Author Archives: Daniel Martin

New in Dradis Pro v2.4

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.4 with some long-requested improvements.

The highlights of Dradis Pro v2.4

  • Project-wide search (see below)
  • UI improvements (see below)
  • Copying of Report Template Properties
  • Word reports
    • Better file extension handling in Windows
  • Minor bug fixing.

A quick video summary of what’s new in this release:

Project search

It is now possible to perform a project-wide full-text search against Evidence, Issues, Nodes and Notes:

A screenshot showing the "All" tab with results for a "DNS" search

A screenshot from the Search results page showing only Node matches

UI improvements

Dradis is used by over 270 teams in 33 countries around the world. When people are using your platform to edit and generate content in languages as varied as Simplified Chinese, Slovenian or Turkish, it becomes very easy to spot and squash internationalisation and character encoding bugs.

With this release we’ve made sure that Tags fully support names encoded in UTF-8:

A screenshot showing a tag in simplified Chinese

Evidence multi-add

It is not uncommon to need to link the same Issue to a number of hosts in your project. We’ve redesigned the UI to make this task a lot simpler:

  • Select the Evidence template you need (or start with a blank slate).
  • Tick off the relevant items from the Existing Hosts list.
  • If needed, paste a list of new IP addresses; they will be added to the project and also associated with your Issues.

A screenshot showing the new Add Evidence feature that lets you select existing nodes from a list, or paste a list of IP addresses.

Validate on save

Teams working with Dradis normally need to use a number of different report templates (e.g. one for vulnerability assessments and one for social engineering). To make it easier for users to remember what information each template needs, we now validate the content supplied by the user against the individual template's requirements and present a warning if the content doesn't match the template's expectations:

A screenshot showing warnings about missing fields and mismatched values in a recently created issue.

Optimistic locking

Have you ever been in a situation where, just after updating an Issue or Note, you find out that one of your teammates was also editing that same item? From now on, Dradis will warn you when someone else has modified the content you were busy with, so you have the peace of mind of knowing you're always working on the latest version of the content:

A screenshot showing how Dradis detects a modification to the content you were just trying to edit.
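The warning described above is the classic optimistic-locking pattern. The page does not say how Dradis implements it, so the following is an added example (not Dradis code) that models the pattern with an in-memory record using a `lock_version` counter, the same convention Rails uses for its `lock_version` column: a save must present the version the editor loaded, and if the stored version has moved on the save is rejected rather than silently overwriting a colleague's edit.

```ruby
# Added example, not Dradis code: optimistic locking for concurrent edits.
# Each record carries a lock_version counter (the convention Rails uses).
# A save must present the version the editor loaded; if the stored version
# has moved on, the save is rejected instead of silently overwriting the
# other user's work.

class StaleObjectError < StandardError; end

class Note
  attr_reader :text, :lock_version

  def initialize(text)
    @text = text
    @lock_version = 0
  end

  # expected_version: the lock_version the editor loaded the form with.
  def update(new_text, expected_version)
    if expected_version != @lock_version
      raise StaleObjectError,
            "note changed since you loaded it (you had v#{expected_version}, " \
            "store is at v#{@lock_version})"
    end
    @text = new_text
    @lock_version += 1
    self
  end
end

# Two users open the same note at the same time; the second writer is warned.
def concurrent_edit_demo
  note = Note.new("Port 22 open")
  alice_version = note.lock_version # both editors load version 0
  bob_version   = note.lock_version

  note.update("Port 22 open (OpenSSH)", alice_version) # first save succeeds

  begin
    note.update("Port 22 open, weak ciphers", bob_version)
    { outcome: :overwritten }
  rescue StaleObjectError => e
    { outcome: :conflict, message: e.message,
      current_text: note.text, current_version: note.lock_version }
  end
end

puts concurrent_edit_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Run it and the second save raises, leaving Alice's text and version 1 in place; the caller can then reload the record, show the diff and let Bob decide what to keep, which is exactly the behaviour the screenshot shows.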

Still not using Dradis in your team?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.3

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

This month we’re pleased to bring you Dradis Pro v2.3 with some interesting additions.

The highlights of Dradis Pro v2.3

  • Smart issues table (see below):
    • Filter / search contents
    • Custom columns
    • Show / hide columns
  • Tabbed view for: Issues, Notes and Evidence (see below)
  • Admin > Templates > Reports improvements
  • Admin > Templates > Projects improvements
  • Redesign of empty views: project, issues, methodologies
  • Add-on enhancements
    • Acunetix: better code / syntax parsing
    • OpenVAS: bug fixing
    • Project export: improve SQL efficiency
  • Methodologies module
    • Fix task status handler (tasks w/ special chars)
    • Progressive design enhancements
  • REST/JSON API:
    • New coverage: Notes, Evidence
    • Track API actions in Activity Feed
  • Word reports
    • Image captions (see below)
    • Fix bug w/ special chars in Node labels
  • Security fixes
  • Bugs fixed: #324, #325

Smart issues table

Dradis is used by over 270 teams in 33 countries around the world. Each team has a very different way of structuring their findings. With the new smart issues table, each user can decide what information should be presented on the screen for each project:

UI improvements

A few screenshots of the recent redesigns:

A screenshot of an Issue showing tabs for Information, Evidence and Activity

A screenshot showing the All Issues table with the new controls for filtering and showing/hiding columns.

A screenshot showing the Web Application Hacker's Handbook methodology

Word image captions in action

You can now specify the caption associated with your screenshots so it appears in your reports:

A screenshot showing how to specify the caption for an image

Hover the image to show the associated caption:

A screenshot showing Dradis rendering an image with a caption.

And select a custom Caption style for your Word image captions:

A screenshot showing a Word document with an image and a caption

Still not using Dradis in your team?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.2

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Two short months after the release of Dradis Pro v2.1 in February we’re pleased to bring you Dradis Pro v2.2 which is focused around connectivity and performance.

The highlights of Dradis Pro v2.2

  • Full REST/JSON API coverage (documentation)
  • Performance improvements: Rails 4.2, Ruby 2.2, memory monitoring.
  • Fix bug in Activity Feed of project templates.
  • Add-on enhancements:
    • CSV: export evidence data, fix CLI integration
    • HTML: fix CLI integration
  • Bugs fixed: #204, #319

The REST API

Through the new HTTP JSON API you can securely access all of the application entities, including:

Screenshot showing a GET request to the /clients endpoint

Perform CRUD operations on all application objects through an easy-to-use JSON interface.

Screenshot showing a POST request to the /issues endpoint

Use your favorite language to interact with the data contained in your Dradis environment.

Performance boost: faster, more responsive interface

Dradis Pro v2.2 also comes with a new version of the Rails framework and a modern version of Ruby. Both of these upgrades should have a significant impact on the overall performance and snappiness of the app, and they also bring some interesting security features out of the box. Among the notable changes are strong parameters and DB performance improvements on the Rails front, and garbage collection (GC) of symbols on the Ruby front.

For the nitty gritty details please see the Rails 4.2 release notes and the Ruby 2.2 announcements.

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.1

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will cut your reporting time in half.

Throughout 2016 we’re aiming to shorten our release cycle, and we’re pleased to bring you Dradis Pro v2.1 with a collection of enhancements that will make your day-to-day life a little bit easier.

The highlights:

  • DB performance improvements.
  • Session timeouts.
  • New add-ons
    • CVSSv3 score calculator.
    • DREAD score calculator.
  • Add-on enhancements:
    • Nessus: add support for compliance checks.
    • Nessus: use Node properties.
    • IssueLibrary: tagging of findings + UI improvements.
    • Rules Engine: rule sorting + UI improvements.

A few screenshots of the release

Screenshot showing the IssueLibrary entries with a badge showing their tags

Tag entries in your IssueLibrary

A screenshot showing each rule with handle bars for easy dragging / moving.

Drag and drop rules to re-order them

A screenshot showing the interface of the new calculator that lets you generate CVSSv3 by choosing the value for each subscore.

Calculate CVSSv3 scores and vectors from within Dradis
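For readers who want to see what the calculator is doing under the hood, here is an added example (not Dradis' calculator) that computes a CVSS v3.0 base score and qualitative severity from a vector string, using the base metric equations and weights from the CVSS v3.0 specification. Only base metrics are handled; temporal and environmental metrics are left out.

```ruby
# Added example, not Dradis' calculator: CVSS v3.0 base score and severity
# from a vector string, using the base metric equations of the CVSS v3.0
# specification. Temporal and environmental metrics are not handled.

module Cvss3
  AV  = { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.2 }.freeze
  AC  = { "L" => 0.77, "H" => 0.44 }.freeze
  # Privileges Required weighs differently when Scope is changed: [unchanged, changed]
  PR  = { "N" => [0.85, 0.85], "L" => [0.62, 0.68], "H" => [0.27, 0.5] }.freeze
  UI  = { "N" => 0.85, "R" => 0.62 }.freeze
  CIA = { "H" => 0.56, "L" => 0.22, "N" => 0.0 }.freeze
  METRICS = %w[AV AC PR UI S C I A].freeze

  # Parse "CVSS:3.0/AV:N/AC:L/..." into a metric hash; unknown values raise
  # later via Hash#fetch, missing metrics raise here.
  def self.parse(vector)
    parts = vector.split("/")
    prefix = parts.shift
    raise ArgumentError, "unsupported prefix #{prefix.inspect}" unless prefix == "CVSS:3.0"
    metrics = parts.map { |p| p.split(":", 2) }.to_h
    METRICS.each { |m| raise ArgumentError, "missing metric #{m}" unless metrics.key?(m) }
    metrics
  end

  # Spec round-up: smallest number with one decimal place that is >= x.
  def self.round_up(x)
    (x * 10).ceil / 10.0
  end

  def self.base_score(vector)
    m = parse(vector)
    changed = m["S"] == "C"
    # Impact Sub Score, then the scope-dependent impact equation.
    iss = 1 - (1 - CIA.fetch(m["C"])) * (1 - CIA.fetch(m["I"])) * (1 - CIA.fetch(m["A"]))
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * ((iss - 0.02)**15) : 6.42 * iss
    exploitability = 8.22 * AV.fetch(m["AV"]) * AC.fetch(m["AC"]) *
                     PR.fetch(m["PR"])[changed ? 1 : 0] * UI.fetch(m["UI"])
    return 0.0 if impact <= 0
    total = impact + exploitability
    total *= 1.08 if changed
    round_up([total, 10.0].min)
  end

  # Qualitative rating scale from the specification.
  def self.severity(score)
    case score
    when 0.0 then "None"
    when 0.1..3.9 then "Low"
    when 4.0..6.9 then "Medium"
    when 7.0..8.9 then "High"
    else "Critical"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  v = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
  s = Cvss3.base_score(v)
  puts "#{v} => #{s} (#{Cvss3.severity(s)})"
end
```

The round-up is the v3.0 definition; CVSS v3.1 later replaced it with a more careful routine to avoid floating-point artefacts, which is why the parser above accepts only the `CVSS:3.0` prefix.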

A screenshot of a piece of Evidence in Dradis with the Policy Value, the Actual Value and the Compliance Status of the check.

We can parse and export to your report Nessus’ compliance data.

How to upgrade to Dradis Pro v2.1?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.0

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams.

Just in time for the new year a fresh release of Dradis Pro is out of the oven. We’re really excited about Dradis Pro v2.0 as it is going to allow you to have a much better understanding of what is going on in all your security assessments.

The highlights:

  • Activity Feed: see what others are doing (see below)
  • Content revisions: track and *diff* edits (see below)
  • REST API: Clients and Projects
  • New Change Value action for the Rules Engine
  • Open support ticket from the app
  • Better issue Tagging support
  • Scheduled DB cleanup
  • DB performance enhancements
  • New add-ons
    • Brakeman Rails security
    • Metasploit Framework
  • Word reports
    • Better handling of screenshots
    • Pre-export validator (see below)
    • Add .docx / .docm support CLI generation
    • Report template properties (see below)
  • Plugin enhancements:
    • Acunetix issue identification accuracy
    • LDAP integration
    • NMap CLI bug fixed
    • NTOSpider additional data gathering
    • NTOSpider Plugin Manager bug fix
    • Qualys port and protocol information
  • Security fixes

Bugs fixed: #223, #301, #303, #307b

Dradis v2.0 video summary

The most juicy features in a 1m32s video:

The Activity Feed

The new Activity Feed is displayed on every view of the project. It lets you see who has been working on what (and when).

In the Project Summary page, the feed looks like this:

A screenshot showing different activities with the associated user and data (e.g. Rachel created a note), along with a link to the activity.

The project activity stream.

There is an Activity Feed for issues, evidence, notes and nodes, so nothing will slip through the cracks.

Versioned content

In addition to knowing who did what and when, we’ve taken it one step further: it is now possible to view and compare the changes that were introduced in any piece of content during the lifetime of the project:

A screenshot showing the view comparing the differences between two revisions of the same content.

The Activity Feed view from the Project Summary page.

Report template properties and pre-export validator

Finally, a handy feature on the reporting front. Since Dradis doesn't force you to change the way you write your report, we don't make any assumptions about how you want to work (trivia fact: Dradis has been used by over 200 teams in 32 countries and dozens of languages). As a result, sometimes there is a small discrepancy between the content in your Dradis project and what your report template is expecting.

For example, say you use High, Medium and Low for risk rating. Maybe in one of the issues somebody made a typo and used Hihg instead of the appropriate spelling. Or say that your template is expecting you to define properties for Project name and Client point of contact but you forgot? Fear not, the new pre-export validator is here to help!

A screenshot showing the different checks the validator is making.

The pre-export validator in action.
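The pre-export validator described here and the "Validate on save" warnings in the v2.4 notes above apply the same idea: compare what the project actually contains with what the template expects, and flag the mismatch before it reaches the report. The following is an added example (not Dradis' validator) of such a check in Ruby. It assumes issue text in the `#[Field]#` block notation Dradis uses for issue fields (the parser here is a simplified one), and the required fields, allowed risk values and required project properties are constants chosen for the example; the sample project, including the "Hihg" typo and the missing point of contact from the paragraph above, is constructed inline.

```ruby
# Added example, not Dradis' validator: check issues and project properties
# against what a report template expects before exporting.

REQUIRED_ISSUE_FIELDS = %w[Title Risk Description Recommendation].freeze
ALLOWED_RISK = %w[High Medium Low].freeze
REQUIRED_PROJECT_PROPS = ["Project name", "Client point of contact"].freeze

# Parse "#[Field]#\nvalue" blocks into a hash of field => value.
# Simplified version of the Dradis field notation (assumption for this example).
def parse_fields(text)
  text.scan(/#\[([^\]]+)\]#\s*\n(.*?)(?=\n#\[|\z)/m).to_h.transform_values(&:strip)
end

# Returns a list of problems for one issue; empty means it matches the template.
def validate_issue(text)
  fields = parse_fields(text)
  errors = REQUIRED_ISSUE_FIELDS.reject { |f| fields.key?(f) }
                                .map { |f| "missing field #{f}" }
  if fields.key?("Risk") && !ALLOWED_RISK.include?(fields["Risk"])
    errors << "Risk '#{fields['Risk']}' is not one of #{ALLOWED_RISK.join('/')}"
  end
  errors
end

# Project properties the template needs must be present and non-blank.
def validate_project(properties)
  REQUIRED_PROJECT_PROPS.select { |p| properties[p].to_s.strip.empty? }
                        .map { |p| "missing project property #{p}" }
end

# Full pre-export report: hash of "issue N" / "project" => list of problems.
def validate_for_export(project)
  report = {}
  project[:issues].each_with_index do |text, i|
    errs = validate_issue(text)
    report["issue #{i + 1}"] = errs unless errs.empty?
  end
  props = validate_project(project[:properties])
  report["project"] = props unless props.empty?
  report
end

# Constructed sample project with one clean issue and one with problems.
SAMPLE_PROJECT = {
  properties: { "Project name" => "ACME external test", "Client point of contact" => "" },
  issues: [
    "#[Title]#\nSQL injection in login\n\n#[Risk]#\nHigh\n\n" \
    "#[Description]#\nInput is concatenated into a query.\n\n" \
    "#[Recommendation]#\nUse parameterised queries.",
    "#[Title]#\nOutdated TLS configuration\n\n#[Risk]#\nHihg\n\n" \
    "#[Description]#\nTLS 1.0 is still enabled."
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  validate_for_export(SAMPLE_PROJECT).each do |where, problems|
    puts "#{where}:"
    problems.each { |p| puts "  - #{p}" }
  end
end
```

Running it reports the misspelt risk rating and the missing Recommendation on the second issue, and the blank Client point of contact on the project, while the first issue produces no warnings; the same function can be called on save to give the early warning shown in the v2.4 notes.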

So far we've got the following checks, but we're already working on the next batch:

How to upgrade to Dradis Pro v2.0?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/latest

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v1.12

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.12. Dradis is a collaboration and automated reporting tool for information security teams.

The highlights:

  • New Acunetix and NTOSpider connectors
  • Updated Burp and OpenVAS connectors
  • Business Intelligence add-on (see below)
  • Rules Engine add-on (see below)
  • Reporting engine enhancements:
    • Pre-export validator
    • Native support for .docx and .docm
    • IssueCounter control
    • Concurrency enhancements
  • Bugs fixed and feature requests: #128, #131, #141, #145, #152, #184, #189, #197, #201, #205, #207, #212, #216, #232, #238, #239, #254

Rules Engine add-on

Define rules that kick in when you upload the output of a scanner. Akin to your email client processing rules, the Rules Engine allows you, among other actions, to:

  • Tag findings based on their fields (e.g. tag as Critical if CVSSv2 is > 9)
  • Merge several findings into a single one (e.g. group all those pesky “missing patches” entries under a single finding)
  • Replace the default description with your own. That's right, every time Burp finds XSS, you will get a finding with your team's custom Description / Recommendation for this vulnerability class.

A screenshot showing the list of configured rules in this Dradis Pro instance.

Define the rules that will kick in when you upload the output of a scanner.

A screenshot showing a rule definition where two findings (one from Nessus and one from Qualys) will be replaced with the team's own description of the problem.

Sample rule: de-duplicate findings.

A screenshot showing a rule definition where any finding coming from a scanner is replaced with the team's own description in the IssueLibrary

Sample rule: use your own descriptions.
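To make the three actions concrete, here is an added example (not Dradis' Rules Engine) of a small rule-based post-processor for uploaded scanner findings in Ruby: rules are evaluated in order, and each one either tags matching findings by a field, merges them into one umbrella finding, or replaces the scanner's description with the team's own text. The `Finding` structure, the house XSS text and the sample Nessus, Burp and Qualys findings are constructed for the example.

```ruby
# Added example, not Dradis' Rules Engine: a small rule-based post-processor
# for uploaded scanner findings showing the three actions described above
# (tag by field, merge several findings into one, replace the scanner's
# description with the team's own). Findings and rules are constructed here.

Finding = Struct.new(:source, :title, :cvss_v2, :description, :tags, :hosts,
                     keyword_init: true)

# The team's house text for XSS; constructed for the example.
TEAM_XSS_TEXT = "Reflected XSS: user input is echoed without output encoding. " \
                "Encode for the HTML context and add a Content-Security-Policy."

class RulesEngine
  def initialize
    @rules = [] # each rule is a lambda: Array<Finding> -> Array<Finding>
  end

  # Add a tag to every finding matching the block.
  def tag(with:, &cond)
    @rules << lambda { |findings|
      findings.each { |f| f.tags << with if cond.call(f) }
    }
  end

  # Collapse every matching finding into one umbrella finding, keeping the
  # highest score and the union of hosts and tags.
  def merge(into:, &cond)
    @rules << lambda { |findings|
      matched, rest = findings.partition { |f| cond.call(f) }
      next findings if matched.empty?
      merged = Finding.new(
        source: "merged", title: into,
        cvss_v2: matched.map(&:cvss_v2).max,
        description: matched.map { |f| "- #{f.title} (#{f.source})" }.join("\n"),
        tags: matched.flat_map(&:tags).uniq,
        hosts: matched.flat_map(&:hosts).uniq
      )
      rest + [merged]
    }
  end

  # Replace the scanner's description on every matching finding.
  def replace(description:, &cond)
    @rules << lambda { |findings|
      findings.each { |f| f.description = description if cond.call(f) }
    }
  end

  # Rules run in the order they were defined.
  def apply(findings)
    @rules.reduce(findings) { |current, rule| rule.call(current) }
  end
end

# Constructed sample upload: two Nessus patch findings, one Burp XSS, one Qualys.
def sample_findings
  [
    Finding.new(source: "Nessus", title: "MS17-010: missing patch", cvss_v2: 9.3,
                description: "scanner text", tags: [], hosts: ["10.0.0.5"]),
    Finding.new(source: "Nessus", title: "MS16-032: missing patch", cvss_v2: 7.2,
                description: "scanner text", tags: [], hosts: ["10.0.0.7"]),
    Finding.new(source: "Burp", title: "Cross-site scripting (reflected)", cvss_v2: 4.3,
                description: "Burp boilerplate", tags: [], hosts: ["app.example"]),
    Finding.new(source: "Qualys", title: "Weak SSL cipher suites", cvss_v2: 4.3,
                description: "scanner text", tags: [], hosts: ["10.0.0.5"])
  ]
end

def build_engine
  engine = RulesEngine.new
  engine.tag(with: "Critical") { |f| f.cvss_v2 > 9 }
  engine.merge(into: "Missing Windows security patches") { |f| f.title =~ /missing patch/i }
  engine.replace(description: TEAM_XSS_TEXT) do |f|
    f.source == "Burp" && f.title =~ /cross-site scripting/i
  end
  engine
end

def run_demo
  build_engine.apply(sample_findings)
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |f| puts "#{f.title} tags=#{f.tags.inspect} hosts=#{f.hosts.inspect}" }
end
```

Rule order matters: the tag rule runs before the merge rule, so the Critical tag set on the 9.3 finding survives into the merged "Missing Windows security patches" entry, which also carries both hosts. The Burp XSS finding keeps its title and host but now shows the team's description instead of the scanner boilerplate.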

Business Intelligence add-on

Most likely you’re running 100s of projects each year. The Business Intelligence add-on helps you make sense of the wealth of information that is at your fingertips but that most likely you haven’t been tracking. These are some of the questions you will be able to start answering:

  • What do you know about the types of projects you’re running (what percentage is webapps vs infrastructure)?
  • What types of clients are you serving? In what industry?
  • What are the most profitable client types?
  • What percentage of your projects is under-scoped or over-scoped?

A screenshot showing the Business Intelligence view with: a list of custom properties for Clients, for Projects and a search facility.

The Business Intelligence dashboard. Define custom properties for Clients and Projects to track business metrics.

New admin layout

Yes, we finally have a layout like it’s 2015 (well maybe 2013), but a great improvement over our bare-bones previous one. Here are just a couple of quick examples:

A screenshot showing the project selection view inside Dradis Pro.

Project selection view.

A screenshot showing the list of users registered in a Dradis Pro instance.

All users registered in the Dradis Pro instance.

How to upgrade to Dradis Pro v1.12?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.12.0

Still not a Dradis user?

These are some of the benefits you're missing out on:

Read more about Dradis Pro's time-saving features. Or if you want to start from the beginning, read the 1-page summary.

Avoiding Common Scoping Mistakes

(Note: This article is part of a series about differentiating your InfoSec company from competitors and improving your perceived value.)

In our last article in this series, we talked about some ideas for setting in place Continual Improvement of processes at your InfoSec company. One process that is often far from perfect at InfoSec companies (and IT companies in general) is scoping.

It’s important to understand that bad scoping, when it reoccurs consistently, is a process problem. It’s not a problem with your account managers, or your testers, and it’s not a problem on the client side. It is fixable. As with most problems in business management, improving this area comes down to having a consistent process.

The Downsides of Bad Scoping

Obviously it’s hard to argue with the need for good scoping procedures. But to drive this need home, let’s look at some of the many negatives resulting from underestimating the amount of work a job will take:

  • Wasted manhours and lost profit
  • Rushed projects, which leads to oversights, which leads to client dissatisfaction
  • Conflicts with other scheduled projects when a project runs over schedule
  • Morale problems due to rushed or mismanaged projects

Overestimating the scope is less immediately harmful to your company but is still obviously bad. Overestimating scope can lead to inflated prices, which can lead to clients noticing those inflated prices and going elsewhere. It can also lead to your testers noticing that you are charging inflated pricing, which may hurt their impression of the company’s ethics.

Many InfoSec companies operate in a constant whirl of activity, working multiple projects back-to-back and simultaneously. You would think this would create an impetus for optimizing scoping procedures, but unfortunately, often the opposite is true: the company is so inundated with work that they have never had time to study their processes and implement new ones.

Scoping Problems

Now let’s look at a few specific ways scoping problems often arise on InfoSec projects.

Clients May Not Know What They Need

Often, the client representative tasked with communicating their needs to your company is not knowledgeable about the problem. There are a few ways this can happen…

Often a non-technical manager or employee is told: “We need a security check; get it done.” Or the owner of a small business or startup knows he needs security testing, but doesn’t know any more than that. They may have no awareness of the technologies involved in their application or website, or of the different pentesting options available.

This situation leads to obvious problems in communicating the scope of a project. There must be a process in place to gain very specific info about the project, or else there will be blind spots that won’t become apparent until the project is started, by which time it’s too late.

Even technically proficient people may be ignorant of what’s involved in pentesting. Even many skilled developers are not familiar with how much work, and what kind of work, goes into a pentest.

This ignorance is not necessarily a shortcoming on their part; developers and hackers just have very different ways of looking at the world. A developer is prone to see their application as a functioning whole, made up of trusted tools and libraries they’ve assembled to get the job at hand done. They often don’t think of their application as consisting of many small, interlocking parts, whereas the hacker sees an application as an assembly of cobbled-together parts and thinks about how to find the weaknesses in the joints of those parts.

This differing mindset means that even the app’s developers are often not able to clearly communicate all the technologies and systems that will need to be probed by a pentest. And this leads to similar problems in scoping.

Team Members Not Knowledgeable or Properly Motivated

Sometimes the internal staff members doing the scoping aren’t technically knowledgeable, either. Sometimes it may be a non-technical account manager or salesperson who is the first contact with clients and who also does the scoping.

Having non-technical staff as the frontline with clients isn’t necessarily a problem. It only becomes a problem when there aren’t systems in place to acquire the necessary project information (which we’ll talk more about in a moment).

Another problem may be that the employee doing the scoping isn't properly motivated to make sure the information is acquired. Perhaps after the completed scope specifications leave their hands, they don't have to think about them again and no one brings up problems to them later. This can make them a bit impervious to pressures to improve their process.

Project Information Not Updated

Sometimes it happens that a client has a project that won’t be completed for some time, but they need to pay for a security assessment now. (One explanation may be that they need to spend end-of-year budget money.)

This situation can obviously lead to problems, as the client tries to describe the technologies that will probably be in place, without knowing for sure what the application will look like months down the line. This isn’t necessarily a problem, either. The problem comes in when the scope and project specs are not revisited as more information becomes available.

For example, if there is no process in place for someone to update the project specs with info as it becomes available, it may happen that the start date arrives and the team members assigned will have no up-to-date information about the project. This can include login information and server credentials and the like. So maybe there were three days assigned for the pentest, but the team has to spend a day acquiring the necessary access information, so now the project ends up taking four days. Or, if it can’t be extended, the team doesn’t have enough time to cover all the steps in their testing methodology.

Scheduling and Talent Allocation Problems

Scheduling and talent allocation are separate issues, but some of the problems from these areas bleed over into scoping a bit. Here are a couple of ways these come into play:

  • If a company doesn’t have a good system of scoping and conducting reviews of projects, scheduling will often be off, which can amplify workflow problems. For example, if scoping is consistently off, and scheduling is much too tight, there will be conflicts between projects and missed deadlines.
  • If the person in charge of scoping doesn’t have a good understanding of the skills of team members available, the projects won’t be accurately scoped and costs won’t be accurate. For example, an account manager estimates three days for a pentest, but doesn’t know the exact skills of his techies or doesn’t factor in research/getting-up-to-speed time, so the actual time needed ends up being significantly longer.

Scoping Improvements

Now that we’ve looked at some of the major problems, what are the solutions? A lot will of course depend on your own business setup and what you already have in place. (Some of you will already be doing some of these things.) But here are some ideas for ways to improve the accuracy of your scoping process:

Pre-Scoping Questionnaire

One way to ensure that the relevant info is gathered is to make a detailed pre-scoping questionnaire a required part of every process. This questionnaire would be ideally filled out by the client company before scoping is started.

This questionnaire would include detailed questions about the architecture (existing or planned), such as:

  • Give a description of your application/website’s architecture.
  • What libraries and tools does your application use? (Perhaps an export of the environmental dependencies?)
  • Where and how is the application hosted?
  • How far along is the application and in what shape will it be by the time work is done on it?

Advise your client contact to give the survey to the most relevant, knowledgeable person in their organization.

Pre-Engagement Questionnaire

A pre-engagement questionnaire is what we call a survey that you give the client a little bit before the official project start date has arrived. As we talked about, often there is a problem with keeping the project file up to date with the state of the client’s app or the required specs (such as login credentials).

Making such a questionnaire a part of your process will ensure that your team members have what they need when the start date arrives. This step also minimizes many of the negative effects of sub-par scoping; your team members will spot scoping problems before they threaten to derail the project.

A pre-engagement questionnaire might include questions like the following:

  • Where is the application hosted?
  • What accounts can be used by the test team?
  • What are permissible testing hours (e.g. can a scanner be left running overnight)?
  • What is the final range of IP addresses in scope?
  • Who is the main point of contact for technical issues?
  • Who is the escalation/business point of contact?
  • Who needs to receive start- and end-of-day email notifications about testing activities?

Scoping Reviews

It’s important to do “post-mortems” on your projects, including the scoping of projects. After every project is complete (or possibly less frequently if that is too difficult), get together with the project principals and ask questions like:

  • Was the scope accurate?
  • Did we have time to do what we needed to do?
  • If the scope was inaccurate, why was it inaccurate?
  • What can we do in future to prevent that happening again?
  • Are the problems with this scope similar to other problems we’ve had in the past? Why is that?
  • Just as importantly: if the scope was very accurate, why was that?

When you conduct a project analysis, it's important to be honest with each other and not to assign blame. It should be understood that the goal is improving the process, and that mistakes lie with the process, not with the team members.

Assigning New Responsibilities

Making sure project information gets where it needs to go (before scoping and after) may mean that you need to add new responsibilities to your team members’ roles. Whoever is in charge of talking to clients and scoping projects should be clear on their responsibilities and the information-acquisition process (which may include making sure questionnaires are completed, for one).

If your staff is currently kept completely busy as it is, and it doesn’t seem possible to add more to their workload, you might consider adding a new position. It could even be a part-time position. But if no one is currently keeping their eye on such details, you’ll continue to have problems with information not being present when it’s needed.

Tracking The Process

As we’ve talked about in previous articles in this series, long-term improvements come down to making changes to the process. If you aren’t making the changes a trackable and necessary part of the process, they will easily be left by the wayside and lost.

One way to make the ideas in this article part of your process is to use workflow software (like Trello) to ensure that your team members actually go through the steps on every project. In Trello (and other similar applications), a project is moved from one step to another, which ensures that steps won't be missed. You would put dedicated places in the workflow for "Pending Pre-Scoping Questionnaire" and "Pending Pre-Engagement Survey". The process would not continue unless someone actively showed that those steps were complete.

Next…

Hopefully we’ve given you some new ideas on ways you might optimize your scoping process and make it more efficient. Let us know if you found the information helpful or if you have some unique things you’ve done to improve your scoping accuracy.

In the next few articles in this series, we’ll be discussing some other areas of project management, including internal knowledge transmission and ways to improve project and report standardization.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch soon.

If you’ve found this article helpful, please reach out and let us know how the information has worked for you. And keep an eye out for the future articles in this series.

Making Your InfoSec Team Stand Out Through Continual Improvement

(Note: This article is part of a series about differentiating your InfoSec company from competitors and improving your perceived value.)

In our last article, we talked about some ways to get some "quick wins" at your InfoSec company through practical steps you could take immediately to effect some process improvement. But, as you know, making long-term change at an InfoSec company (or any company) requires dedication and patience.

Continual Improvement is a philosophy aimed at continually evaluating and improving a business process by using customer feedback on the product or service. By continually improving the interactions that make clients happy and by continually eliminating those things that aren’t important (waste), a company continually approaches perfection.

In this article, we’ll look at a couple of major ways to implement continual improvement in your InfoSec company, such as:

  • Using the deliverable (the report) as a driver for process improvement
  • Giving your team proper motivation and incentive to change

Deliverable Quality As Driver For Process Improvement

Most InfoSec companies are already entirely focused (often overly so) on the deliverable. At these companies, the report is the only thing that matters, and once it’s delivered, the conversation with the client is pretty much over. So making changes to what’s required to be in the report can be a great way to drive other process changes.

Ideally, as we’ve talked about in past articles (and often on our blog), a report will be much more than just a simple collection of vulnerabilities. To be the best it can be, and to set your company apart from the competition, a report should:

  • Give practical, actionable information on results. In other words, how significant or dangerous are the findings?
  • Contain an easy-to-understand executive summary. As your most important audience is often non-technical employees, the more you can communicate the situation to them, the more valuable your reports will be.
  • Showcase your methodology and processes. If you have great processes in place, you want to showcase them in the report. A report composed primarily of findings misses an opportunity to communicate how those results were created and why they can be trusted.
  • Showcase technical talent and allocation. Your company should have a way to ensure that the best people work on the problem, and this should be showcased in the report.

By creating requirements that contain these elements (effectively and accurately!) in every single report, you are also, simultaneously, creating process change. When reports are only required to contain the findings, it’s easy for your team members (managers and techies) to overlook the process, and the process is vital.

Some examples of what you can require to be in the report and how that can create broader, cultural change:

  • The report must contain information about how team members were chosen. This forces you to put in place an effective process of selecting talent for projects.
  • The report must prove the technical expertise of the team members who worked on the project. This will encourage you to create and reinforce methods of spreading knowledge efficiently throughout your organization. A more knowledgeable staff means that you have more people available to handle specific technologies, which makes scheduling jobs easier and improves the client experience.
  • The report must contain information about your process and its consistency. This forces you to initiate processes that demonstrate said consistency (e.g., team collaboration tools, up-to-date and shared testing methodologies, standard issue descriptions and ratings).
  • The report is automatically set up to contain all of the checks possible on a specific technology. This serves as a reminder to your team that those checks must be done, every time.
  • The report is automatically set up to contain a section for soliciting client feedback. That feedback will always be collected and be used to improve your process.

These requirements for the report act as powerful feedback loops that help continually improve your process. These requirements help managers easily check that the desired steps were followed on every project. And once your team gets used to the new requirements, they will automatically start to think of ways to improve the process, if only to make life easier on themselves. Which brings us to…

Motivating and Incentivizing Your Team

True company change will seldom happen without cultural change. In other words, a business will seldom really change its ways unless there is buy-in from its employees. Employees must have proper motivations and incentives for acting in the desired way.

It’s not enough to tell your team, “The boss wants it this way and that’s just how it is.” And it’s also not effective management to say, “Do this or you’ll be punished.” Behavioral change must come from within team members and should be positively motivated, not negatively motivated.

Creating cultural change may be one of the biggest obstacles at InfoSec companies. Here are some cultural challenges we face in this industry:

  • Technical ability is highly valued, and there is often a tendency to “bow down” to highly-skilled workers and let them operate how they want to operate.
  • Technical workers like to think about real, technical things, and there can be a lack of awareness (and sometimes outright disdain) for “softer” issues like customer experience and customer support.

So how might you tackle this problem? What are some ways you might communicate to your team why the changes you are implementing are valuable? Here are some ideas:

Show your team that the request for process change is coming from the client, not from management. The demand for change starts with the client. All changes you make should be derived from understanding what will improve your clients’ experiences. Ideally you will have already gone through some steps to get clear about what makes your clients happy (these were discussed in our last article). It’s easier to sell the need for change to your workers when you show them exactly how your clients are asking for change. It’s harder to sell the need for change when it’s phrased as something “we just have to do now”, without explanation. So share the relevant feedback and emails from clients that are driving the change.

Explain the importance of client happiness to the company’s health, their jobs, and their lives. Client happiness is not a wishy-washy, abstract concept. Client happiness can be the difference between your company’s success or failure. Success means more money to go around and more industry respect for your team members. The more you can make your team see how the process changes have real benefits to them, the easier the changes are to implement. One way to do this is to track and analyze some key performance indicators as changes are made over time (e.g., number of repeat contracts, client survey average scores, time spent on projects) so that your team can see the concrete ways your changes are helping.

A more efficient process makes their work lives easier. Your technical team wants to work on technical tasks; they don’t want to spend time working on boring administrative tasks or editing the wording of a report. One aspect of continual improvement is enhancing your process and making it more efficient. (One example: automated report creation software reduces the need to constantly write new descriptions for the same vulnerability classes every time.) When team members see that the process changes lead to less time spent on things they don’t want to do, and more time spent on the things they want to do, change is easier to sell.

Sharing technical knowledge efficiently helps everyone. Part of improving your processes is increasing your knowledge transmission; i.e., how technical knowledge is shared throughout your organization. (We will be talking more about knowledge transmission in a later article.) Effective knowledge transmission, of course, means better client service, but it also means that your team members learn a lot more than they otherwise would. Learning new tech skills makes workers more valuable and gives them more earning potential. (It then follows that a more educated workforce makes it easier to book and schedule jobs.)

Good performance is rewarded. When team members perform at or above your expectations, have systems in place to reward them. It can be a financial reward, or it can be non-financial (e.g., granting them access to new tech training or time off). One caveat is to not hurt morale by making the workers who weren’t rewarded feel punished.

Remember, The Process Is Usually The Problem

As you move forward with a continual improvement process, you should remember that the majority of company problems stem from processes, not employees. There can be a reflex tendency to blame individuals when procedures are not being followed and goals not being met.

But, by and large, these problems come down to not having good processes. Most employees want to do a good job and be rewarded for doing a good job. The problem for managers is mainly one of defining what constitutes a good job and making it easy for workers to jump through those hoops.

Another major aspect of Continual Improvement is to encourage your team members to report problems with the process, and to make it easy for them to do so. Your tech team contains the people most knowledgeable about how the current process impacts their ability to get things done. They are the best people to get input from about your processes. Ask them questions, give them surveys, and make it easy for them to give criticism (even anonymously).

Once you get feedback on a process and you see the feedback is valid, you should act on it quickly. This avoids procrastination and shows your team that you are serious about improvement and encourages them to come forward with their ideas.

Two great resources on process improvement that we recommend are The E-Myth Revisited and Work The System.

Next…

Hopefully this article has given you some ideas on how to start down the continual-improvement road. In the next few articles, we’ll be discussing some specifics of project management, including:

  • Improving scoping and scheduling
  • Knowledge transmission
  • Project standardization

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch soon.

If you’ve found this article helpful, please reach out and let us know how the information has worked for you. And keep an eye out for the future articles in this series.

Differentiating Your InfoSec Company: Getting Some “Quick Wins”

(Note: This article is part of a series about differentiating your InfoSec company from competitors and improving your perceived value.)

In our first article, we talked about some of the problems facing InfoSec companies: overseas competition, competition from smaller firms and consultancies, and the commoditization of pentesting in general.

The primary challenge for many InfoSec companies is to stand out–to showcase to current and future clients what makes their service different, valuable, and worth the rates being charged.

The process of re-positioning and differentiating an InfoSec company from competitors will be a long and ongoing process, involving procedural changes and cultural changes. In this article we’ll look at some things you can start doing immediately to gain some “quick wins” at your company.

Plan Quick Wins As Part of a Long-Term Process

Why do most New Year’s resolutions fail? It’s because most people try to implement change suddenly, immediately, and haphazardly, without having an underlying strategy or process.

When trying to change an organization’s processes and philosophy, you should remember that the actions you take today should be part of a deeper, longer-term strategy. Immediate actions are great, as long as they are part of a sustained push towards continual improvement.

There are a few dangers in attempting to implement organizational changes without having a broader plan:

  • You might alienate your technical team. If they are used to doing things “their way”, drastic attempts to change their behavior will likely alienate them and ultimately fail.
  • You might cause disruptions to projects and workflow. If you attempt to implement change too rapidly, your team will be confused and work quality will suffer, and this will probably be noticed by your clients.

Your attempts at quick wins should be focused on:

Demonstrating value to your clients. Improving your client’s experience and perception of your company is key to the differentiation process. You want to, above all, make sure your changes are positively influencing your clients’ experience.

Demonstrating value to your team members. The more you can show your team why your changes are valuable and necessary, the more likely it becomes that they will absorb those reasons and make them their own. You want to make it as painless as possible for your team to implement the changes.

Most of the quick wins we will look at will involve gathering information, whether from clients or from team members. This is usually the lowest-hanging and most valuable fruit. Asking questions and gathering information gets you clear on the direction you should be heading in and the steps you should be taking next.

Focus On Core Competencies

What does your company do best? What are your strengths? Having core competencies and a niche sets you apart from your competitors and gets you greater attention.

This can be counter-intuitive. At many companies (not just InfoSec companies), there can be the philosophy of: “Well, we have to do everything, because if we don’t do everything, we’ll miss some clients.” Or: “Our client just asked for this. We have to give it to them to make them happy.”

This leads to a marketplace where pentesting seems more of a generic commodity than it is. Your potential client may be looking at a line of near-identical InfoSec companies, all of whom claim to do everything. In such a marketplace, it can be hard to stand out.

Focusing on what you’re truly great at has several positive results:

  • You become known for being great at the specific systems and technologies at which you excel.
  • By voluntarily defining what you’re not good at, your perceived strengths become that much more believable.

In short, there is power in saying “No” to clients and defining your focus.

One example of how this can play out: If you define one of your core competencies to be SAP Security, then your client may not hire you to do an Android assessment. This may seem like a lost opportunity, and perhaps it is in the short term.

But what will happen is that your clients and colleagues will remember what your focus is, and will respect that you have a focus and are willing to admit when something is not your specialty. Clients will be more likely to get in touch with you later when they have a problem that falls in your area of expertise. And, down the road, if you expand your core competencies to other technologies, your claims of expertise will be that much more believable and powerful.

Not only is this approach powerful for gaining respect from clients, it also gains you respect from talent you may be recruiting. Being known as a company that specializes in cryptography vulnerabilities, for example, will make it more likely that cryptography experts will want to work with you, which creates a positive feedback loop for your quality and reputation.

Quick Wins

Here are some beginning steps for establishing your company’s core competencies.

  1. Set up an internal meeting to brainstorm what your core strengths are, and how you want to position yourself in the marketplace.
  2. Ask, “Who are our ideal clients?” Getting clear about which clients make your team happy leads to realizations about what your strengths are.
  3. Ask, “Who are the clients we don’t want to serve?” Identifying the clients who aren’t right for you will help you adjust your messaging to speak to the right audience. This will create a self-selecting process, where your favorite work is attracted to you and your least favorite work is not.
  4. Research the industry to see what needs may be underserved. Can you think of a strength you have that not many companies are focused on serving?
  5. Talk to colleagues about your ideas for niche positioning. Ask for feedback about whether your ideas for positioning will be perceived as valid.
  6. Talk to new prospects as if you’ve already repositioned the company and gauge their response. For example, if you’re at a networking event, you might talk to new contacts using your new company messaging and focus, and see how they react, whether positively or with no interest. With methods like these, you can test client and industry response before implementing the change on a bigger scale.
  7. Talk to trusted clients and run your ideas by them. Ask questions like, “If we focused on this specific service, would this be valuable to you?”

Learn What Makes Clients Happy

As we talked about a bit in our first article, InfoSec companies can be a little out of touch with ideas of customer service. Often, companies are so focused on the project at hand and delivering the report on time, that client experience can be the last thing on your team’s mind.

But in order to differentiate and get noticed, your team, like it or not, will have to make strides in improving clients’ experience.

Part of the problem is that business owners will often make assumptions about what their clients value. You may assume that your clients value X, Y, and Z about your company. But unless you explicitly ask, you won’t know.

For example, maybe you think your clients value your technical expertise and professionalism, when the truth is that your clients value your ability to accommodate sudden changes in scheduling. Or maybe, above all else, they value a very clear Executive Summary section, which helps them make the case for IT security initiatives.

The point is: You shouldn’t assume anything about what makes your clients happy.

The first thing to do to get more clear in this area is to gather information from clients: information about what they value, what they don’t value; what works, what doesn’t work; what they like about your company specifically and what they don’t like. This information can then be used to:

  • Expose major failures in how your company is serving clients
  • Improve and standardize business procedures and pentesting methodologies
  • Decide on a new company focus (i.e., a core competency)
  • Improve the value and consistency of deliverables
  • Come up with new services (i.e., new ways to make money or add value)

Also, the nice thing about eliciting client feedback is that it helps you sell the necessary changes to your team members. If clients make it clear that they want to see changes, such communication is harder for everyone to ignore.

Quick Wins

Here are some starting steps for gathering much-needed client thoughts.

  1. Have a team meeting and think about the types of questions that would be valuable to ask your clients. Examples of valuable questions include:
     • “How would you compare your experience with our company with your experiences at other companies?”
     • For repeat clients: “How would you compare your most recent experience with previous experiences?”
     • “How would you rate the value of our report?”
     • “What would you like to see from our report that you didn’t?”
     • “What is the worst part of our reports?”
     • “What is our weakest point compared to other vendors?”
     • “Have you recommended us in the past? Why or why not?”
     • “What kinds of InfoSec services would you like to see offered but are not getting?”

For ease of use, you should try to make most questions Yes/No or a single-choice on a rating scale (e.g., a 1 to 10 scale). Requests for long responses are sometimes too much of a demand and don’t result in actionable information.

Here is an article with many examples of questions you can use to gather customer feedback. And here is an example survey, hosted with Google Forms, that you can copy and modify to hit the ground running.

  2. Using the most relevant questions, draft an email survey to send to existing and past clients. Store the responses to the survey in a format that is easy to share with your team in an ongoing manner (for example, an internal wiki).
  3. Start to create feedback loops in your delivery process for gathering client feedback. For example, you might put a section in the report template that asks them to click a link and fill out a feedback form. By making feedback-gathering part of your process, you ensure it will be done on every project.
  4. Set up a reward system for team members who get high evaluations from clients. (But don’t punish team members just because they don’t get high marks. Employee shortcomings, it has been shown time and time again, are almost always caused by a faulty process.)

Develop New Services

Your company’s relationship with your clients doesn’t end with the deliverable. But it may seem that way at many InfoSec companies, where everything is about completing a project and moving on to the next one.

Ideally, you want to be thinking of additional services that aid your clients’ understanding and deal with their vulnerabilities in an ongoing fashion. Adding additional services has a couple of positive effects:

  • Services can be additional products and ways to make money.
  • They can be bundled with your existing pentesting services, as a way to provide added value and to justify your rates.
  • They differentiate you from your competitors.

Some ideas for additional services:

  • Offer clients a custom emailed newsletter that features information on security vulnerabilities for the specific technologies they use. For example, if your client uses WordPress and Magento, every month you deliver them updates and news on WP and Magento security issues. (This could be set up pretty easily in a content management system.)
  • Subscription services that allow your clients to get quick responses and input whenever they run into security problems or just want to bounce an idea off someone knowledgeable. This is essentially a support contract or retainer with guaranteed response time.
  • You could remove a common gap between discovery and remediation by providing vulnerability data in a format clients could upload directly into their bug tracker. (Of course, the format each client needs will depend on the specifics of their bug tracking system.)

These are just a few ideas for additional services.

Blue Ocean Strategy is a popular book about creating uncontested market space, and includes many ideas on how to differentiate offerings and create new services.

Quick Wins

Here are some starting steps for coming up with auxiliary, value-added services.

  1. Ask your team members for ideas on additional services.
  2. Check out competitors and see what they’re doing. Don’t copy them exactly (as the idea is, after all, differentiation) but use those ideas for inspiration.
  3. When polling your clients, ask them for additional feedback, such as: “If we started offering this additional service, would you find it valuable? Would you sign up for it? Would you pay x amount for it?”

Only the Beginning

The ideas in this article are only the beginning, of course. It can sometimes be a long road to change established processes and mindsets at any company. But hopefully we’ve given you some ideas for how to start today on improving the perceived value of your company and, by extension, set yourself apart from the pack.

InfoSec Experience Is Not Enough…

If you work in the information security industry, you probably are already well aware of the growing competition and commoditization in the marketplace. Overseas companies and small consultancies are charging lower rates, which can make it hard for companies to show why their higher rates are justified.

The truth is that pure, technical experience is no longer enough. It may have been, a few years ago, when competition in our industry was low, but it’s not enough anymore. Even if you know for a fact that you have one of the best, most technically skilled InfoSec teams out there, it doesn’t mean anything unless you are communicating that to your potential clients.

This article (the first in a series) takes a look at some of the reasons behind the industry commoditization. It will also, hopefully, start you out on a journey of optimizing and standardizing your company’s methodology and client-facing communications.

Increasing Competition and Commoditization

You probably already know many of the factors leading to lower average rates in the industry, but here’s a quick rundown:

  • Overseas competition: There are a growing number of overseas InfoSec companies, almost all charging significantly lower rates than the rates of companies in developed countries.
  • Small companies: There are an increasing number of small InfoSec startups. Their lower overhead means they can charge lower rates.
  • Freelancers: Similarly, there are many freelancers (some perhaps are your ex-employees), doing jobs for lower-than-average rates.
  • Software applications: There are a growing number of pentesting applications and tools, which can serve to level the playing field a bit. More importantly, though, it makes it seem to potential clients as if pentesting is more of an interchangeable commodity than it actually is.

All of these factors are creating what has been called a “race to the bottom”. InfoSec companies who were having no problem charging their normal rates a few years ago are now feeling the pressure to match lower rates from competitors or overseas companies to keep their lights on.

For all of these reasons, it is no longer enough for an InfoSec company to be great. They must show and prove their greatness.

Proving Value to Clients

For many InfoSec companies, the concept of trying to communicate their strengths to clients is a foreign concept. So many InfoSec companies are focused almost entirely on staying up-to-date on technology and vulnerabilities, and working on their projects. This is understandable; the work is very important. Without high-quality work, nothing is possible.

But competing in this modern, highly competitive marketplace means you must find ways to show why the work is high-quality. For many InfoSec companies, this will mean making adjustments to their fundamental business philosophy. It will mean focusing, as an organization, on the many ways it’s possible to improve your processes and to showcase those processes.

A Cultural Shift

For many companies primarily focused on the projects right in front of them, this will be a complete cultural shift. An analogy could be made to the major cultural change that happened in American car manufacturing in the 1980s, as companies like Ford and General Motors realized it was necessary to emulate the philosophies of Continual Improvement used by Japanese industry. (If you’d like to learn more about those cultural changes, click here.)

In a similar way, InfoSec companies must adopt a new mindset focused on the client experience and client-facing communication.

Improving Processes

The biggest part of improving the client experience (and potential client experience) is in optimizing and standardizing your processes and procedures. A few examples of how process improvements will help you prove your worth to clients:

The Power of Consistency

Your methodology must be truly consistent. Many companies say things like: “Our process is standardized. We always do x, y, and z on every project we work on.” But in reality, there may be significant variance in methodology from project to project. Different team members and managers may work on every project, and they may have different methods and styles. The company may pay lip service to the idea of consistency, but it may not value it in practice.

Being truly consistent means setting that principle as a real requirement on every project:

  • There have to be standards in place.
  • Those standards and systems need to be clearly communicated to every team member.
  • Managers must communicate why those systems are in place and why they are important.
  • There must be concrete measures in place to ensure guidelines are maintained so that, if there is a problem with a project or with a team member’s performance, it can be spotted and addressed.

In many InfoSec companies, the culture will make this difficult. (And we’ll talk more about ways to overcome these cultural obstacles in a future article.) But process consistency is vital. Clients want to know what to expect when they hire you and rehire you; this is especially true for the biggest clients. Consistent processes will demonstrate to your clients (especially your repeat clients) that you value consistency. And with greater consistency, it will be easier to demonstrate what exactly makes your team valuable.

The Power of Reports

Most InfoSec companies understand that reports are valuable, but they don’t truly understand just how valuable. A report is not just a way to communicate technical vulnerabilities and assessments. It is an opportunity. A report can be an opportunity to:

Showcase your consistent processes: If your methodology and business processes are fantastic, and consistent, then a report is a way to showcase your methods and how you thoroughly arrived at your results. You must find a way to work your methodology cleanly into your reports. And you must find a way to make that a part of your process that happens every time.

Proving the right team was on the job: Clients want to feel assured that you have the best people on the job. Reports are an opportunity to show to clients that the people working on their project are highly qualified. (We’ll talk more about the importance of this perception in a future article.)

Get repeat business: When you send deliverables, you are also, indirectly, pitching a client on future work. A report can showcase the benefits of your methodology, which can be a convincing sales message in itself. The report can also communicate the benefits of regular testing to make sure pentesting catches new vulnerabilities. For example, your team might notice problems outside of the scope of the investigation; the report is an opportunity to point out those issues and recommend future responses.

Collaboration and reporting platforms are becoming more and more a must-have for InfoSec companies. These programs help ensure all team members are on the same page and speed up your reporting process. They also make it easier for certain types of communications to wind up in your reports every time, which is important for showcasing your consistency.

The Power of Customer Service and Follow-up

For many InfoSec companies, the idea of customer service is foreign. Following up with clients, or asking for feedback on projects, may not be part of a company’s culture.

But this will need to change if a company wants to be optimally competitive. Companies will need to focus more on the client experience. Managers will need to communicate to team members why customer service is valuable, and what “customer service” means in our project-based, extremely technical industry. Clients will need to be prompted for criticisms (and, concurrently, testimonials) so that processes can be continually improved.

Managers and employees must understand that asking for feedback, and ensuring client happiness, is not a “soft” side of the business. Getting feedback from clients is part of a process of continual improvement. Without knowing what makes clients satisfied or frustrated, it’s impossible to improve your service. Or, more importantly, the perception of your product.

These are the same philosophies that helped Japanese auto manufacturers climb to dominance after World War II: a continual focus on their users’ experience and a continual focus on process improvement.

Change Is Possible

At this point, you might be thinking something like, “These are all great, lofty ideas, but you have no idea what it’s like at my company. These things would be impossible to implement here.”

But process improvements and cultural improvements are always possible. It doesn’t matter if you’re a manager or owner trying to implement a top-down improvement process, or a team member trying to convince the higher-ups that there’s a better way of doing things. Change is possible; it will just require intelligent planning and, sometimes, patience and persuasion.

In the coming articles in this series, we’ll be looking at some specific strategies and tips you can start putting in place immediately. These strategies will help you optimize your processes and differentiate your company from your competitors. We will also focus on helping you prove the value of these ideas to your own team, because that is often the most important and difficult part of any institutional change.
