Author Archives: Daniel Martin

The importance of collaboration during security testing

Team collaboration is crucial to success in security testing. Of course this is an age-old problem, and not at all confined to the security industry. In any meaningful task, team members need to draw upon pieces of each other's vision to create a cohesive idea and achieve a significant result.

You know the feeling: you check your calendar and in a few days you start a new project, but uh oh, this is a four-person team gig. Trouble ahead: a gazillion emails back and forth and no clear picture of where we are, what else we need to cover, or whether we left something out because everyone thought someone else was looking at it.

The first friction point is usually between different business units: does the technical team have everything they need to hit the ground running on the first day of the assessment? Getting your act together as a security services vendor is far from trivial and requires some work. I’ll write about it soon.

Anyway, back to the test proper. For the whole to be greater than the sum of its parts, something needs to happen. It is not good enough that each team member is thorough, technically excellent and organised. Information needs to be shared: a glitch in part A of the system noticed by one tester may be exploitable from part F, which is being looked at by a different tester. If each person works in isolation, this magic won't happen.

As a team member, how are you solving this problem? How are you making sure that everyone else has a clear picture of what you’ve uncovered so far so they can build upon your findings? And conversely, how are you building upon your team mates’ findings to improve the overall results of the team?

If you are the technical director or founder of a project-based organisation, are you enabling your team to collaborate efficiently? Is the way in which they collaborate formalised or is it left to each tester and team to decide? If they are not sharing the information they’ve got effectively, are your clients getting the most out of your excellent team?

VulnDB HQ: a few small productivity boosters

We have a new Dashboard for VulnDB HQ:

It presents your private repo's changes before anything else, and we've also mixed Page and Methodology entries so you get a proper view of recent changes.

Oh, and did you notice the handy links on the sidebar box? We’ve added some additional boxes here and there with links and contextual help:

Last but not least, something those of you with a few hundred entries will find really useful. We've added a super fast quick search box to the Pages module. No Ajax, no server round-trip, nothing: it just hides every entry you're not interested in:

So that’s it for now.

Even when we are not adding brand-new features, we are still figuring out which bits and pieces we could improve to make the experience a lot better. Stay tuned for updates!

And be sure to let us know your thoughts on what other improvements you’d like us to add.

The @VulndbHQ Team

Dradis Framework featured in Advanced Penetration Testing for Highly-Secure Environments

Quick post to let you know that there is extensive coverage of our project in the new Advanced Penetration Testing for Highly-Secure Environments by Lee Allen.

Coverage goes from our very own Introduction to the Dradis Framework section in Chapter 1 to several other bits and pieces throughout the rest of the book. Check it out!

Thanks to Lee and kudos to @luisfer_nandez for letting us know.

New in Dradis Pro v1.6

Today we have pushed a new version of Dradis Professional Edition. This is the result of two months of hard work. It is a shorter release cycle than usual, but there are some good reasons for it. We think it will make our users' day-to-day work significantly more efficient.

Here are some changes:

  • Improved Word 2010 reporting (more below):
    • The styles you apply in Dradis are kept when generating the report.
    • Easy note filtering and grouping in the report (e.g. list of High-impact findings).
  • New testing methodology support (more below).
  • New Client Manager to group your projects.
  • Fresh look & feel (screenshots).
  • Lots of minor updates:
    • With the new Quick Filter locating clients, projects and users is a breeze!
    • Updated VulnDB HQ plugin to support v2 of the API.
    • Updated to Rails 3.2.8

Improved Word 2010 reporting

Creating complex pentest report templates has never been easier. You just need your copy of Word and a few minutes. Of course we have extensive documentation in our support site, but here are the highlights:

Note styles

Add notes in our WYSIWYG editor and the styles will be kept in the report:

Note filters

Word is the only tool you need to create powerful templates

Get the report without breaking a sweat:

Testing methodologies

This is a game changer. Tracking progress during an engagement is always a daunting task. No matter how experienced you are, if you don't pay close attention, you might be missing something.

Enter our testing methodology support:

You can define as many methodologies as you need (e.g. webapp, wireless, code review, etc.) and you can add them to your projects. For instance, a typical webapp assessment will have a web testing methodology and maybe a web server checks methodology.

Keep track of progress and split tasks amongst team members. Using a standardized testing methodology is the best way to obtain consistent results.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your clients. Every time.
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why to give Dradis Professional Edition a try?

Upcoming in Dradis Pro v1.6: improved Word 2010 reporting

Reporting is a pain point for most security specialists. That's precisely why we are always improving Dradis Pro's reporting capabilities.

In Dradis Pro v1.5 we brought you screenshot support and the ability to use custom Word properties to define elements that have to appear multiple times in the report (like client name, project name, etc.).

We are preparing some amazing improvements for Dradis Pro v1.6. For instance, the style you apply to your Dradis Pro notes gets translated into Word. That’s right, from your browser:

To Word:

In a single click.

Ever wanted to have a section that lists just the High-impact findings? Or to split the findings in groups like infrastructure layer and application layer so they can be added to different sections in the report?

Note filtering

This one is easy enough, you just need to add some filters to your template (note the Impact|High and Impact|Low filters) and presto!

One click and:

You just need to define the Impact field (or any other field you want to filter by) in your Dradis note:

Note grouping

The magic is done via the Node| filter. Let's define two sections, one for Node|Infrastructure and one for Node|Application:

So you just need to create the right project structure and add your notes to the node they belong to:

Click export and bang!
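To make the note filtering and note grouping above concrete, here is an added example of the selection logic a template filter implies. This is illustration code written for this post, not Dradis Pro's own report engine. It assumes notes carry their fields in Dradis' "#[Field]#" syntax, that a filter such as Impact|High matches when the note's Impact field equals "High" (compared case-insensitively, my choice), and that Node|Application refers to the node in the project tree that holds the note.

```ruby
# Added example (not Dradis Pro code): how a template filter such as
# "Impact|High" or "Node|Application" selects and groups Dradis notes.
# Assumptions: fields use the "#[Field]#" syntax, values compare
# case-insensitively, and "Node|..." names the node holding the note.

FIELD_RE = /\A#\[(.+?)\]#\s*\z/

# Turn a note's text into a Hash of field name => value. Text before the
# first field marker is ignored; a field's body runs until the next marker.
def parse_fields(text)
  fields = {}
  current = nil
  text.each_line do |line|
    if (m = FIELD_RE.match(line))
      current = m[1]
      fields[current] = +""
    elsif current
      fields[current] << line
    end
  end
  fields.transform_values(&:strip)
end

Note = Struct.new(:node, :fields)

# Does this note satisfy a "Field|Value" filter?
def matches?(note, filter)
  field, value = filter.split("|", 2)
  raise ArgumentError, "filter must look like Field|Value: #{filter.inspect}" if value.nil?
  actual = field == "Node" ? note.node : note.fields[field]
  # A note that lacks the field never matches (nil.to_s == "").
  actual.to_s.casecmp?(value)
end

# Titles of the notes a filter section would contain, in note order.
def select_titles(notes, filter)
  notes.select { |n| matches?(n, filter) }.map { |n| n.fields["Title"] }
end

# Titles grouped by a field's value (or by node for "Node"), e.g. to emit
# one report section per impact level. Notes lacking the field land under nil.
def group_titles(notes, field)
  notes.group_by { |n| field == "Node" ? n.node : n.fields[field] }
       .transform_values { |ns| ns.map { |n| n.fields["Title"] } }
end

# Constructed sample project: two nodes, five notes, one with no Impact field.
SAMPLE_NOTES = [
  ["Application",    "#[Title]#\nLDAP injection in login form\n\n#[Impact]#\nHigh\n\n#[Description]#\nThe login form builds an LDAP filter from the username without escaping.\n"],
  ["Application",    "#[Title]#\nReflected cross-site scripting\n\n#[Impact]#\nMedium\n"],
  ["Infrastructure", "#[Title]#\nWeak SSL cipher suites\n\n#[Impact]#\nlow\n"],
  ["Infrastructure", "#[Title]#\nAxis2 testing servlet exposed\n\n#[Impact]#\nHigh\n"],
  ["Infrastructure", "#[Title]#\nServer banner disclosure\n"],
].map { |node, text| Note.new(node, parse_fields(text)) }

if __FILE__ == $PROGRAM_NAME
  puts "Impact|High: #{select_titles(SAMPLE_NOTES, 'Impact|High').inspect}"
  puts "By node:     #{group_titles(SAMPLE_NOTES, 'Node').inspect}"
end
```

The practical check this gives you: a finding whose Impact field is missing or misspelt silently drops out of every Impact| section, so grouping by the field and looking at the nil bucket before exporting is a cheap way to catch notes that would otherwise never reach the report.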

Now start thinking about what you’re going to do with all the reporting time this is going to save you!

Still not a Dradis Pro user?

No problem! You can join dozens of organizations already benefiting from a more consistent approach to security testing.

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your customers
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why should you give Dradis Professional Edition a try?

Create a report in minutes with Dradis Pro and VulnDB HQ

How long did it take you to create your last pentest report? Days? Hours? Sounds like too much effort for something that should be 80% automated!

Let's see how you can use Dradis Pro and VulnDB HQ to create a pentest report in minutes.

Tracking progress with Dradis Pro

Everybody tracks progress and makes notes while conducting an assessment. However, using Dradis Pro has a few advantages over other methods (e.g. Notepad).

First you can use testing methodologies to define the steps you need to cover and track your progress:

Of course this is useful both when you're working alone and when you're part of a team, to ensure there is no overlap.

If everyone is adding their findings to Dradis Pro’s shared repository, generating the report is one click away (keep reading!).

Adding a few findings from your VulnDB account

Say that today is your lucky day, LDAP injection on the login form! You don’t think this is in your private VulnDB HQ repository but search anyway:

Well, it was not in your private repository, but there is an LDAP injection entry in VulnDB HQ’s Public repository that you can use as a baseline. You import it.

You continue with your hack-fu and find a bunch of issues: cross-site scripting, some SQL injection, an Axis2 testing servlet, header injection and a few SSL issues. For each of these, you spend 30 seconds searching VulnDB HQ, importing the issue into your project and tweaking the particulars.

Assign everything to the AdvancedWordExport ready category, and you’re done. Fairly painless, no?

And if Dradis is not your cup of tea (?!) you could always connect your VulnDB HQ account to your own tools using our RESTful API (or the convenient vulndbhq Ruby gem).

Report template

Now, the report. We want a high-quality Word 2010 document that we can easily edit and adapt as time passes.

I won’t get into the nitty-gritty details of template building here (there is a Creating Word reports with DradisReports guide in our support site with step-by-step instructions).

We will use a fairly simple approach. I've created a template based on one of Word's default styles (Home > Styles > Change Style > Formal). Just add the headings you need and a few Content Controls. Here is what ours looks like:

It starts with a table with some information about the project (name, client, dates, team, etc.).

Then the Exec Summary with a Conclusions section (sorry, you’ll have to adjust this with your own conclusions!) and a Summary of Findings list which will contain just the Title of each finding.

Then a Technical Details section that contains issue descriptions for each of the vulnerabilities we've identified during the assessment.

Note that you only have to create the template the first time, and then reuse it for every project. The template you see above took me about 10 minutes to create.

One last thing: the properties

Yes, we could add the project specifics like the client name and dates and everything else by hand. However, chances are that your report template is a bit more complex than the one in this example and that you’ll have your client’s name in multiple places and that some of the other information will also be repeated.

Thankfully we can define document properties from within Dradis Pro (see the DradisReports: using custom document properties guide for more information):

There you go. Now we can re-export and voila, the report is complete:

  • Total reporting time: 1 click.
  • Overhead during the test for importing issues from your VulnDB HQ account: ~30 seconds each?

We rest our case.

Would you like to know more?

We recommend you start with:

Upcoming in Dradis Pro v1.6: checklists and methodologies

One of the main benefits of using Dradis Pro is that it simplifies the task of producing consistent results.

We have just introduced a new feature in our development release: support for checklists (yes, you get early access to features before they are shipped in each major release).

This is a big deal for a few reasons:

  • Never forget any steps. No loose ends. Useful even if you’re a freelancer.
  • Great for learning / bringing people up-to-speed.
  • You can create checklists for new technologies the first time around and reuse them months down the line when you need them again.

A few screenshots are in order:

And you can have a pool of checklists and use the one that best fits with each project:

And of course, status is maintained and shared with all team members working with you:

If you are already managing your testing methodologies with VulnDB HQ (What? Can I do that? Of course!), watch this space because seamless integration is around the corner.

Still not a Dradis Pro user?

No problem! You can join dozens of organizations already benefiting from a more consistent approach to security testing.

These are some of the benefits you are missing out on:

  • Less time writing reports
  • Provide a consistent experience to your customers
  • Pro is reliable, up-to-date and comes with quality support

Read more in Why should you give Dradis Professional Edition a try?

VulnDB HQ – Manage what you know

We have reached an important milestone in the development of VulnDB HQ: it is now possible to manage testing methodologies through the service.

Will this make people’s lives meaningfully better? We hope so! This is why we think it is a great idea:

  • These will be living documents, easy to use and easy to update. Forget storing a Word document in a network share never to update it again.
  • Did someone in the team find a cool resource or tool? Add it so everyone uses it from now on.
  • Some testing projects are not that common (IBM MQ review, anyone?). If you save your notes today, they will be available next time round when you need them.
  • Do you need to quickly bring up to speed someone in a new technology for a last-minute requirement? With a testing methodology to follow that’s a lot easier.

Oh, and of course, we will build up a public repository of testing methodologies and will share it with our users.

Without further ado, here are some screenshots of the methodology builder:

Excited yet? Visit us at http://vulndbhq.com/, learn more about why you should use VulnDB HQ or take a Tour of the service.

VulnDB HQ API v2

A few days ago we released v2 of the API for VulnDB HQ, our platform to manage vulnerability databases.

A lot of work has happened in the background to pave the way for a more stable and comprehensive API. From the consumer's perspective we now have a dedicated endpoint for API access (i.e. /api/), and the API version is selected via the Accept HTTP header. You can read all about it in the VulnDB HQ API v2 guide on our support site.

To make everyone's life easier we've also open-sourced a Ruby client-side library so that you can integrate VulnDB HQ with your own tools and systems. You can find it on our GitHub page:

https://github.com/securityroots/vulndbhq
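As an added illustration of the two points above (a dedicated /api/ endpoint and version selection through the Accept header), here is a minimal client written for this post. It is not the vulndbhq gem and not the service's own code: the media type string in ACCEPT_V2, the /api/pages path, the q= search parameter and the use of HTTP basic auth are all assumptions made for the example, so check the API v2 guide for the real values. The transport is injectable so the example runs offline against a constructed fake that behaves like a versioned endpoint (it answers 406 Not Acceptable when the version header is wrong).

```ruby
require "json"
require "net/http"
require "uri"

# Added example (not the vulndbhq gem): a tiny client that talks to the
# dedicated /api/ endpoint and pins the API version via the Accept header.
# ASSUMED for illustration: the media type below, the "pages" path, the
# "q" search parameter and basic auth. See the API v2 guide for real values.
class VulnDBHQClient
  ACCEPT_V2 = "application/vnd.vulndbhq; version=2".freeze # assumed value

  # transport: callable taking a Net::HTTPRequest and returning
  # [status, content_type, body]; defaults to a real HTTPS request.
  def initialize(base_url, user:, password:, transport: nil)
    @base = URI(base_url)
    @user = user
    @password = password
    @transport = transport || method(:http_get)
  end

  # Build the request exactly as the server will see it (useful for tests).
  def build_request(path_and_query)
    req = Net::HTTP::Get.new(URI.join(@base, "/api/#{path_and_query}").request_uri)
    req["Accept"] = ACCEPT_V2       # version negotiation happens here
    req.basic_auth(@user, @password)
    req
  end

  def pages
    get("pages")
  end

  def search_pages(query)
    get("pages?q=#{URI.encode_www_form_component(query)}")
  end

  private

  # Fail loudly on anything but a 200 JSON response: a 406 here means the
  # server did not accept the requested API version.
  def get(path_and_query)
    status, content_type, body = @transport.call(build_request(path_and_query))
    raise "HTTP #{status}" unless status == 200
    raise "unexpected content type #{content_type.inspect}" unless content_type.to_s.start_with?("application/json")
    JSON.parse(body)
  end

  def http_get(req)
    Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == "https") do |http|
      res = http.request(req)
      [res.code.to_i, res["Content-Type"], res.body]
    end
  end
end

# Constructed fake service standing in for VulnDB HQ so the example runs offline.
FAKE_PAGES = [{ "id" => 1, "name" => "LDAP injection" }, { "id" => 2, "name" => "Header injection" }].freeze
FAKE_TRANSPORT = lambda do |req|
  return [406, "text/plain", "Not Acceptable"] unless req["Accept"] == VulnDBHQClient::ACCEPT_V2
  return [401, "text/plain", "Unauthorized"] unless req["Authorization"].to_s.start_with?("Basic ")
  if req.path.start_with?("/api/pages?q=")
    term = URI.decode_www_form_component(req.path.split("q=", 2).last).downcase
    return [200, "application/json; charset=utf-8", JSON.generate(FAKE_PAGES.select { |p| p["name"].downcase.include?(term) })]
  end
  [200, "application/json; charset=utf-8", JSON.generate(FAKE_PAGES)]
end

if __FILE__ == $PROGRAM_NAME
  client = VulnDBHQClient.new("https://vulndbhq.com", user: "me", password: "secret", transport: FAKE_TRANSPORT)
  puts client.search_pages("ldap").inspect
end
```

Pinning the version in the Accept header rather than in the path means an old integration keeps getting the response shape it was written against; the check on the 406 status is what turns a silent mismatch into a visible failure.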

We hope you find this useful!

You gotta commit

This answer from Bill Murray really hits the mark:

Bill: You gotta commit. You’ve gotta go out there and improvise and you’ve gotta be completely unafraid to die. You’ve got to be able to take a chance to die. And you have to die lots. You have to die all the time. You’re goin’ out there with just a whisper of an idea. The fear will make you clench up. That’s the fear of dying. When you start and the first few lines don’t grab and people are going like, “What’s this? I’m not laughing and I’m not interested,” then you just put your arms out like this and open way up and that allows your stuff to go out. Otherwise it’s just stuck inside you.

Bill Murray interview in Esquire via nate

When building a product and exposing it to the world, especially if you are a small organisation like us, you have to be unafraid to die. See what works and keep improving it, see what doesn’t, remove it completely and start again.