Monthly Archives: July 2015

New in Dradis Pro v1.12

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.12. Dradis is a collaboration and automated reporting tool for information security teams.

The highlights:

  • New Accunetix and NTOSpider connectors
  • Updated Burp and OpenVAS connectors
  • Business Intelligence add-on (see below)
  • Rules Engine add-on (see below)
  • Reporting engine enhancements:
    • Pre-export validator
    • Native support for .docx and .docm
    • IssueCounter control
    • Concurrency enhancements
  • Bugs fixed and feature requests: #128, #131, #141, #145, #152, #184, #189, #197, #201, #205, #207, #212, #216, #232, #238, #239, #254

Rules Engine add-on

Define rules that kick in when you upload the output of a scanner. Akin to your email client processing rules, the Rules Engine allows you, among other actions, to:

  • Tag findings based on their fields (e.g. tag as Critical if CVSSv2 is > 9)
  • Merge several findings into a single one (e.g. group all those pesky “missing patches” entries under a single finding)
  • Replace the default description with your own. That’s right, every time Burp finds XSS, you will get a finding with your team’s custom Description / Recommendation for this vulnerability class.
A screenshot showing the list of configured rules in this Dradis Pro instance.

Define the rules that will kick in when you upload the output of a scanner.

A screenshot showing a rule definition where two findings (one from Nessus and one from Qualys) will be replaced with the team's own description of the problem.

Sample rule: de-duplicate findings.

A screenshot showing a rule definition where any finding coming from a scanner is replaced with the team's own description in the IssueLibrary

Sample rule: use your own descriptions.

Business Intelligence add-on

Most likely you’re running 100s of projects each year. The Business Intelligence add-on helps you make sense of the wealth of information that is at your fingertips but that most likely you haven’t been tracking. These are some of the questions you will be able to start answering:

  • What do you know about the types of projects you’re running (what percentage is webapps vs infrastructure)?
  • What types of clients are you serving? In what industry?
  • How are the most profitable client types?
  • What percentage of your projects is under-scoped or over-scoped?
A screenshot showing the Business Intelligence view with: a list of custom properties for Clients, for Projects and a search facility.

The Business Intelligence dashboard. Define custom properties for Clients and Projects to track business metrics.

New admin layout

Yes, we finally have a layout like it’s 2015 (well maybe 2013), but a great improvement over our bare-bones previous one. Here are just a couple of quick examples:

A screenshot showing the project selection view inside Dradis Pro.

Project section view.

A screenshot showing the list of users registered in a Dradis Pro instance.

All users registered in the Dradis Pro instance.

How to upgrade to Dradis Pro v1.12?

Just head over to the release page and follow the instructions:

Still not a Dradis user?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features. Or if you want to start from the beginning, read the the 1-page summary.

Praise for Dradis Pro from a Customer

We recently talked to one of our Dradis Pro users. You may be familiar with him: security consultant, researcher, and software developer Robin Wood. He goes by @digininja on Twitter, and has a pretty large following on there. His site is at

We asked Robin some questions about how he uses Dradis Pro, what he finds most useful, and his tips for new users to the software. Here are the edited results of our talk.

Can you walk us through a typical workflow for you and how Dradis Pro plays a role in that?

RW: Projects usually start when a client confirms the job and sends over an initial brief with things like IP addresses, URLs, and other information. At that point, I create a new project in Dradis. I put all the info in to get it started–basically just an initial capture. This might be a week or two weeks before the job itself.

Once the project has begun, it’s fairly typical. I collect all the data into Dradis.just like most people would collect data, no matter where they’re collecting it. I don’t tend to use any bulk import features because a lot of the work I do is web apps, so the findings are more bespoke.

As I’m working, I put findings directly into Dradis Pro and I pulli prewritten findings from MediaWiki, which I use as a findings repository because Dradis communicates easily with MediaWiki. So even for the more sort of rarer or obscure issues, I will still have some kind of template I can start with, instead of redoing it.

Obviously not every client is the same. So I don’t want to give out the same templates or findings to everyone. But I also don’t want to be rewriting the same thing over again. So I just go in, slightly manipulate it around to be bespoke for that customer, and then that goes into the report.

So during the test, I’m going through, doing all the testing, building up all the findings. I always try to take more notes than are necessary, and note everything I find, particularly when it’s an onsite test because I know I can’t go back and check things. In Dradis, I take screenshots, I write up notes on everything, I record everything down to individual IP addresses and one-liners that may be useful. They may not be useful, but then I’ve got them just in case.

At the end of the test, the report creation depends on who I’m working for. Some companies or agencies like to use their own reporting template. If there’s a Word doc template, for example, I’ll do a bit of copying and pasting from Dradis into the document.

It’s much easier when I’m doing work for my own clients, because Dradis has automated reporting features. I just hit a button to generate the reports in whatever format I want, and out pops the report at my end, mostly done for me. Then it’s just a case of a little tweaking and putting a few last bits of customization on it.

How has Dradis proven useful for you?

RW: As soon as you start using a structured format for projects, you realize it’s so much easier to go through and see what everything is.

It’s like: ‘Why haven’t I been doing this the whole time?’ The problem is that you think, ‘My process works as it is, so I don’t have the time to put more effort into it. I’ll just use what I have.’ Then you’ll improve something and find a better way of doing it, and think, ‘Why didn’t I do this six months ago? Why didn’t I do this a year ago?’

What would you say is your favorite feature in Dradis?

RW: Probably having the issue library. It makes a big difference. In every test you do, you think, ‘I know I’ve written that one up before.’ And before, I’d have to dig through all the reports, going, ‘How did I write that up before? I know I did a good description of this at some point.’ With the issue library, I write a good description and I put it in the library and it’s always there for me. I don’t have to reinvent the wheel.

What sequence would you recommend for new Dradis users?

RW: I would go with the issue library first, because on most projects you’ll be repeating many issues. So start getting the library built up fairly quickly. From there, you’d go to the reporting side of it, and try to get yourself a report template made up. You’ll want to start small and slowly build into it.

How does Dradis Pro help your clients?

RW: They get more detailed and more time-tested descriptions. This makes it easier for them to understand what’s going on and makes it easier for them to remediate issues.

It also helps with on-site tests as I can sit down with the client and walk through each issue with them. There’s a nice onscreen display with a full list of issues. I can click on them, show them the descriptions, and there’s a graph that shows how many high, medium, and low risks. You can’t do that with a basic text file.

Also, it’s easy to find past project data. I had a client get in touch yesterday. Their test took place six months ago and they had questions about it. I can easily pull the archive, decrypt it, and I have all the data for them. It’s there, ready to go.

Thanks a lot to Robin for taking the time to talk to us and sharing his experiences. We very much appreciate it.