-intensive tasks to more automatic ones. The main difference that separates subscription-based services from retainer-type services is that your subscription offerings are not tied to the specifics of a single project. Your subscription offerings are ways to bundle your expertise and knowledge into more packageable, automatic chunks. (Subscriptions can overlap with retainer agreements a bit, depending on the services offered.)

The traditional subscription service in the industry has been the Vulnerability Assessment service, which is often mandated by different policies and regulatory bodies (e.g. monthly PCI scans). But that is not the only service you can offer.

Examples of subscription services:

Automated (or semi-automated) newsletters/emails. With a content management system, you can create a database of which clients have specific technologies, and then automatically send security-related news about those individual techs every month (or more frequently) to your clients (e.g., security releases by vendors, new vulnerability classes, latest research / white papers / conference presentations / etc.). Basically, it’s kind of an automated, personalized newsletter. You can also add in items related to specific industries (for example, sending banking-related security news to your bank clients).

Product-specific recurring vulnerability scanning. (This could also be thought of as a retainer-based deal.) The idea is that you’re running automatic scans of specific products and technologies without much need for human oversight of the tests. We’ve seen this service with WordPress site scanning, but it also works for any other widely available product category: CMS, e-commerce shop, blogging platform, enterprise portal, etc.

Threat intelligence. No matter what your opinion is on the merits of “threat intelligence”, the truth is that vendors providing these types of service have found a profitable recurring subscription model.

Compliance and legal issues. In the same way, you could automatically gather news/updates on legal and compliance issues that affect clients in certain industries, certain regions, or certain technologies, and send that as an automatic email. This ongoing communication lets your clients know that you’re watching trends and watching out for them on multiple levels as you’re saving their mental bandwidth.

Recurring Testing Services

You could charge a retainer/subscription-type service for recurring vulnerability testing of various kinds. Examples of recurring tests are:

  • Recurring scans of critical assets
  • Perimeter monitoring
  • Social engineering and phishing attempts of company’s employees
  • Random DDoS fire drills

For all testing and scanning you do, you should be tracking your activities and the related improvements in the client’s system. This will let you easily prove the worth of the work your team is doing. Keep in mind that it’s not the raw data that is important to your clients; your main value is in providing them actionable information, which will come in the form of trends, delta reporting, and comparisons with other companies.

Recurring Training and Education

You could also provide recurring training and education for your clients. This could take many forms, depending on your area of expertise or the client’s needs. Ideas include:

Employee Awareness Campaigns

These could be occasional in-person or online training sessions, dedicated to improving the client workforce’s understanding of security threats. The more specific to a client’s needs and workplace you can make this, obviously the more value the client gets. But even a fully-automatic online training could improve things for many clients.

Awareness and training doesn’t have to be limited to lessons, video, or audio. It can also mean monitoring the news and forwarding to your clients specific instances where lack of awareness resulted in a breach or some other negative outcome. The idea is to make your client’s employees have an “aha” moment and think, “Well, I didn’t know about that vulnerability, and we could be the next headline.” This targeted information can prove to them the value of your regular input on security issues.

Training on Specific Products/Tech

You could do customized or automated online training on specific products and their vulnerabilities (e.g., WordPress, Sharepoint, etc.). This goes hand in hand with your product-specific scanning service. The knowledge you gain through the scanning service can be repackaged and offered as training material, hardening guides, etc.

Monthly Calls

Similar to the retainer-style agreement, you could have clients pay upfront for a certain number of hours to talk to your staff about practical issues they are facing or potential threats they want to discuss.

Better Opportunity Tracking

We might be saving the strongest idea for last here. One of the major ways InfoSec companies drop the ball is that they don’t optimally track the many ways they might continue to provide value for their existing clients. Here are some ideas on how to improve discovery of new opportunities:

  • Follow-up. Do you check back with existing clients regularly to see what they are doing and what they may need? It should be a part of your standard protocol to check in with clients.
  • Post-project surveys. When projects are done, a survey should be given to your clients. Not only does this help discover their opinions and thoughts on the completed project, it helps illuminate the value you just provided them, which might otherwise be a bit unclear. (For example, ask, “What potential future issues might have arisen if our team had not uncovered this vulnerability?”) The survey can also bring to light other areas in which you might offer them value.
  • Tracking products and technology used. By keeping files on what products and tech your clients are using, this will allow you to proactively look for opportunities to win work from them. For example, if there is a major vulnerability discovered in Android, it can be part of your process to send an email about this to your Android app clients.

