
New in Dradis Pro v2.6

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports in a fraction of the time.

Our first 2017 release, Dradis Pro v2.6 is loaded with some very interesting features to coordinate your team and generate better reports, faster.

The highlights of Dradis Pro v2.6

  • Better support for security testing methodologies (see below)
    • Organize tasks in a Kanban board (we ❤️ Trello too!)
    • Provide additional context, gather results, or set a due date for each task.
    • Assign tasks to different team members.
    • Keep Notes and information on each task.
    • Export Methodology details into your reports.
  • Merge multiple Issues in your project (see below)
  • Local Profile Pics (not just Gravatars!)
  • Redesigned error pages with the data you need for troubleshooting.
  • Edit / delete links for Evidence, Issues, and Notes from the sidebar.
  • Attachments HTTP API endpoint.
  • Validate Evidence fields.
  • Automatically generated Evidence Template.
  • Add-on enhancements:
    • Updated Nessus Plugin to support files that are missing a plugin_output tag.
    • Updated Qualys Plugin to better handle tags in report content.
    • Updated Burp Plugin to detect non-base64 encoded files and binary request/response data.
    • Updated the Burp-Dradis connector to correct HTTPS errors.
  • Word reports:
    • Methodology and Task content controls let you provide fine-grained information about your testing methodology as part of your deliverables.
  • Fix XSS in Issues diff view.
  • Bugs fixed: #84, #104, #164, #206, #280, #316


Methodologies become a first-class citizen of the framework

Methodologies now contain Lists and Tasks. Create custom Lists, add Tasks to the Lists, and move the cards from one List to the next.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Move Tasks between lists.

You can also set due dates, assign cards to team members, and create fields within Task descriptions that can export into your reports.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Create detailed Task descriptions, set due dates and assignees

Combine issues

Combine multiple Issues using our new merge feature. Just find and select the Issues that you want to combine:

Dradis Pro v2.6.0 includes a Merge Issues feature

You can combine them into a brand new Issue or into one of the existing Issues.

Dradis Pro v2.6.0 includes a Merge Issues feature. Combine multiple Issues into a new target Issue.

Ready to upgrade to v2.6?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

Giving back to the InfoSec community

Today is a good day: 3 years and 19 days after the last release of the Dradis Framework open-source project, the team announced a new release: Dradis Framework 3.0: A New Hope.

For a very long time the Community Edition of the framework had been put on hold while we tried to get Security Roots off the ground. When starting a new venture you’ve got more questions than you’ve got answers, and you never know how things are going to play out. In fact, the jury is still out.

A few years ago we had to make a hard decision: as a newborn organization we didn’t have the resources to maintain active development of two different editions of the framework and had to decide what to do. We could try to keep both editions (semi) alive and running, or focus 100% on the recently created Dradis Professional edition, with the premise that if we were successful a day would come in which we’d have the time and resources to really give the Community Edition the attention it deserved.

Today there are over 200 teams in 31 countries around the world using Dradis Pro. We’ve achieved what we set out to achieve back then, and it is time to give back to the same InfoSec community that made Dradis a successful project with over 25k downloads.

And when I say today I don’t mean literally today, the 20th of February. Today’s release of Dradis Community Edition 3.0 has been months in the making (check the hectic activity across the board in all of Dradis’ repos on GitHub). But today we get a chance to tell you about it, to show the results of that work and to give back.

Dradis Framework started as an open source project and will die as an open source project. Whether we can make Security Roots as successful as the open source project has been, only time will tell, but we most definitely hope so.

Please visit the redesigned project website, the new community forums and get involved in any way you see fit.

Going Freelance

Thinking of going freelance but not sure if it’s for you? Here are a few things that I think are worth considering before you take the plunge.

First, are you sure you actually want to go freelance? Is it that you want to be your own boss and manage your own work/life balance or is it just the lure of what, on the surface, appears to be good money and short hours?

I’ve been working for myself on and off for the last eight years, so I have quite a bit of experience of the advantages, disadvantages and things to consider when making the jump, and in this article I’ll cover some of these. I hope they will be helpful to those of you thinking of making the jump or who have recently made it. A short disclaimer though: these are my experiences and opinions, they may not work for everyone and others may disagree, but they will at least give you one point of view.

