Monthly Archives: October 2012

The importance of collaboration during security testing

Team collaboration is crucial to ensure success in security testing. Of course this is an age-old problem, and not at all constrained to the security industry. In any meaningful task, team members need to draw upon pieces of each other's vision to create a cohesive idea and achieve a significant result.

You know the feeling: you check your calendar and in a few days you start a new project, but uh oh, this is a four-man team gig. Trouble ahead: a gazillion emails back and forth and no clear picture of where we are, what else we need to cover, or whether we left something out because everyone thought someone else was looking at it.

The first friction point is usually between different business units: does the technical team have everything they need to hit the ground running on the first day of the assessment? Getting your act together as a security services vendor is far from trivial and requires some work. I’ll write about it soon.

Anyway, back to the test proper. In order for the total results to be greater than the sum of their parts, something needs to happen. It is not good enough that each team member is thorough, technically excellent and organised. Information needs to be shared: a glitch in part A of the system noticed by one tester can be exploitable from part F, which is being looked at by a different tester. If each person works in isolation, this magic won’t happen.

As a team member, how are you solving this problem? How are you making sure that everyone else has a clear picture of what you’ve uncovered so far so they can build upon your findings? And conversely, how are you building upon your teammates’ findings to improve the overall results of the team?

If you are the technical director or founder of a project-based organisation, are you enabling your team to collaborate efficiently? Is the way in which they collaborate formalised or is it left to each tester and team to decide? If they are not sharing the information they’ve got effectively, are your clients getting the most out of your excellent team?

VulnDB HQ: a few small productivity boosters

We have a new Dashboard for VulnDB HQ:

It presents your private repo’s changes before anything else, and we’ve also mixed Page and Methodology entries so you get a proper view of recent changes.

Oh, and did you notice the handy links on the sidebar box? We’ve added some additional boxes here and there with links and contextual help:

Last but not least, something those of you with a few hundred entries will find really useful. We’ve added a super-fast quick search box to the Pages module. No Ajax, no server round-trip, no nothing: it just hides everything you’re not interested in:

So that’s it for now.

Even when we are not adding brand new features we are still figuring out what bits and pieces we could improve that will make the experience a lot better. Stay tuned for updates!

And be sure to let us know your thoughts on what other improvements you’d like us to add.

The @VulndbHQ Team

Dradis Framework featured in Advanced Penetration Testing for Highly-Secure Environments

Quick post to let you know that there is extensive coverage of our project in the new Advanced Penetration Testing for Highly-Secure Environments by Lee Allen.

Coverage goes from our very own Introduction to the Dradis Framework section in Chapter 1 to several other bits and pieces throughout the rest of the book. Check it out!

Thanks to Lee and kudos to @luisfer_nandez for letting us know.

New in Dradis Pro v1.6

Today we have pushed a new version of Dradis Professional Edition. This is the result of two months of hard work. It is a shorter release cycle than usual, but there are some good reasons for it. We think it will make our users’ day-to-day work significantly more efficient.

Here are some changes:

  • Improved Word 2010 reporting (more below):
    • The styles you apply in Dradis are kept when generating the report.
    • Easy note filtering and grouping in the report (e.g. list of High-impact findings).
  • New testing methodology support (more below).
  • New Client Manager to group your projects.
  • Fresh look & feel (screenshots).
  • Lots of minor updates:
    • With the new Quick Filter locating clients, projects and users is a breeze!
    • Updated VulnDB HQ plugin to support v2 of the API.
    • Updated to Rails 3.2.8.


Improved Word 2010 reporting

Creating complex pentest report templates has never been easier. You just need your copy of Word and a few minutes. Of course we have extensive documentation in our support site, but here are the highlights:

Note styles

Add notes in our WYSIWYG editor and the styles will be kept in the report:

Note filters

Word is the only tool you need to create powerful templates

Get the report without breaking a sweat:


Testing methodologies

This is a game changer. Tracking progress during an engagement is always a daunting task. No matter how experienced you are, if you don’t pay close attention, you might be missing something.

Enter our testing methodology support:

You can define as many methodologies as you need (e.g. webapp, wireless, code review, etc.) and you can add them to your projects. For instance, a typical webapp assessment will have a web testing methodology and maybe a web server checks methodology.

Keep track of progress and split tasks amongst team members. Using a standardized testing methodology is the best way to obtain consistent results.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your clients. Every time.
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why to give Dradis Professional Edition a try?

Upcoming in Dradis Pro v1.6: improved Word 2010 reporting

Reporting is always a pain point for most security specialists. That’s precisely why we are always improving Dradis Pro reporting capabilities.

In Dradis Pro v1.5 we brought you screenshot support and the ability to use custom Word properties to define elements that have to appear multiple times in the report (like client name, project name, etc.).

We are preparing some amazing improvements for Dradis Pro v1.6. For instance, the style you apply to your Dradis Pro notes gets translated into Word. That’s right, from your browser:

To Word:

In a single click.

Ever wanted to have a section that lists just the High-impact findings? Or to split the findings in groups like infrastructure layer and application layer so they can be added to different sections in the report?

Note filtering

This one is easy enough: you just need to add some filters to your template (note the Impact|High and Impact|Low filters) and presto!

One click and:

You just need to define the Impact field (or any other field you want to filter by) in your Dradis note:

Note grouping

The magic is done via the Node| filter. Let’s define two sections, one for Node|Infrastructure and one for Node|Application:

So you just need to create the right project structure and add your notes to the node they belong to:

Click export and bang!
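As an added illustration (not Dradis Pro’s own code), the Ruby sketch below models how the Impact|High and Node|Infrastructure style filters described above select and group notes; it assumes the Dradis `#[Field]#` note field syntax and a constructed set of notes.

```ruby
# Illustrative model of Dradis-style template filters (assumption: not Dradis Pro's code).
# Notes use the Dradis field syntax "#[Field]#" followed by the value on the next lines.

# Constructed sample notes, each tagged with the project node it lives under.
NOTES = [
  { node: 'Infrastructure', text: "#[Title]#\nOutdated TLS configuration\n\n#[Impact]#\nHigh\n" },
  { node: 'Infrastructure', text: "#[Title]#\nVerbose server banner\n\n#[Impact]#\nLow\n" },
  { node: 'Application',    text: "#[Title]#\nSQL injection in login form\n\n#[Impact]#\nHigh\n" },
  { node: 'Application',    text: "#[Title]#\nMissing autocomplete=off\n\n#[Impact]#\nLow\n" },
]

# Parse "#[Field]#\nvalue" blocks into a hash, e.g. { 'Title' => '...', 'Impact' => 'High' }.
def parse_fields(text)
  fields = {}
  text.scan(/#\[(.+?)\]#\s*\n(.*?)(?=\n#\[|\z)/m) do |name, value|
    fields[name.strip] = value.strip
  end
  fields
end

# A filter such as "Impact|High" or "Node|Application": field name, a pipe, the required value.
# "Node|" is special: it matches the project node the note lives under, not a note field.
def matches?(note, filter)
  field, wanted = filter.split('|', 2)
  return false if wanted.nil? # malformed filter: no "|value" part
  if field == 'Node'
    note[:node] == wanted
  else
    parse_fields(note[:text])[field] == wanted
  end
end

# Apply one or more filters (all must match) and return the matching note titles.
def select_notes(notes, *filters)
  notes.select { |n| filters.all? { |f| matches?(n, f) } }
       .map { |n| parse_fields(n[:text])['Title'] }
end

# Group note titles by node, as a Node|Infrastructure / Node|Application section pair would.
def group_by_node(notes)
  notes.group_by { |n| n[:node] }
       .transform_values { |ns| ns.map { |n| parse_fields(n[:text])['Title'] } }
end

if __FILE__ == $PROGRAM_NAME
  puts "High-impact findings: #{select_notes(NOTES, 'Impact|High').inspect}"
  puts "Infrastructure section: #{group_by_node(NOTES)['Infrastructure'].inspect}"
end
```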

Now start thinking about what you’re going to do with all the reporting time this is going to save you!

Still not a Dradis Pro user?

No problem! You can join dozens of organizations already benefiting from a more consistent approach to security testing.

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your customers
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why should you give Dradis Professional Edition a try?