Monthly Archives: June 2017

Tales from the Other Side: we survived our first security review

Leave a reply

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or mountain dew
  • Followed the WAHH methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly, it was “like a scientist trying to do ballet for the first time.”. Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.

 

We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!

 

We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!