First off, back to the original question: do you really want to work for yourself? On the face of it, freelancers have a great life: the money is good, you can choose when to work, pick your clients and generally have a great time. The reality is that all this can be true, but it takes effort; you have to put a lot of work in to get there and to stay there. Clients do not simply come banging on your door, and while the daily rate can be very good you are unlikely to be working 5 days a week every week, so don’t forget, you have to average that rate out over the month and year.

Here are some other things worth thinking about.

Hours

I find that I work a lot more hours working for myself than I ever did working for someone else. There are lots of reasons for this:

  • You are now running a business so have to do “business stuff” as well as the actual client work – Things like bank reconciliation, marketing/advertising and VAT returns all take time that isn’t billable, so it ends up being fitted in around jobs, usually in the evenings or weekends during busy periods.
  • Quality of work/reputation – Not that I didn’t care about the quality of work when I was employed but now the business is just me and the next job with a client is likely to be based on the deliverables from this job, I feel an extra pressure to do the best job possible, even if that means putting in a few extra hours. I also end up knowing the client at a more personal level as I’ve often been involved with the whole process from initial contact to final delivery and so want to deliver a higher quality product.
  • There is often no one there to stop you doing the extra hours – When working in an office the end of the day is obvious as everyone else is packing up and leaving but working on your own it is easy to get sucked into a job and lose track of time. This applies to employed people who work from home as well so not just freelancers.

Clients

Unless you are really lucky and are well known or have very specialist skills, it is unlikely that clients will simply come to you, so you’ll need to go out and win them in some way. When starting out you need to be careful how you do this. Most companies have a clause in their contract that stops you approaching any of their clients if you leave, so don’t assume that if you are friendly with some of the company’s clients you will be able to lure them away. You may also have to be careful signing up your own clients while still employed; this may breach your contract. If this is the case you may start your freelance career without any fully signed up clients, which isn’t a good position to be in.

When working out where to get clients from there are a couple of options: go direct to companies and try to sell them your services, or work through middlemen who resell your services for you. Which you choose is up to you and how you would rather work. Going direct to companies can be more lucrative as you get to negotiate for yourself and keep all the cash, but doing this requires you to put effort into finding and winning these clients. Back to the hours worked: this isn’t billable work and you have to fit it in around paying clients. Working through a middleman means you don’t have to worry about sales and marketing and all the client schmoozing, but it means you lose a cut of the final invoice to the middleman.

I personally prefer using a middleman, actually a number of them, as I really don’t like having to do sales work and so am happy to give them their cut to do the work I don’t enjoy. Something I do consider here though is that if the middleman goes on holiday or has a bad month then I’ll not be getting any work that month. That is why I like to have a number of agencies that I work through, as one may be on an ebb while the other is on a flow.

Until it has happened once, most freelancers don’t think about clients not paying; you just assume that you’ve done the job so the cash will come in, hopefully on time. I’ve had a couple of clients not pay, and the first one hit me so badly that I ended up going back to employment as I couldn’t cover it. When you tell friends, their response is often “take them to court, sue them”. That is easier said than done when you find out that they haven’t paid because they’ve blown all their cash and have nothing left to pay anyone. Legal action can cost a lot of money and you are unlikely to be high on the list to get cash back if they are going belly up. Make sure you think about this and have reserves in case it happens.

Software/Hardware

As an employee you are most likely provided with all the hardware and software you require to do your job. You’ll get a laptop, a Nessus licence, that kind of thing. When you are on your own you have to provide all that yourself. While a lot of security tools are free, there are some instances where the commercial versions are really the best ones to choose. Make sure you add all these costs to your budget. Don’t forget the non-security tool software costs as well: a Windows licence (even if just used in a VM), Office and all the other little apps that you used to just install off the main app server without worrying about licences.

Laptops, phones and other hardware – are you going to share your personal kit with the business or are you going to get it its own dedicated set? Duplicating it all is expensive but means you can do extra hardening on the work equipment and ensure it is only used for work to lessen the risk of exposing client data.

