Author Archives: Daniel Martin

New in Dradis Pro v1.11

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.11. Dradis is a collaboration and report generation tool for information security teams.

The community of Dradis users is very passionate about their craft and they rely on us to run their infosec practice. We live to make their lives better by taking as much of the grudge work and repetition involved in delivering each project off their plates. Part of that effort also consists of creating great documentation to help you make the most out of Dradis, and we have two new manuals:

  • Working with projects: covering every module you will use on a day-to-day basis when running a project with Dradis.
  • Custom Word reports: showing you how our flexible reporting engine can be used to adapt your existing report template.

As promised a few months ago, we keep our focus on software quality and continuously raising the bar for ourselves. As a result this release is more about stability, performance, and enhancing existing functionality than it is about introducing flashy new features (not that we’re not working on flashy new features, of course we are, and they’ll blow your socks off when you see them, but they are not part of this release ;)).

Without further ado, the highlights of this release:

  • Performance improvements for really large projects. Running internal assessments with 100s of hosts and 1000s of vulnerabilities is completely painless.
  • Enhancements to the reporting engine:
    • Filter Issues by tag
    • Better screenshot support
    • Better paragraph / text styling detection
    • Better internal formatting (when inside Word tables)
    • Background report generation
  • Onboarding Tour for new users
  • In-project methodology editor
  • Drop old interface support
  • Bugs fixed: #20, #24, #50, #52, #55, #74, #142, #143, #146, #147, #151, #159

How to upgrade to Dradis Pro v1.11?

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.11.0

Still not a Dradis user?

These are some of the benefits you’re missing out on:

Read more about Dradis Pro’s time-saving features and pricing. Or if you want to start from the beginning, read the 1-page summary.

Dradis Pro is sponsoring BSides London 2014

Dradis Professional is sponsoring the next edition of the B-Sides London security conference:

http://www.securitybsides.org.uk/

B-Sides London 2014 will be held at the Kensington and Chelsea Town Hall on April 28, 2014 in London, UK.

We’ve put together a page for the event and are raffling a Dradis Pro license, read more at:

http://securityroots.com/dradispro/events/bsideslondon2014.html

Are you planning to attend or want to get in touch? Contact us or ping us on Twitter: @dradispro

New in Dradis Pro v1.10

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.10.

March 2014 has been a great month: first we took part in Corelan Team’s 5th Anniversary party then we attended the first edition of the Rooted Warfare event and now we have a fresh release ready for you (yes, yes, technically we’re not in March any more, but it’s close enough!).

It’s been only 3 months since our last release, but this one is full of action:

  • A more useful Project Summary view (see below).
  • Tag issues and group them by tag.
  • New Project Template manager.
  • Performance improvements to several plugins (Nmap, Word, etc.)
  • Improvements to the management console (see below).
  • Several improvements on the UTF-8 and i18n front.
  • And of course bug fixes, lots of bug fixes
    (#43, #44, #64, #65, #72, #75, #77, #78, #85,… full list)

Let’s take a closer look at some of the most significant enhancements…

Interface improvements

This is what the new Project Summary page looks like:

A screenshot showing the new Project Summary view. Includes an issue chart and a methodology progress meter

All in all, the new Project Summary gives you a nice big picture overview of what is going on with the project. This is great for team leaders and technical directors wanting to keep an eye on the projects across the board. And if the client asks for an update, you’ll have all the information you need in a single screen. Nice and easy.

Let’s delve into the key components of this new summary view.

Finding tagging

First of all, it is now possible to group and tag your findings. You can define your own categories and colors or you can use the default ones, up to you.

For the actual assignment, a nice drag-and-drop interface makes it a very straightforward and intuitive process:

A screenshot showing the interface that allows you to drag issues and drop them into the right category

Track methodology progress

Testing methodology support was introduced some time ago. However in this release we’re making it a lot easier to keep track of how much progress you and your team have made.

A screenshot showing the new graph that keeps track of your progress in the methodologies of the project.

You can of course create your own testing methodologies. But remember that to help you get started there are quite a few already available in the Resources section of our Users Portal:

http://securityroots.com/dradispro/extras.html

Management console improvements

We’ve some good news on the Dradis CIC as well.

There are a few services ticking along in the background to make sure you have a great Dradis Pro experience. Every once in a while, however, you may want to restart some of these services (e.g. you developed a new custom plugin, you made a change to your MySQL config, etc.). Before, you had to roll up your sleeves and prepare for some good old console goodness. Not any more! From now on, it is possible to check the status of the different services and restart them from the web interface itself:

A screenshot of Dradis' Admin Console showing an interface that lets you re-start the different services the app depends on.

