Dradis Pro and a reluctant convert…

My small consultancy company has used Dradis since before the Pro version existed, back when it was a community project only. At that time, I was a pure Dradis consumer. My partner was the Ruby pro, both for coding and creating our own internal systems.

When my partner left for higher things last year, I have to say that I seriously considered switching from Dradis to another program. I am pretty much a dyed-in-the-wool Windows person with no Ruby knowledge and limited experience of having to support an application running on an open source stack. I also doubted that I would get a lot of benefit from the application, as a lot of its strength is in enabling collaboration between multiple testers working on the same project rather than servicing a single user like me.

Nearly a year on and I am still with Dradis, so I thought I would share some of the reasons why.

First, I’ve not had a lot of support issues. It comes as a VM appliance and just runs–there is no necessity to start compiling it yourself or be constantly fiddling about with it. I appreciate this as I essentially start a new test every week, and the last thing I need on a Monday morning is to be trying to get the test platform to work. Because it is browser based, I can run it on any device and I tend to run it in IE in one window while I use Firefox for my testing browser in the other.

Second, it helps me to keep organized well–and this is surprisingly difficult even when you are working on your own. Like most testers, I like the actual testing part much more than the data crunching and report writing parts, because (like most testers) I have a tendency to go off on tangents that look interesting. Having each host listed (for infrastructure) and using a methodology template (for web) enables me to enter up each finding as I discover it. This means I don’t come back at the end of the test unable to remember which one of the ten VPNs I reviewed had the aggressive mode enabled, or whether I had checked a particular site for session fixation. Being able to attach screenshots is useful too, as it makes the whole test portable rather than reliant on being attached to a specific file store.

Third, reporting is easy. This is the major advantage of Dradis to me. A lot of the work I do requires a very elaborate report template involving multiple tables, headings, narrative sections, etc. A lot of testing companies seem to like repeating themselves in their report several times, and Dradis not only generates the complicated tables straight from the application, but also ensures that I have the correct list of hosts with the correct vulnerability in all the sections where they occur. (Anyone who has ever tried to correlate four different sections of a hundred-page Word document will be right with me here.) In fact, with a little judicious use of VBA to import some graphics, I can write a table with thirty findings straight into the report and be finished with it in the time it would have taken to make the headers manually.

Fourth, I haven’t found an acceptable alternative. I’ve had a pretty extensive look around, and couldn’t find anything that came close in price or simplicity. For a small consultancy I don’t want something that costs £1000s and takes a team of analysts to set up. The other obvious alternative would be to write something myself, but I am not sure the payoff from having something entirely customized for me is worth the billable hours lost when I am coding and not testing (assuming, of course, that my coding skills are up to it, which they probably aren’t).

I can’t say that Dradis is a perfect tool, as there are definitely changes I would like to see implemented. I’m also not the perfect fit as a customer as I work alone and one of Dradis’ huge strengths is in coordinating multiple people on one test.

But for value for money and something which makes every test easier, Dradis Pro works for me.

Marion McCune is a security consultant and the principal of Scotsts.
