New in Dradis Pro v4.5

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

CSV Importer

Dradis can now import CSV files into projects! Some vulnerability scanners produce output in CSV format rather than e.g. XML or JSON. You can now import these (and other) CSV files into Dradis, and configure which column to assign to which field in your Dradis projects on a per-file basis. Simply go to “Upload”, select the CSV importer, upload a file, and you will be redirected to an interface to assign data to fields. As with other plugins, you can create Issue, Evidence, or Node data and fields.

This is v1 of the CSV importer, so we look forward to your feedback on what works for you and what you would like to see in the future from this feature!

Note that for the sake of internal naming consistency, we have renamed the CSV exporter plugin with this change, so if you have the CSV exporter installed, you will need to reinstall the plugin as dradis-csv_export.

JIRA bulk send

Do you use our JIRA integration? If so, you can now bulk-send issues to JIRA. Simply select multiple issues from your project in the “All Issues” view, and click “Send to JIRA”:

That will send all your selected issues to the Dradis-JIRA interface. Pick the destination project, issue type, and other required fields for each item, and you’re done!

Bug fixes and quality-of-life improvements

Another focus of the v4.5 release is working through some bug reports and lower-level requests we have accumulated over time.

Bug fixes include multiple items relating to attachment validation and export, Node labels linking to external resources (so e.g. clicking on a Node label of “www.google.com” will no longer redirect you to Google instead of the Node in Dradis), and the Rules Engine matching against IssueLibrary entries without trailing empty lines.

Quality-of-life improvements include adding Revision History for Content Blocks and improved error messages in the Output Console on Word report export. Check our release notes for more detail!

Release Notes

  • Content Blocks: implement Revision History
  • Upgraded Dradis Pro to run on ruby 3.1.2
  • Upgraded gems:acts_as_tree, bootsnap, bundler-audit, factory_bot, paper_trail, rails, rails-html-sanitizer, timecop, thor, unicorn, unicorn-worker-killer
  • Bug fixes:
    • Attachments: Fix attachments not showing, validating, or exporting correctly
    • Evidence:
      • Add validation for creating evidences in the issue view
      • Set correct localStorage key to prevent pre-populating incorrect content at the issue level
    • Issue Library: Render colored badges in the Tags column of the entries table
    • Nodes: Prevent evidence labels linking to external resources
    • Rules Engine: Fix the Rules Engine not matching Issue Library entries with no trailing empty lines
  • New integrations:
    • CSV Importer
  • Integration enhancements:
    • JIRA:
      • Add support for datepicker custom fields
      • Add Bulk Send To support
      • Update JIRA setup instructions
    • Rules Engine: Prevent subsequent rules from running after a discard action
    • Qualys: Wrap ciphers in code blocks for the Vuln Importer
  • Reporting enhancements:
    • CSV Export: Rename integration to dradis-csv_export
    • HTML Export: Add :rtp plugins feature
    • Word:
      • Fixes “-” in hyperlinks displaying HTML entity
      • Fixes duplicated relationship Ids when adding relationships
      • Fixes text with double exclamation marks breaking report
      • Show error message in export logs when populating multi-paragraph content in inline content controls
      • Show error message in export logs when removing invalid screenshots
  • Security Fixes:
    • Medium: Authenticated author broken access control: read access to issue content

Not using Dradis Pro?

New in Dradis Pro v4.4

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Plugin Manager Validation

The Plugin Manager has new validation! Previously, you’d need a file like issue.txt to use when configuring the Plugin Manager. Now, you can simply associate the Plugin Manager with one of the report templates on your Dradis instance. You’ll see a validation check on the right that will tell you about any missing fields as you configure.

Rules Engine Population

Remember that after a tool file is uploaded, the data runs through the Plugin Manager, then hits the Rules Engine. So, we’ve also updated the Rules Engine so that when you build out new Rules, the Match Field trigger is populated with a dropdown of fields that matches what you configured in the Plugin Manager. No more double-checking field names, capitalization, or anything else like that.

Duplicate a Project

Want to start over with a copy of one of your existing projects? Previously, we had the project import/export feature that would work for this but the new Duplicate button streamlines the process significantly. For retests or just starting over with a copy of a project, just hit the Duplicate button and a new project will be automatically created that is identical to the old one.