How to upgrade to Dradis Pro v1.10

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.10.0

Still not a Dradis user?

These are some of the benefits you will get:

Read more about Dradis Pro’s time-saving features.

Happy 5th Birthday to Corelan Team from Dradis Pro

Corelan Team’s logo & Dradis Professional Edition logo

Today is the 5th anniversary of the amazing Corelan Team. Through their blog, their articles, their tools and their forums they have contributed like very few other communities to spread and enhance the knowledge of the security community at large.

We’ve prepared a few anniversary presents for the team and their community. To find out more, please head on over to the official blog post at:

Keep up the good work guys, everyone is looking forward to what the next 5 years will bring!

New in Dradis Pro v1.9

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.9. Start thinking about what you are going to do in 2014 with all the report-writing hours that Dradis will save you from spending 🙂

This release brings new features and improvements at almost every level:

  • Redesigned interface (see below).
  • New management console and upgrade process (see below).
  • A faster, more reliable stack (see below).
  • Enhancements to reporting engine:
    – Custom Word tables (read more)
    – Mix Issues as Notes throughout the template
  • Drag’n’drop report template manager (read more).
  • Add methodologies and checklists to your project templates.
  • And of course bug fixes, lots of bug fixes (#7, #22, #26, #33, #34, #46, #47, #51, #59,… )

Let’s take a closer look at some of the most significant enhancements…

New interface

Throughout 2013 Dradis Pro has been used by dozens of organizations around the world to manage hundreds of security engagements. Each project is a complex mix of tasks: writing up a vulnerability, processing the output of a tool, uploading a screenshot, etc. We have redesigned the Dradis interface to declutter your project workspace and make it easier to perform those tasks that you need to do several times per day.

Without further ado, the new Dradis Pro v1.9 interface:


A clean layout that lets you focus on what’s important: your findings. It’s also fluid, which will help you make the most of your wide screen.

Here are a few additional close-ups, and yes, you can drag’n’drop your attachments or even paste your screenshots directly, without saving them to a file first (if your browser supports it).


Management console & upgrade process

From now on upgrading your Dradis Pro install will be even easier. We’ve created a new management console that lets you apply updates without leaving your browser window.


Apart from the new Dradis CIC, we’ve also made significant changes to the base operating system layer of the Dradis Pro virtual appliance, so you should upgrade as soon as possible (review the Exporting, importing and backing up your data step-by-step guide first).

New stack: Ruby 2.0, Unicorn, and Nginx goodness

With Dradis Pro v1.9 we’re upgrading the base stack that powers the application.

The new stack is significantly faster and more efficient (it’s the same one that companies like GitHub, Airbnb or Zendesk are using). From the user’s point of view, you’ll just notice better performance under the hood.

We’ve also made some changes to the internals of the appliance, paving the way for more advanced CIC operations (like restarting services from the administration console). We’ve also taken steps to make sure that further tweaking of the stack will be a painless process, which will make things easier in the long run.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features.

Upcoming in Dradis Pro v1.9: report template manager

In this post we introduce another new feature of the upcoming version of Dradis Professional Edition: the new report template manager. Our previous post on the Upcoming in Dradis Pro v1.9 series was about custom Word tables.

Why do we need a report template manager?

There are several use cases for being able to manage multiple different report templates: your organisation may use different report templates for different project types (e.g. a webapp assessment vs. a vulnerability scan); some of your clients may want you to use their own reporting template; or maybe you are thinking about going freelance or being a subcontractor, so you have to use different templates when you are contracting for different security service vendors. The reason doesn’t really matter. What matters is that from now on you can forget about your multiple template requirements: work as you always do in your Dradis project, and when the time to generate the report comes, pick the right template and produce a full-featured report with just 1 click.

The new template manager complements the Export Manager that we introduced in the current version to allow for more complex multi-template workflows.

Screenshots

You can use the report template manager to easily drag and drop new template files and associate them with each of the export plugins (even the custom plugins you create):

A screenshot of the new report template manager that shows a drop zone area to upload new templates and a list of already uploaded templates.

Pro tip: if you are using Chrome, you can Ctrl+c and Ctrl+v to paste the file into your browser window.

A screenshot of the report template manager showing the view you get when a given plugin doesn't have any templates yet

More information

Dradis Professional edition helps you manage your information security projects. Collate information from multiple tools and generate reports with just 1 click.

