Monthly Archives: August 2021

On being human.

Leave a reply

Our team has grown slowly and deliberately from a single person at the start to a nine-person team in 2021. Some things that work well enough on a small team need more thought as the group expands. With that in mind, we are encouraged and continuously reminded from the day we are hired to challenge our status quo and enabled to suggest and adopt changes.

Embracing that opportunity means our internal processes and approaches evolve as each new person joins the team and adds unique perspectives. As a global team, our views are as varied and diverse as the individuals providing them.

We have internal core values and guidelines for working together as a fully remote and distributed team that might be worth sharing in future posts. We have a clear mission, which I’ll share here to save you a few clicks. 

We help information security teams focus on making systems more secure by reducing the overhead of managing and discussing the outcome of the security assessments they perform for their clients (whether these are inside their organisation or outside of it).

Not too long ago, we realized that there is a bunch of info about Dradis out there – how it works, what it does and doesn’t do, how to use it, etc. Still, not much is available to help the community understand the people and company behind the tool. Taking inspiration from companies like Balsamiq, we decided to do something about that gap. Now, we’ve put into words what we believe to share with you and the ideas that give us a yardstick to measure our decisions against. Without further ado:

We are here for the humans. At the end of the day, the work done in infosec is for and about humans. And as messy as humans are, that can make this work frustratingly complicated. Sure, scanning tools and blinking boxes can handle some of it – but pulling everything together requires a human. We are here to make it simpler for you to be human by getting the time sucks out of your way.

Infosec is a team sport. Just like information systems are interconnected, so are the different folks involved in securing them. Sharing clear information and thinking creatively together is often critical to solving the problem at hand, so let’s do more of that well.

Customers + Vision = Roadmap. We don’t have an official roadmap, but that’s not to say we don’t have plans. We’ve got big ideas on how this industry will continue to evolve and how we can best serve you and your customers. That’s why we reach out to our customers and invite your feedback.

It’s your data. You keep it. Whatever data you put in Dradis, is yours, and we like it that way. We respect your privacy and that of your customers like we value our own. We trust that you will let us know how we can improve and make a better product.

These declarations of what we believe are posted on our website so you can revisit them, and new users can easily find them. These beliefs may change as we grow as a team and new voices are added, and as this industry faces new challenges. I hope you’ll help us stay accountable to these beliefs and call us out if you see us not operating consistently to them.

We are human, after all.

The humans behind Dradis

New in Dradis Pro v4.0

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Gateway Themes

One of the biggest changes in Dradis Pro v.4.0 is the move from a single HTML Gateway template to Liquid themes. Create a dynamic, info packed, theme to deliver assessment results dynamically in Gateway using Liquid. Multiple Gateway themes means each project can use a different theme that’s appropriate to the engagement. Two new Gateway themes are included with Dradis Pro v4.0 to get you started.

Liquid has a well supported and documented history for creating robust templates. This will make it easier for teams to create and support their own well organized, customized templates.

Are you currently using a customized Gateway HTML template? Reach out to our team with your existing template so we can help convert it to Liquid before you upgrade any production instances.

Downloadable Assets

In addition to reviewing the results of an assessment dynamically in Gateway, contributing users can securely download assets that have been added to their project. Deliver final reports, scope documents, and other assets directly from Gateway keeping everyone out of their inboxes and project details centralized.

Simple Team Setup

Getting started using Dradis Pro is simple. Once deployed to your environment, the super-admin for the instance is created during the first run and can quickly set up the rest of the team through this new guided walk-through.

Maximum Login Attempts

Configure the number of maximum login attempts to help prevent brute-force attacks on your Dradis instance. The default is set to 3 attempts before the account is locked. Admins can increase or decrease the number of attempts to align with their team’s policies.

Captain Kirk and Sulu are both locked out for entering invalid credentials

Release Notes

  • Projects:
    • Cleanup the New/Edit view
    • Create and remove the results portal from the Edit view
    • Dashboard: Add Default issue entry to menu when project is empty
    • If there is only one RTP, select it by default
  • Setup: new initial Team and User wizard
  • Teams: cleanup the New/Edit view
  • Users: account gets locked after too many failed sign in attempts
  • Upgraded gems: addressable, nokogiri, papertrail, puma
  • Bugs fixed:
    • Better support for characters inside textile linked text
    • Display placeholder text for issue sorting dropdown when no field has been selected to remove confusion about default options that are not yet applied
    • Fix issue library entries action buttons not appearing due to caching
    • Fix revisions with “destroy” event not removed from the database after deleting a project
  • Integration enhancements:
    • Acunetix:
      • Add support for Acunetix 360
      • Make Request and Response fields available at the Evidence level
    • Gateway 🍾
      • Moved project contributor assignment to Gateway management
      • Deliverable upload management
        • Your contributors can now download assets directly from your results portal!
      • Themes!
        • Gateway now supports theme management and the ability to apply different themes to different projects
    • IssueLib entries#index API now supports pagination
    • Nessus:
      • Add age_of_vuln, exploit_code_maturity, threat_intensity_last_28 threat_recency, and threat_sources_last_28 as available Issue fields
    • Nexpose:
      • Update HTML tag cleanup
    • Nipper:
      • Include multiple paragraphs when importing fields.
    • Remediation Tracker
      • Use Datatables for the Tickets#index table
  • Reporting enhancements:
    • Word:
      • Add support for template syntax within resources exported in Word reports
      • Fix exporting node labels with links
  • REST/JSON API enhancements:
    • Update the API to handle pagination
  • Security Fixes:
    • Medium: Authenticated (contributor) information disclosure
      • After a contributor was assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Not using Dradis Pro?