Also consider hardware redundancy. When employed, if your laptop dies the night before a test you might be able to acquire a replacement from a colleague, and if not then you can probably hand off to the project manager to talk to the client and postpone the job. When you are on your own all that becomes your responsibility. I’ve been a Linux user for over 10 years, but my main laptop has been running Windows 7 for over a year because I’ve not had time to take it out of service for long enough to reinstall it. I have a backup machine that I can use if I need to, but being older it is a much lower spec, so even when I’ve had a few days spare I haven’t risked making the swap just in case.

Legal Issues

The contract

This section could also be called Cover Your Ass and you need to give it close attention. What you need is dependent on your location and the jobs you are doing but here are the basics.

First you really should get a good contract. There are lots of contracts floating around on the net which you could take and either use as is or modify to your own requirements. This is the cheap option, but not one that I went for. The reason I chose not to do it is that I wanted to know that my contract matched my business and the jobs I was doing. The contract is the thing that decides who is in the right if things go wrong, so I was happy to spend money and time with a good lawyer to make sure mine was as good as I could get.

There are also a number of potential problems with random contracts found on the net:

  • It could be out-of-date – Laws and regulations change
  • Location – The contract may not be for your country/jurisdiction
  • The contract may have flaws or may simply be written by someone who was not a lawyer and just thought the words sounded good

Insurance

In terms of insurance, some may be mandatory, some may be recommended and some may be personal preference. As with contracts, what you need will be based on the kind of work you are doing and where you are doing it. The different types I’d definitely look at are:

  • Professional indemnity – Covers you if you make a mistake while on a job
  • Public liability – In case someone gets hurt as a result of you doing a job
  • Income protection – If for some reason you are unable to work there will be no money coming in, this can help in this kind of situation

When getting insurance, make sure you explain exactly what it is you will be doing to the insurance company or broker. I went through a few companies who turned me down straight away, until I got annoyed and asked one for an explanation as to why they wouldn’t cover me. After a discussion they realised they didn’t fully understand the job I initially described to them, so they changed their minds and covered me. This was quite a few years ago, and as the industry has grown there are now many more options out there and companies understand the profession better, but I’d still make sure you fully explain to them what it is you will be doing, just in case.

Training

It’s all down to you: if you want training you have to pay for it yourself in time and money. There are a lot of free, or very cheap, courses out there and you can learn a lot from just reading articles, but back to hours worked again, it isn’t billable work so you have to fit it in around your paying clients.

Holidays

No holiday pay: if you aren’t working you aren’t earning! You don’t even get paid for bank holidays.

I like to tie training and conferences in with holidays; our family holiday last year started in Gent at BruCON, then moved on to a more normal holiday.

Money

I can’t lie, the money as a freelancer, on the face of it, is a lot better than as an employee. But when you add in all the extra hours you’ll end up working, the lack of holiday pay, having to provide all your own hardware, software, stationery (I still send letters occasionally) and all the other non-billable things you need to do and buy, it doesn’t necessarily work out that much better.

When working out your budgets, don’t assume that you’ll set your day rate at X and will get 253 * X (253 is the number of working days in 2013). Make realistic assumptions about how much work you think you’ll get in a good and a bad month, and then decide if it looks as good as it did.

Think about what will happen if you have a couple of bad months back to back, can you survive?

Conclusions

I love being freelance. I much prefer the freedom it gives, especially with two small children at home, but I’m lucky that I have a lot of very good clients and I’m able to sit at my desk from 9-5 (or however long a job takes) without getting distracted. I take regular breaks and will take a day off just to play with the kids if work is quiet, but I’ll also get my head down and barely leave my office when work is there.

If you are thinking about it, make sure you look at the unglamorous side of it as well as the fun-looking public side, and if you decide to do it, good luck, I hope you enjoy it as much as I do.

About Robin Wood

Robin is a freelance pen-tester, researcher and developer. Among his projects are Karma, KreiosC2 and Jasager. He is based in the UK.

Find him on Twitter as @digininja or at www.digininja.org

How to choose a software vendor

So, you’ve decided you need a software vendor to build an application for you. It might be an idea you have for a great new product, or a tool that needs to integrate with an existing system, or an application to automate a manual process in your organisation.