Bulk Update Issues and Evidence fields

Have you ever run into a situation where you wished that you could edit multiple Issues or instances of Evidence at once? You can now! Just select multiple Issues or instances of Evidence:

Release Notes

  • Login View: Design update
  • Plugin Manager: Add ability to validate plugin templates with report templates
  • Projects: Add ability to clone projects
  • Tylium:
    • Implement bulk updating for issues/evidence fields
    • Improve mobile experience
    • Show the resource title in the header when viewing a resource
  • Upgraded gems:
    • nokogiri, rack, sinatra
  • Bugs fixes:
    • Cards: Prevent adding ‘card’ class to card comments
    • Login: Add button styles for 3rd party login addons
  • Integration enhancements:
    • Rules Engine: Matching fields are now based on the fields defined in the Plugin Manager
  • Reporting enhancements:
    • Word: Assign unique Word IDs to each element in the document.

Not using Dradis Pro?

The Plugin Manager is not so scary anymore!

So you’ve been using Dradis for a while (or maybe you’re a new user — welcome to the community 👋), and you’ve been avoiding the Plugin Manager because it’s been a little intimidating. Its purpose may not have been clear, and the relationship between the Plugin Manager, uploading files, the Rules Engine, and what ends up in a project may have been fuzzy. You uploaded some scanner results, dove into your project, and realized things didn’t appear as expected. Now you’re clicking around trying to figure out what went wrong. Sounds familiar? We’ll admit the Plugin Manager caused some confusion, but you’re in for a treat with Dradis Pro v4.4.0!

We took action to smooth out the friction

Since most of the mystery and confusion seems to be around how changes in the Plugin Manager affect projects and reports, we decided to add a way for users to validate their Plugin Manager configurations. This validation happens on a per-tool basis against any report template uploaded to Dradis. Let’s dive into some of the changes we made and the thought process behind some of those changes.

Improvements to the user interface

Before building out this new feature, we had to figure out where it would live. While deciding on that, we also determined it would be a great time to tidy up the Plugin Manager layout.

When users first landed on the Plugin Manager view, we presented them with some explainer text and an example of how tool output translates to a Dradis note. This wasn’t terrible, but it wasn’t exactly super helpful or welcoming.

Some of the issues we identified and set out to improve here were:

  1. Parts of the copy were confusing
  2. The example section wasn’t clear to first-time users
  3. Users didn’t have a sense of direction (what do they need to do next?)
  4. The plugins menu was not labelled or explained (users had to explore by clicking)
  5. The layout wasn’t very consistent with other views in the app

We decided to shuffle the layout around a little to tackle these points and make it more consistent with other views. Most of our views have a page title, the main content area and a sidebar, so we wanted to implement that here as well. Here is an early mock-up with some changes added with a fat marker (Title, subheading, section headers, and a sidebar with some tips).

Overall, the plan was to:

  1. update the copy and move it to a tips panel in the sidebar
  2. change the example section to a vertical layout with some arrows added to show the flow of stages in the process
  3. update the headings of the three stages in the example section to make them clear
  4. add a header to the plugins menu 
  5. add some copy (not pictured above) to direct the user to select a plugin from the menu on the left

These changes would bring consistency to the view, enable the user to quickly understand the relation of the three stages in the example, and give the user some direction as to what to do next. This design addresses all five issues we wanted to improve, so we started implementing these changes, and this is the new view as a result:

Addition of Plugin Manager Validation 

So far, the above changes are fine and dandy, but they still don’t help users bridge the gap between what they expect in their projects and what they get. This is where the shiny new validation feature comes in.

The idea was to allow users to edit their plugin manager configurations and show them how it will jive with their report template of choice. The validation feature would work by having users select a plugin and a report template. It would show which fields are mapped correctly and which fields are missing. We had internal discussions about the best approach and where we could incorporate validation into the Plugin Manager. Initially, we thought about adding the validation section to the main Plugin Manager view, but we quickly decided against that and thought about a new view dedicated to this new validation feature:

This is the first look at the validation feature design and components. We’ll get into the details a little farther down, but the overall idea is that users select a plugin, select a report template, and they see what’s mapped correctly and what’s not.

This view would show all things related to the validation of the selected plugin, and at first, it seemed like it would work in terms of layout. The view would be consistent with other related views, it would give users all the validation functionality, and it would allow users to edit the plugin’s configuration. However, after further design work and discussing with the team, we realized this implementation would be pretty annoying for users. It would require users to make an edit, come to this validation view, check their validation, realize they need to make further edits, go back to editing, then come back here to re-check their validation… you get the idea, way too much clicking around to get one thing done so back to the drawing board.

