We recently talked to one of our Dradis Pro users. You may be familiar with him: security consultant, researcher, and software developer Robin Wood. He goes by @digininja on Twitter, and has a pretty large following on there. His site is at digi.ninja.
We asked Robin some questions about how he uses Dradis Pro, what he finds most useful, and his tips for new users to the software. Here are the edited results of our talk.
Can you walk us through a typical workflow for you and how Dradis Pro plays a role in that?
RW: Projects usually start when a client confirms the job and sends over an initial brief with things like IP addresses, URLs, and other information. At that point, I create a new project in Dradis. I put all the info in to get it started: basically just an initial capture. This might be a week or two weeks before the job itself.
Once the project has begun, it’s fairly typical. I collect all the data into Dradis, just like most people would collect data, no matter where they’re collecting it. I don’t tend to use any bulk import features because a lot of the work I do is web apps, so the findings are more bespoke.
As I’m working, I put findings directly into Dradis Pro and I pull prewritten findings from MediaWiki, which I use as a findings repository because Dradis communicates easily with MediaWiki. So even for the rarer or more obscure issues, I will still have some kind of template I can start with, instead of redoing it.
Obviously not every client is the same. So I don’t want to give out the same templates or findings to everyone. But I also don’t want to be rewriting the same thing over again. So I just go in, slightly manipulate it around to be bespoke for that customer, and then that goes into the report.
So during the test, I’m going through, doing all the testing, building up all the findings. I always try to take more notes than are necessary, and note everything I find, particularly when it’s an onsite test because I know I can’t go back and check things. In Dradis, I take screenshots, I write up notes on everything, I record everything down to individual IP addresses and one-liners that may be useful. They may not be useful, but then I’ve got them just in case.
At the end of the test, the report creation depends on who I’m working for. Some companies or agencies like to use their own reporting template. If there’s a Word doc template, for example, I’ll do a bit of copying and pasting from Dradis into the document.
It’s much easier when I’m doing work for my own clients, because Dradis has automated reporting features. I just hit a button to generate the reports in whatever format I want, and out pops the report at my end, mostly done for me. Then it’s just a case of a little tweaking and putting a few last bits of customization on it.
How has Dradis proven useful for you?
RW: As soon as you start using a structured format for projects, you realize it’s so much easier to go through and see what everything is.
It’s like: ‘Why haven’t I been doing this the whole time?’ The problem is that you think, ‘My process works as it is, so I don’t have the time to put more effort into it. I’ll just use what I have.’ Then you’ll improve something and find a better way of doing it, and think, ‘Why didn’t I do this six months ago? Why didn’t I do this a year ago?’
What would you say is your favorite feature in Dradis?
RW: Probably having the issue library. It makes a big difference. In every test you do, you think, ‘I know I’ve written that one up before.’ And before, I’d have to dig through all the reports, going, ‘How did I write that up before? I know I did a good description of this at some point.’ With the issue library, I write a good description and I put it in the library and it’s always there for me. I don’t have to reinvent the wheel.
What sequence would you recommend for new Dradis users?
RW: I would go with the issue library first, because on most projects you’ll be repeating many issues. So start getting the library built up fairly quickly. From there, you’d go to the reporting side of it, and try to get yourself a report template made up. You’ll want to start small and slowly build into it.
How does Dradis Pro help your clients?
RW: They get more detailed and more time-tested descriptions. This makes it easier for them to understand what’s going on and makes it easier for them to remediate issues.
It also helps with on-site tests as I can sit down with the client and walk through each issue with them. There’s a nice onscreen display with a full list of issues. I can click on them, show them the descriptions, and there’s a graph that shows how many high, medium, and low risks there are. You can’t do that with a basic text file.
Also, it’s easy to find past project data. I had a client get in touch yesterday. Their test took place six months ago and they had questions about it. I can easily pull the archive, decrypt it, and I have all the data for them. It’s there, ready to go.
Thanks a lot to Robin for taking the time to talk to us and sharing his experiences. We very much appreciate it.