I assume you know a little about software but you do not have much experience in how applications are built and how software development teams operate; you would like to know how to pick a software team that will build a quality product, that will understand what you need and contribute to the success of your business.

To give you some background, I am a software engineer, have led software teams, outsourced projects to remote software teams and delivered work for remote clients. I would like to share a few ideas to help you judge if a software team is worth their weight in gold.

How well do they communicate?

You will be spending a fair bit of time with the team you pick. You’ll explain your idea to them, and they’ll explain their approach to the project. It’s important that you understand each other, that you click, that you are on the same wavelength. When you explain your idea to them they should understand it and be able to contribute constructively to it. When they explain their implementation to you it should be in such a way that you can understand. Successful communication is critical to the success of your project – pick a team that you can communicate well with.

Do they understand your business domain?

It is incredibly valuable if the team that you engage with understands your business domain or the industry that you are in. Have they worked with clients in your industry before? Do they specialise in a specific domain and does it overlap with yours?

A software team that understands the context in which an application will be used will spend less time trying to understand the problem space and more time focussing on the solution. You might have a very clear documented vision of your application, but inevitably decisions need to be made during development by the development team. A software development team makes better decisions when they understand the business domain.

Do you like their existing work?

Past behaviour predicts future behaviour. You can tell a lot from a team based on work that they have delivered in the past. Most teams would be happy to share a portfolio with you of applications that they have built before.

Do they design clear and easy to understand user interfaces? Is it intuitive to use their applications? Do you get a sense that they have thought through every scenario in which the application might be used? Do they take pride in their work?

Are they willing to involve you in the process?

A good software team values continuous contribution from their client. Be wary of a team that vanishes for 3 months with your requirements with the promise that they’ll deliver the perfect product when they return.

Before any line of code is written they should involve you in their planning process or at least give you clear visibility on their planning. When development starts they should be able to show you their progress on a weekly basis and invite your feedback.

A good software team understands that requirements may change during a project and they embrace change, knowing that certain things become clearer only during development.

Do they have good software development practices?

Even if you are not very familiar with software development you can still make a judgement of a team’s engineering practices by asking a few simple questions.

Do they test their software? Good software development teams have a diligent process through which they test their software. You can reasonably expect testing to be partially automated and partially manual. I would be careful if they do not do a fair bit of each. Most teams would be happy to discuss this.

Do they break their projects down into small testable chunks of work? Similar to manufacturing, it is best to break a software project into small well-defined pieces of work that can be tested from a user’s perspective. Successful teams have a well-defined process by which they define, implement and test pieces of work and measure their overall progress (protip: why can’t developers estimate time?).

Do they frequently deploy their code to a production-like environment? It is important that deployment to production is part of the development process early on in the project. This eliminates surprises at the end. It is also important that this process is automated.

Do they have a process in place to deal with bugs? Teams should have a process in place through which they track, prioritise and fix bugs.

Are they familiar with software security? Good software teams consider security from early on in the development project and have checkpoints in place during the project to review security of the application.

How do they stay on top of the latest technologies? Software development is a fast-changing industry. Good software teams encourage and support their developers to read, attend conferences, have side projects and experiment with new techniques.

Do they contribute to the software community? All software teams rely heavily on the wealth of knowledge that is provided by the software community. Healthy software teams give back to the community through publishing their knowledge, contributing to open source projects, speaking at conferences, etc.

What is their public reputation?

A good software team has happy clients (client testimonials), they engage in conversation in the public domain (twitter, mailing lists), they are regarded as specialists in their own domain (blogging, speaking at conferences), etc.

Wrapping it up

The above pointers are aimed at helping you judge a vendor’s maturity in a few fundamental aspects of software development without having to know the industry jargon. There is more to software development than can be covered in a single blog post, but hopefully the above will enable you to have a confident discussion when engaging with a software team for the first time.

About Siebert Lubbe

Siebert is a software engineer, enthusiastic about all things software related – the code, the people, the business, the processes and emerging technologies.

He is based in Melbourne, Australia currently working at realestate.com.au. Find him on Twitter as @siebertlubbe or at siebertlubbe.com.