Rather than making users navigate away from the validation view to make the edits to the configuration, we figured why not bring the validation feature to the edit view? Another upside of having validation added to the edit view is that we would eliminate the need for users to select which plugin they want to validate. Here is a screenshot of the current edit view for reference:

It’d be pretty crowded if we just dropped that validation section into this view, so we knew we had to make further refinements to the design. 

We also had to consider cases where there could be multiple exporters for the selected plugin (i.e. Qualys has Asset, Vuln, and WAS), and each of those exporters could have templates that map to Issues, Evidence, or Notes in Dradis Projects. It can be a bit of a guessing game to know which template maps to issues, notes, or evidence. Here is an example:

The image above shows that Nessus has Report host, Report item, and Evidence templates. Users can guess that Nessus Evidence maps to Evidence in Dradis projects, but what about Report Item or Report Host? We decided to get rid of the guesswork for users. Let’s jump into an early mock-up with some fat markered changes:

This design iteration would:

  • Remove those long prefixes in the plugins menu to give us some more real estate to work with 
  • Add a selector for Issue, Evidence, and Note (where applicable). This selector makes it easier for users to determine where things will end up in Dradis Projects; no more guessing! 
  • Add the validation feature to the sidebar. This is a more condensed version of what we designed initially, but all of the same info is there, just arranged in a way that would be more effective in a sidebar format.

It’s a good general direction, but dissecting this further, we didn’t like that the preview is now stacked under the editor. This is awkward and inconsistent with every other view where we show previews. This also makes for awkward placement of the save button. 

Enter the final design iteration:

We really wanted the editor to be side by side with the preview, but we needed some more space to make the editor and preview usable. Ultimately, we decided to trade the plugin menu on the left for that extra space. Removing the plugin menu enabled us to have the side-by-side layout we wanted. The keen observer may have noticed that this design moves the exporter select menu out of the validation section and into the main content area. We made this change here because users not concerned with validation would still need to select the exporter if they wanted to make edits in the editor. The validation feature is only really concerned about which report template users wish to validate against. 

After a few more minor tweaks, we implemented this design and got this final result:

Users are now able to:

  • Differentiate between Issue, Evidence, and Note templates
  • Differentiate between multiple exporters 
  • Validate that all fields are mapped accordingly

How to validate your configuration

Now that we have this awesome new feature, let’s take it for a spin. Let’s say you have a report template with some issue/evidence fields defined and your plugin of choice is Burp. 

Head over to the Plugin Manager and select Burp from the plugin menu:

Select the template you want to validate:

Then select the exporter (if there are options):

At this point, you will see the selected plugin’s template content and a preview of how it would appear based on some sample Burp output.

Now you can select a report template in the Report Template Validation panel:

A validation check will now be executed, and you will see if any fields are not mapped as expected by the report template you selected. From here, you can make edits in the editor to add those missing fields. As you type, you will see the validation panel update in real-time to show you if the configuration passes validation.

Once you see a green validation checkmark, your configuration is valid. You can start importing tool output into Dradis and exporting reports knowing that fields will appear as expected.

Pretty cool, right?

But wait, there’s more!

Earlier in this blog post, I mentioned that the Rules Engine is involved in all of this, but we haven’t touched on it yet. If you’re not familiar with the Rules Engine, it can be used to manipulate the plugin output before it imports everything into a project. For example, based on user-defined conditions, the Rules Engine can do things like:

  • Replace the description that comes from the plugin output with a custom description
  • Change the risk rating
  • Delete a finding
  • and much more.

Here is an example of a Rule being created in the Rules Engine:

We have the condition that has to be met on the left and the actions that will be executed on the right.

Up to now, when building conditions, users would have to manually enter the field that the condition would check, but this required knowledge of the plugin manager configuration. This was also prone to user errors as the field name had to exactly match a field in the plugin manager for the selected plugin. Considering that we already have these fields in Plugin Manager, there is no reason to put this burden on the user. 

With the changes to Plugin Manager, this seemed like a great time to update the Rules Engine and do something about that pesky field input. 

Another issue we tackled was the scalability of this view. With the 2-column setup (conditions on the left and the actions on the right), we found that the arrow in the center would often get misaligned. This arrow guides the user’s flow from one side to the next, but when it gets misaligned, it becomes hard to understand and sometimes, it may even add confusion. 

Keeping the above in mind, we set out to design some changes. We wanted to ensure the view could scale well, accommodating both small and large numbers of conditions and actions for each rule. After some experimenting, we decided to flip the layout into a top-down orientation to give it more of a timeline or story-like feel that paints the complete picture for users.