If you are not a Dradis Pro user yet, you can read more about our painless 1-click reporting, merging tool output from your favorite tools into a single report and delivering consistent results using testing methodologies with our tool. Get a subscription and start saving yourself some time today.

When is v1.9 going to be out?

Soon! We’re just working on the finishing touches. Subscribe to the newsletter below to get updates in your inbox, and follow us on Twitter: @dradispro.

Upcoming in Dradis Pro v1.9: custom Word tables

Dradis Pro v1.9 is going to be packed with useful upgrades. One of the features we’ve been working on is the ability to easily generate custom Word tables.

Dradis itself has had table support for a very long time; however, the table formatting was lost in the report generation process. Not any more: starting in v1.9, all the tables in your Dradis project will be recreated in your final report.

Here are some examples of beautiful tables generated with Dradis. Note that you can of course customize the look & feel of each table individually. The styles range from simple ones adapted to the rest of your branding:

A simple 2x2 custom Word table showing a custom orange and grey style

Tables can also appear anywhere in the document. For instance, below we show how you can keep the scoping information in your Dradis project and then export it to Word using a slightly modified Word table design:

A screenshot of a Dradis note showing a table with scoping information. Columns: Application, URL, Account and Privileges

A screenshot of a custom Word table generated from the Dradis table shown in the previous screenshot. It is using one of Word's predefined styles.

Mixing tables with plugins

We’ve also updated some of our import plugins to generate information in tabular format. For instance, the Nmap plugin now produces a nice service summary table for each host. You can use this feature to produce a nice Hosts and Services Summary section in your report:

A screenshot of a Word document showing a summary of hosts, port numbers and services in a table format

This is just one of the many features we’re preparing for the next release. Watch this space for updates over the coming days!


Dradis Pro custom reports: 3 guides to get you started

One of the main areas we’re working on as part of the Autumn of Code (if you are a Dradis Pro subscriber you know what this is, for the rest of you, we’ll be writing up a bit more in a few days) is documentation.

We’re always working to make it even easier for our users to create Dradis Pro custom reports. You just need Word and a few minutes to go through the guides. We provide you with plenty of examples and sample templates (both built into Dradis and via our Extras section).

Over the last month, we have restyled and organised the Support site and so far we’ve added three brand new guides.

From Nessus to Word: a hands-on-example

This guide covers all the steps required to go from a Nessus export file (.nessus) to a Word report with custom look and feel. Map between the Nessus fields and the fields your organisation uses with the Plugin Manager, report findings by host, or list all the hosts affected by one vulnerability, etc.

Of course the best part is that the exact same methodology can be applied to generate custom reports from any of the other supported tools (Qualys, Nexpose, Burp, etc.). And you can mix and merge the results from multiple tools to generate a single consistent report in minutes.

Read more: From Nessus to Word: a hands-on-example

Dradis Pro custom Word reports 101

If you are a new user that is starting with Dradis Pro custom reports or if you’re checking out our reporting engine capabilities, this guide is the right starting point.

We cover how to create a template from scratch, how to provide the placeholders for the different types of information that will end up in the report, how to filter and sort your findings, how to style your notes, etc.

We go into some detail about the philosophy behind Dradis and how to make the most of the flexibility it provides. Learn about all the features we support so you can mix and match them to fit your organisation’s reporting needs.

Read more: Dradis Pro custom Word reports 101

Connect Dradis to MediaWiki

Finally, a guide not strictly about creating Dradis Pro custom reports, but useful for those wanting to get the most value out of Dradis: create a repository of reusable report entries in a wiki and connect it to Dradis so you can import issues from it. Never again rewrite the same issue description; just import it and tweak the details for each particular case.

Connect Dradis to MediaWiki

Stay tuned…

That’s it for now, but we will be posting more updates on the Autumn of Code in the coming weeks.

If you want to learn more about Dradis Pro benefits, the Features page is the right place to start.

New in Dradis Pro v1.8

Today we have pushed a new version of Dradis Professional Edition: Dradis Pro v1.8.

This is a shorter release cycle than usual, but we are publishing some significant improvements that we couldn’t wait to share. This is tied to the ideas on product quality we shared a few days ago. Expect a big push of improvements and fixes over the coming weeks.

Changes:

  • Fine-grained project permissions (read more)
  • New Export Manager interface (see below)
  • Bugs fixed and enhancements:
    • Updated to Rails 3.2.14
    • Fix attachment preview scale in Firefox
    • Assign name to screenshot when using Ctrl+v to upload
    • Fix project import/export to work with Issues/Evidence
    • More reliable MediaWiki import (#17)
    • Give more room to every text editor window (#9)
    • Keep the alphabetical sort after errors in the issue list (#2)
    • Fix issues rendering problem in New Notes tab (#6)

The new Export Manager

The Export Manager was one of the modules that needed a refresh after the important changes we pushed in v1.7 (read v1.7 release notes).