Start Small and Improve

As we’ve talked about in past articles, you shouldn’t be afraid to start small. Some people put off making changes to their product/service offerings because they think there has to be some huge, overarching plan in place before they make changes. But if there are obvious quick and easy wins you can get by making the change, go ahead and do it.

For example, you could start offering retainer-type services tomorrow if you wanted. You could toss up some copy about these services immediately and that might have an immediate impact on attracting a new client.

The thing to remember about making these changes: you will be continuously improving them. As your clients give you feedback and as your team understands the product better, you will get better at doing it. You’ll figure out how to optimize the process, how to reach more clients, and how to make more money.

So, in short, don’t be afraid to start small and improve from there.

Next…

Hopefully this article has helped you brainstorm some ideas on how to stabilize and increase revenue at your InfoSec consultancy.

If this article strikes a chord with you, please reach out and let us know the financial challenges at your company and maybe some unique changes you’ve instituted to improve your situation.

In our next article in this series, we’ll be discussing ways to enact long-term and meaningful cultural change at your InfoSec company.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

New in Dradis Pro v1.12

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.12. Dradis is a collaboration and automated reporting tool for information security teams.

The highlights:

  • New Accunetix and NTOSpider connectors
  • Updated Burp and OpenVAS connectors
  • Business Intelligence add-on (see below)
  • Rules Engine add-on (see below)
  • Reporting engine enhancements:
    • Pre-export validator
    • Native support for .docx and .docm
    • IssueCounter control
    • Concurrency enhancements
  • Bugs fixed and feature requests: #128, #131, #141, #145, #152, #184, #189, #197, #201, #205, #207, #212, #216, #232, #238, #239, #254

Rules Engine add-on

Define rules that kick in when you upload the output of a scanner. Akin to your email client processing rules, the Rules Engine allows you, among other actions, to:

  • Tag findings based on their fields (e.g. tag as Critical if CVSSv2 is > 9)
  • Merge several findings into a single one (e.g. group all those pesky “missing patches” entries under a single finding)
  • Replace the default description with your own. That’s right, every time Burp finds XSS, you will get a finding with your team’s custom Description / Recommendation for this vulnerability class.
A screenshot showing the list of configured rules in this Dradis Pro instance.

Define the rules that will kick in when you upload the output of a scanner.

A screenshot showing a rule definition where two findings (one from Nessus and one from Qualys) will be replaced with the team's own description of the problem.

Sample rule: de-duplicate findings.

A screenshot showing a rule definition where any finding coming from a scanner is replaced with the team's own description in the IssueLibrary

Sample rule: use your own descriptions.

Business Intelligence add-on

Most likely you’re running 100s of projects each year. The Business Intelligence add-on helps you make sense of the wealth of information that is at your fingertips but that most likely you haven’t been tracking. These are some of the questions you will be able to start answering:

  • What do you know about the types of projects you’re running (what percentage is webapps vs infrastructure)?
  • What types of clients are you serving? In what industry?
  • How are the most profitable client types?
  • What percentage of your projects is under-scoped or over-scoped?
A screenshot showing the Business Intelligence view with: a list of custom properties for Clients, for Projects and a search facility.

The Business Intelligence dashboard. Define custom properties for Clients and Projects to track business metrics.

New admin layout

Yes, we finally have a layout like it’s 2015 (well maybe 2013), but a great improvement over our bare-bones previous one. Here are just a couple of quick examples:

A screenshot showing the project selection view inside Dradis Pro.

Project section view.

A screenshot showing the list of users registered in a Dradis Pro instance.

All users registered in the Dradis Pro instance.

How to upgrade to Dradis Pro v1.12?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.12.0

Still not a Dradis user?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features. Or if you want to start from the beginning, read the the 1-page summary.