The view would list all conditions at the top, and as users transition their attention down the page, they would flow into the actions. We added some copy to guide the users between the conditions and actions. This layout scales well because regardless of how many conditions and actions there are, nothing gets misaligned and everything stays grouped together. Users start with their attention at the top, then transition towards the bottom with everything they need in between. We gave this design the green light, and after some further tweaks to the design, this is the implementation:

During this updated layout implementation, we also updated the condition boxes. They now have an uploader select to differentiate between the different uploaders a plugin may have (similar to the exporters in Plugin Manager). In addition, the field input has been replaced by a field selector. This Field selector lists all the possible fields based on the corresponding plugin manager configuration. Now users can simply select available fields without knowing what they are ahead of time or ensuring they don’t mistype anything. The action boxes largely remained the same with just a minor tweak to the headers where we now number the actions to convey the order of the actions executing. 

Give it a whirl

All of these changes combined make for an easier UI to follow and a less complex UX to upload scanner output, map the fields to Dradis in the Plugin Manager, process the data through the Rules Engine, and get the desired results in projects.

Give v4.4.0 a go and test out these new features yourself. Feel free to experiment with them and share your feedback with us. We’d love to know how you like this new validation feature in the Plugin Manager and the updates to the Rules Engine.

Happy Hacking ✌️
Matt

New in Dradis Pro v4.3

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Auto-update Charts in Word

Previously, to include charts in Word templates, VBA macros were necessary to be able to update the charts in exported reports. This was a problem for the Mac users among us, as the relevant VBA is not supported in Office for Mac. We have now tweaked the reporting engine so that the source Excel sheets for charts in Word can be filled in with filters so they will auto-update during the export process from Dradis. The supported filters support the majority of use cases we have seen, such as issue counts by CVSS score, severity, type, category, host, etc.

Gateway comments

Do you use the Dradis Gateway? We have now improved this collaboration feature! Comments are already supported within Dradis projects, but now comments have reached the Gateway as well. If you are an Admin or Author on a project, you can choose to make a comment public (available on Gateway) or not (only visible to your team members within the project). Gateway contributors are able to view your public comments and submit their own comments on issues and other content inside the Gateway.

Qualys Asset Scans

Dradis now supports Qualys Asset Scans! This expands our Qualys coverage to include:

  • Qualys Vulnerability Scans (Vuln)
  • Qualys Web Application Scans (WAS)
  • Qualys Asset Scans (ASSET)

Release Notes

  • Comments: Show public comments for issues in a project
  • Mintcreek: Add breadcrumb navigation
  • Uploads: Allow subsequent file uploads from the same scanner without needing to re-select the scanner
  • Upgraded gems:
    • nokogiri, rails
  • Bugs fixes:
    • Document Properties: Set focus to property name/value inputs when clicking the edit icon
    • Editor:
      • Add keyboard shortcut support for windows and linux
      • Allow comparing document property values with “==” operator
      • Allow text selection expansion using shift-click
    • Issues: Show correct links in the “Send To” menu
    • Subscriptions: Show correct Subscribe/Unsubscribe link after a new comment is posted
    • Tables: Prevent columns state from resetting after 2 hours
    • Teams: Prevent displaying trashed projects
    • Tylium: Remove extra left padding from the first line of content in a code block
    • Upload: Show pre upload validation for Qualys
  • Integration enhancements:
    • Openvas: Update Node label parsing. Include :hostname and :asset_id properties.
    • Qualys: Add Qualys Asset Scanner (ASSET) support
  • Reporting enhancements:
    • Word: Charts in Word can now be exported without the need for macros
  • Security Fixes:
    • Low: Password reset token can be reused in a 5-minute window

Not using Dradis Pro?

New in Dradis Pro v4.2

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Project Soft-Delete and Instance Level Trash

Previously, once you deleted a project or a team, it was gone forever! We have now added soft-delete and an instance-level trash. So, if you delete a project or team, you can find it in your instance’s Trash, and you can recover it from there.

Choose Which Fields to Display by Default in Projects

In recent versions of Dradis, new projects will display all fields for Issues and Evidence in their respective tables by default. This can lead to a cluttered view. You can update which columns to display, but this is stored on a per-project basis. Now, you can select which Issue and Evidence fields to display by default in the Report Template Properties for your project’s associated report template in Templates –> Reports. Simply switch the toggle to “Show” to whichever fields you want to display by default, and that will apply instance-wide from then on. Of course, if you have project-specific preferences, or if you have multiple people working on the same project but with different preferences of which columns to display, each user can still manually set their preferences on a per-project basis as before.