Before, there was no easy way to export the same project into the different formats we supported (like HTML or Word), because you’d have to assign your notes to different categories depending on which export plugin you wanted to use.

This is no longer the case. With the new Export Manager you can export into any format from a single screen:

Screenshot showing the 1st step of the Export Manager where you choose the export plugin you want to use

First you choose which export plugin you want to use. If the plugin provides different options, as the Advanced Word Export plugin or the Project export plugin do, you can select which one you want at this stage.

Next you choose the template you want to use, click on Export and you are ready to go:

Screenshot showing the second step of the Export Manager where the template is chosen

This is great for people that have different templates for different project types (e.g. Application vs. Infrastructure templates; Wireless Assessment template; etc.). It also lets you create and test a new template while the team is still using the current version.

The new Export Manager is more flexible and powerful than any of the alternatives we had before; we hope you enjoy it!


Two years of Dradis Pro

Dradis Pro turned two, but we had our heads down working and we didn’t even notice. A little over two years ago we announced our flagship product: Dradis Professional Edition. Just looking at that URL – /2011/07/ – makes me realise how much work and how many hours have been poured into the project. About 1,000 new commits with new features, bug fixes and improvements. This of course doesn’t take into account the work that goes into the Support site for writing our step-by-step guides and producing the screencasts; or in making sure the website is up to date and still relevant; or in keeping our user base informed through our blog, tending the Twitter feeds or the mailing list (which has grown from 0 to 170 conversations and 700 messages).

The Dradis Pro logo which is based on the icons in the Dradis screen of the Battlestar Galactica tv series

When we started the main goal of Dradis Pro was to provide a convenient way to use the Dradis Framework bundled in a ready to use VM. Since then, and with the feedback from dozens of organisations around the world using Dradis on a day-to-day basis we’ve evolved the tool around four basic pillars:

  • 1-click reporting: time is money and every hour you don’t spend writing a report you can spend doing something else (e.g. finding bugs, researching, updating internal methodologies, etc.).
  • Integrating tool output: with 15 plugins and counting (including Burp, Qualys, Nessus, and Nexpose), Dradis is the easiest way to merge and integrate the output of different tools.
  • Consistent results: your team’s reputation is built on your ability to provide consistent results. Dradis puts the right tools at your fingertips: create custom project templates and testing methodologies (or download the ones we’ve created for you).
  • Collaboration: all changes are automatically pushed to every person working on the project to ensure everyone is on the same page.

At the moment I think we have a good portion of the basics covered. There are still a couple of modules that we will be adding in the near future, but for the most part the functional surface is already there. Now is the right time to reflect on what we have, what we’ve built and where we want to go from here. I’ve already outlined some of the driving forces that will inspire the future development of Dradis. Identifying and focusing on the core tasks that really make a difference to our users, raising the quality and smoothness of the experience throughout all areas, and making the interface more convenient to use are some of the key improvements we’ve already identified.

Later this year we’ll have the longest stretch ever of Dradis development since we started two years ago (actually since the open-source project started in 2007): the Autumn of Code’13. Starting on September 1st, and all the way through to November 30th, we will have 3 months of Dradis-only focussed work. The list of goals, improvements and enhancements planned for the Autumn of Code is not closed yet, as I also want to give our users a chance to have an input in the process. But there is a lot that can fit in three months of development.

Once the start date gets closer I’ll post an update with more details. But this is definitely a sensational time for the project. I hope that these three months will make a significant change in the shape and quality of the product. Needless to say, I’m very excited about the prospect of devoting my full attention to Dradis Pro for such a long stretch of time.

All in all, this year has been a pretty good year: we released v1.5, v1.6 and v1.7; we sponsored BSides London; we went to Las Vegas for the summer conferences where we met with lots of users and partners and now we will wrap up the year with the Autumn of Code.

These two years have been full of hard work and challenges, but I wouldn’t have had it any other way. I wonder what the next two will be like, and the two after that. Who knows, maybe we’ll have to change our name (you knew where the Dradis name came from, right?) and maybe we’ll finally get around to designing a proper company logo 🙂

In any case, I am really looking forward to what the future holds. When every now and then one of our users says that we are making a real difference for them or that they just cut their reporting time by 70% we know we’re on the right track: helping people to do more of what they want to do and less of what they don’t.