Improved Evidence Creation from the Issue Level

Dradis lets you add Evidence directly from Issues by going to the Evidence tab of an Issue and hitting the “+ New Evidence” button. Previously that only allowed you to add a blank piece of Evidence or adding a Note template with no customised content. Now, you can customise the content right in the “Add New Evidence” form and choose where to put it, including in new nested Nodes.

Release Notes

  • Editor: Support fields with the same name in the Fields View
  • Increased table loading performance on Issues, Evidence, and Notes for projects with a lot of issues, evidence, or notes
  • Issues:
    • Display evidence in a table
    • Load evidence tab content asynchronously
    • Multi-delete evidence at the issue level
    • Update evidence content while creating evidence records at the issue-level
  • Notifications Navbar Dropdown:
    • Improve font-sizes
    • Wrap long notifications links
  • Projects:
    • Generate default report content when updating the report template
    • Truncate long team name badges in active project cards
  • Report Templates: Add Show option to display certain evidence and issue fields by default in tables
  • Trash: Allow projects and teams to be soft deleted
  • Tylium:
    • Import CSS manifests from addons
    • Move ‘…’ (more actions) menu closer to the content affected by the actions of the menu
    • Move the ‘Edit’ action out of the ‘…’ (more actions) menu for issues, evidence, notes, etc.
    • Remove extra left padding from the first line of content in a code block
    • Remove height restriction from code blocks
    • Simplify issues table columns
    • Updates focus state outline color
  • Upgraded gems:
    • mini_racer, puma, rails
  • Bug fixes:
    • Comments: Show sticky toolbar when adding long comments
    • Issues: Send To menu updates when new plugins are installed
    • Fixes background services from not restarting after upgrades
    • Liquid drops: Allow author collection to be called in ProjectDrop
    • Methodology: Fix misformatted cards when saving a methodology as a template
    • Redirect back to issue when updating evidence from the issue level
    • Rules Engine: Allow authors with “update” permission to sort rules
    • Tables: Prevent the select all button from selecting filtered out rows when a filter is been applied
    • Subscriptions: Fixed a caching issue preventing users from subscribing or unsubscribing after the first cache was stored
  • Integration enhancements:
    • Dradis Projects:
      • Fixes missing parent nodes during template and package imports
      • Fixes missing nodes for attachments during template and package imports
    • Gateway:
      • Bug fixes:
        • Fixes ‘authors’ call for the atlantia theme
        • Fixes missing attachments crashing Gateway
        • Select a default pane when Authors edit a Gateway project instead of loading a mostly blank screen
    • Nexpose:
      • Add the Hostname Node property from the name rather than site-name tag
    • Nipper:
      • Add Nipperv1 fields to issues
    • PDF Export:
      • Add Thor task for console export
      • Add view hook for Export#index
    • Qualys:
      • Add ‘element.qualys_collection’ as issue field
      • Add Qualys Web Application Scanner (WAS) support
    • Remediation Tracker:
      • Bug fixes: Hide the tickets’ “edit” and “delete” buttons for unauthorized users
    • SAML:
      • Add PingIdentity support
      • Add SAML logo to Log in button
      • Increases log verbosity on errors
    • Scheduler
      • No longers shows disabled projects in the calendar
    • VSTS:
      • Format issue content when sending to VSTS
  • REST/JSON API enhancements:
    • Projects/Teams:
      • Discard Projects through the DELETE endpoint
      • Hide discarded projects/teams from endpoints
  • Security Fixes:
    • Low: Authenticated author broken access control: read access to screenshots

Not using Dradis Pro?

New in Dradis Pro v4.1

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Move Evidence

Previously, you could only move Notes from one Node to another. Now, we’ve extended this behavior to Evidence as well. Have an instance of Evidence that actually belongs to a different Node? Just open the instance of Evidence, click Move (it’s in the 3 dots icon in the top right of the screen) and move it to the correct Node. That’s it!

Move your Evidence from one Node to another

Download Report Templates

Do you need to make a report template update or send us a copy of the report template? What happens if you didn’t create the report template to begin with or the template is old enough that you don’t even know where your local copy could be hiding? Previously, SCP was your only option to download a copy of a report template on your instance. Now, just head to Templates > Reports in the header and click the download button next to any report template to get your own local copy.

Download report templates via the Dradis UI instead of SCP

IssueLibrary Templates + Comments

IssueLibrary entries are great! But, creating them from scratch can be a pain without a format to work with. Now, when you create your IssueLibrary entries, you can select a Note template. No more blank page paralysis or trying to remember whether that field is called “Recommendation” or “Recommendations”, you can select your Issue template and just populate it with the data that you need.

Apply a Note template the next time you create a new IssueLibrary entry

Then, once your IssueLibrary entries are created, you can use comments to have a conversation with the rest of your team. Ask questions, offer suggestions, or just leave celebratory emoji comments! 🎉

Leave comments on IssueLibrary entries to have a conversation with the rest of your team

Release Notes

  • Contributors:
    • Create a new Team (optionally) when creating a new Contributor
  • Editor:
    • Insert an appropriate single or multiline tag for blockquotes and code blocks
    • Limit the content height for easier access to the Create/Update button
    • Quote text from comments and resource content (cards, evidence, issues, notes, etc)
  • Evidence:
    • Create a new issue (optionally) when creating new evidence
    • Move evidence across nodes
  • Liquid drops:
    • Add available_properties method to DocumentProperties drop
  • Projects:
    • Sort templates by title in project form
  • Project Validation:
    • Add missing attachments validation for Textile screenshots
  • Report templates:
    • Add functionality to download templates
  • Report Template Properties validation
    • Disable bulk validation in Issues and Evidence tables if the “Validation” column is hidden
    • Move bulk validation in Issues and Evidence tables to a background job
  • Tables:
    • Add selector to change the number of records displayed
  • Tylium:
    • Import CSS manifests from addons
    • Remove height restriction from code blocks
  • Upgraded gems:
    • brakeman, nokogiri, puma, rails
  • Bugs fixes:
    • Account Lockout:
      • Send password reset instructions on account lockout
    • Conflict resolver
      • Apply the correct warning when a conflict happens on edit
    • Custom Properties:
      • Remove Custom project properties header in team show
    • Document Properties
      • Allow document properties to have a value and be nested at the same time.
    • Methodologies:
      • Ensure boards don’t nest when the instance has been inactive
    • Nodes:
      • Remove extra HTML tag causing the methodology tab to break after a board is added
    • Tables
      • Prevent columns state from resetting
  • Integration enhancements:
    • CVSS Calculator:
      • Settings: show/hide the calculator in the Issues view
      • Toggle between CVSSv3.0 and CVSSv3.1
    • Dread Calculator:
      • Settings: show/hide the calculator in the Issues view
    • Gateway
      • Deliverables:
        • Allow macro enabled word and excel filetypes
        • Allow the CSV filetype
      • Projects:
        • Add “Created” and “Updated” columns to the Gateway projects table
        • Show theme versions when selecting a project theme
      • Themes:
        • Atlantia:
          • Check for the existence of document properties before rendering the value
          • Remove newlines from issue titles
          • Show untagged issues
          • Wrap text in code blocks
      • Bug fixes:
        • Allow Authors to enable their own projects for Gateway
    • Issue Library:
      • Add comments to entries
      • Add subscriptions to entries
      • Create entry from note templates
      • Notify users of updates
    • Jira:
      • Bugs fixes:
        • Issue form: Prevent app from crashing when submitting without project or issue type
    • Nessus:
      • Add product_coverage & cvss3_impact_score as available Issue fields
    • Nexpose:
      • Update HTML tag cleanup to better cover UnorderedList and URLLink tags in the solution field
    • Qualys:
      • Add dd, dt support
      • Remove orphaned b tags
    • Remediation Tracker: Tickets: Create new categories and states (optionally) when creating new tickets
  • Reporting enhancements:
    • Word:
      • Adds EvidenceCounter controls support to not nested in an Issue controls
      • Fixes exporting with missing attachments
      • Fixes invalid predicate error by escaping control characters in XML attributes
      • Fixes links inside inline controls
      • Fixes numeric values for non-range filters
      • Fixes “frozen string” error when exporting nodes without a services table
      • Move image captions to their own paragraph
  • Security Fixes:
    • High: Authenticated author broken access control: read access to issue content

Not using Dradis Pro?

On being human.

Our team has grown slowly and deliberately from a single person at the start to a nine-person team in 2021. Some things that work well enough on a small team need more thought as the group expands. With that in mind, we are encouraged and continuously reminded from the day we are hired to challenge our status quo and enabled to suggest and adopt changes.

Embracing that opportunity means our internal processes and approaches evolve as each new person joins the team and adds unique perspectives. As a global team, our views are as varied and diverse as the individuals providing them.

We have internal core values and guidelines for working together as a fully remote and distributed team that might be worth sharing in future posts. We have a clear mission, which I’ll share here to save you a few clicks. 

We help information security teams focus on making systems more secure by reducing the overhead of managing and discussing the outcome of the security assessments they perform for their clients (whether these are inside their organisation or outside of it).

Not too long ago, we realized that there is a bunch of info about Dradis out there – how it works, what it does and doesn’t do, how to use it, etc. Still, not much is available to help the community understand the people and company behind the tool. Taking inspiration from companies like Balsamiq, we decided to do something about that gap. Now, we’ve put into words what we believe to share with you and the ideas that give us a yardstick to measure our decisions against. Without further ado:

We are here for the humans. At the end of the day, the work done in infosec is for and about humans. And as messy as humans are, that can make this work frustratingly complicated. Sure, scanning tools and blinking boxes can handle some of it – but pulling everything together requires a human. We are here to make it simpler for you to be human by getting the time sucks out of your way.

Infosec is a team sport. Just like information systems are interconnected, so are the different folks involved in securing them. Sharing clear information and thinking creatively together is often critical to solving the problem at hand, so let’s do more of that well.

Customers + Vision = Roadmap. We don’t have an official roadmap, but that’s not to say we don’t have plans. We’ve got big ideas on how this industry will continue to evolve and how we can best serve you and your customers. That’s why we reach out to our customers and invite your feedback.

It’s your data. You keep it. Whatever data you put in Dradis, is yours, and we like it that way. We respect your privacy and that of your customers like we value our own. We trust that you will let us know how we can improve and make a better product.

These declarations of what we believe are posted on our website so you can revisit them, and new users can easily find them. These beliefs may change as we grow as a team and new voices are added, and as this industry faces new challenges. I hope you’ll help us stay accountable to these beliefs and call us out if you see us not operating consistently to them.

We are human, after all.

The humans behind Dradis

New in Dradis Pro v4.0

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Gateway Themes

One of the biggest changes in Dradis Pro v.4.0 is the move from a single HTML Gateway template to Liquid themes. Create a dynamic, info packed, theme to deliver assessment results dynamically in Gateway using Liquid. Multiple Gateway themes means each project can use a different theme that’s appropriate to the engagement. Two new Gateway themes are included with Dradis Pro v4.0 to get you started.

Liquid has a well supported and documented history for creating robust templates. This will make it easier for teams to create and support their own well organized, customized templates.

Are you currently using a customized Gateway HTML template? Reach out to our team with your existing template so we can help convert it to Liquid before you upgrade any production instances.

Downloadable Assets

In addition to reviewing the results of an assessment dynamically in Gateway, contributing users can securely download assets that have been added to their project. Deliver final reports, scope documents, and other assets directly from Gateway keeping everyone out of their inboxes and project details centralized.

Simple Team Setup

Getting started using Dradis Pro is simple. Once deployed to your environment, the super-admin for the instance is created during the first run and can quickly set up the rest of the team through this new guided walk-through.

Maximum Login Attempts

Configure the number of maximum login attempts to help prevent brute-force attacks on your Dradis instance. The default is set to 3 attempts before the account is locked. Admins can increase or decrease the number of attempts to align with their team’s policies.

Captain Kirk and Sulu are both locked out for entering invalid credentials

Release Notes

  • Projects:
    • Cleanup the New/Edit view
    • Create and remove the results portal from the Edit view
    • Dashboard: Add Default issue entry to menu when project is empty
    • If there is only one RTP, select it by default
  • Setup: new initial Team and User wizard
  • Teams: cleanup the New/Edit view
  • Users: account gets locked after too many failed sign in attempts
  • Upgraded gems: addressable, nokogiri, papertrail, puma
  • Bugs fixed:
    • Better support for characters inside textile linked text
    • Display placeholder text for issue sorting dropdown when no field has been selected to remove confusion about default options that are not yet applied
    • Fix issue library entries action buttons not appearing due to caching
    • Fix revisions with “destroy” event not removed from the database after deleting a project
  • Integration enhancements:
    • Acunetix:
      • Add support for Acunetix 360
      • Make Request and Response fields available at the Evidence level
    • Gateway 🍾
      • Moved project contributor assignment to Gateway management
      • Deliverable upload management
        • Your contributors can now download assets directly from your results portal!
      • Themes!
        • Gateway now supports theme management and the ability to apply different themes to different projects
    • IssueLib entries#index API now supports pagination
    • Nessus:
      • Add age_of_vuln, exploit_code_maturity, threat_intensity_last_28 threat_recency, and threat_sources_last_28 as available Issue fields
    • Nexpose:
      • Update HTML tag cleanup
    • Nipper:
      • Include multiple paragraphs when importing fields.
    • Remediation Tracker
      • Use Datatables for the Tickets#index table
  • Reporting enhancements:
    • Word:
      • Add support for template syntax within resources exported in Word reports
      • Fix exporting node labels with links
  • REST/JSON API enhancements:
    • Update the API to handle pagination
  • Security Fixes:
    • Medium: Authenticated (contributor) information disclosure
      • After a contributor was assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Not using Dradis Pro?

New in Dradis Pro v3.12

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Instance Notifications

All notifications now display at the instance level so you don’t have to open each project to see notifications. These Dradis instance-wide notifications include notifications from updates in Remediation Tracker tickets too.

Accessibility Improvements

Dradis font and element contrast are adjusted to meet Level AA WCAG 2.0 standards. Also, screen reader and alt-text are added and a few broken Aria references and missing labels are fixed. All of these improvements make Dradis easier for everyone to use.

Emojis 🥳

We 💖 love emojis on the Security Roots team and use them all the time working together. 😤 It was frustrating that we couldn’t use them in Dradis, so we added them 🎉! Now you can use emojis in any input field of Dradis to express yourself or within projects details for additional context. 😎

ServiceNow Integration

Create a ServiceNow Vulnerable Item from a Dradis Issue in a few clicks. The new ServiceNow integration allows the owner of the system to receive critical finding details so they can handle remediation outside of Dradis.

Release Notes

  • Add avatar and user’s name to project navbar
  • Comments:
    • Load feed asynchronously
  • Configuration Kits
  • Emojis! Update the database collation to allow emojis
  • Improve accessibility:
    • Add alt text to any linked images
    • Add screen reader only text to forms
    • Adjustments to font and element contrast to meet at minimum Level AA WCAG 2.0 standards
    • Fix any broken Aria references
    • Update element label association & add missing labels
  • Mintcreek notifications:
    • Add notifications dropdown in mintcreek navbar
    • Add project and plugin notifications in the view
    • Authors and contributors will now be notified when assigned a project
  • Replace deprecated font-awesome-sass gem with vendor asset files
  • Rule Engine: include rule name in upload console
  • Subscriptions:
    • Load feed asynchronously
  • Truncate long hostnames when viewing evidence in an issue
  • Upgraded gems:
    • Rails
  • Bugs fixed:
    • Fix attachments base64 encoding for filenames with symbols
    • Placeholder gravatars appear if gravatar is not available
    • SMTP file will take configuration precedence again
    • Update the HelpScout beacon in the instance admin
  • Integration enhancements:
    • Remediation Tracker:
      • Add activity and comment feed
      • Users can now be subscribed to tickets
  • Reporting enhancements:
    • Fix exporting formatting in content controls without Crazy Triangles
    • Fix exporting captions with non-alpha characters
    • Fix URLs breaking textile table formatting

Not using Dradis Pro on your team?

New in Dradis Pro v3.11

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

JIRA Sync

Details added to JIRA tickets will now sync back to Dradis Issues and Remediation Tracker tickets making it easier to keep all of the project details together to speed up remediation tasks.

Ruby 2.7.2 and Rails 6.1.1

Sometimes we have to roll up our sleeves and take care of the less flashy bits of development. In this version, it was due time to update Ruby, Rails, and a handful of other gems. There won’t be a noticeable difference on your side but this sets up the team to make future improvements.

Improved Caching

When the projects listing or Issue Library contained thousands of entries, it became slow to load and in some cases wouldn’t load at all. This update improves caching to make it much faster to load those long lists.

Release Notes

  • Upgraded DradisPro to run on Ruby 2.7.2 and Rails 6.1.1
  • Add view hooks for the export view
  • Increase secondary sidebar width for medium viewports
  • Projects page: Add caching to speed up slow loading when thousands of projects are present
  • Upgraded gems: bundler, papertrail, rails
  • Bugs fixed:
    • Correct position of sticky editor toolbar in fullscreen source view
  • Integration enhancements:
    • Integrate JIRA ticket/status details into Remediation Tracker
    • IssueLib: Add caching to speed up the issuelib table when thousands of entries are present
    • Add remote JIRA Comments to Issues#show and Tickets#show
  • Security Fixes:
    • Medium: Authenticated (admin) persistent cross-site scripting in Business Intelligence Custom Properties search

Not using Dradis Pro on your team?