Author Archives: Rachael Carder

New in Dradis Pro v3.8

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Per-Tool Permissions

Before Dradis Pro v3.8.0, Admins had access to everything and Authors had access to a subset of features. Now, you can give specific Author users permission to use the tools they need. And, you can give them just the level of access that they need.

Give each Author tool-specific permissions

Each Author can be given access to specific projects. And, for tools like the IssueLibrary, the Rules Engine, or premium tools like the Remediation Tracker, Authors can be given action-based permissions. Do you only want Author #1 to be able to Read IssueLibrary entries but not create, update, or destroy them? You can do that! Do you want Author #2 to have full control over the Rules Engine? You can do that too!

AffectedCount and AffectedList controls

We’ve had the Affected content control for a long time. The Affected control exports a de-duplicated list of comma-separated Nodes for a specific Issue. But, what about if you needed each de-duplicated Node on a new line or in a bullet list? Or, what if you need to count the number of affected Nodes for your Issue?

We’ve rolled out 2 new content controls: AffectedList and AffectedCount. As you can see in the before/after example below, the AffectedList will export the same data as the old Affected content control, just in a list format. And, the AffectedCount will output the number of unique Nodes that the Issue is associated with.

The AffectedList and AffectedCount content controls can be used in your Word report templates

Do you need help updating your report template to use these new content controls? Email our support team and we’d be happy to help!

Project List table

We’ve also updated the Projects page to help you find that one Project you’re looking for. Your most recent projects will appear at the top of the screen as always. But, at the bottom, there’s now a sortable and filterable table. Click the column headings to sort the table by that field. Click the 2 columns dropdown to display different fields. And, type in a keyword to filter the table and display a subset of Projects.

The Projects Page now contains a sortable and filterable table

Release Notes

  • Add all activity view
  • Give dynamic columns, sorting and filtering to project list table
  • New Per-Tool Permissions
    • Premier the new project permission panel for testers
    • Introduce permission management for Issue Library, Rules Engine, and Remediation Tracker
  • Remove inconsistent content blocks breadcrumb
  • Render markup inside table columns
  • Update top navigation link styles and collapsed menu
  • Upgraded gems: rack, sanitize, sassc
  • Bugs fixed:
    • Comments:
    • Removes the edit link while editing
    • Fixes lingering comment borders after deleting comments
    • Resolves broken OVA and DUP upgrades on VM’s running in ESXi
    • Prevent icon overlap of long headers in secondary sidebar
    • Fixes overflow of long unbroken table cell text
    • Prevent text overflow on to select areas
    • Word report generation no longer errors with extra document properties
  • Integration enhancements:
    • IssueLib: markup rendered in columns
  • Reporting enhancements:
    • Excel: add Tag column
    • Word
      • New AffectedCount content control
      • New AffectedList content control (one host per line)
      • Update exported tables to have 100% width by default

Not using Dradis Pro on your team?

Year in Review – a future Dradis feature

How many Dradis projects did you create this year? How many Issues did you find? Which were the most commonly found Issues? What was the most common severity of the Issues that you found?

Credit for this script idea goes to Marc Ligthart. His teammate reached out via the support inbox to see if we could create a quick “Year in Review” script that would list out the following:

1. Count of Projects created this year
2. Total Critical/High/Medium/Low Issues (by Tag)
3. Top 10 most found Issues (by title)
4. Top 10 most found Critical/High/Medium Issues (by title)

Dradis year in review script output example
Example output from the year in review script

You can already head over to our scripting repo and check out the Year in Review script. To use it:

1. SCP the file you your instance (e.g. to the /tmp folder)

2. Run the following in the command line as “dradispro”:
$ cd /opt/dradispro/dradispro/current/
$ RAILS_ENV=production bundle exec rails runner /tmp/year_in_review.rb

The output will list out the yearly review for all of the projects present on your Dradis instance.

Now, for the fun part? We want your feedback. If you like this idea, you’ll like version 2.0 even better. We want to include this functionality as part of the existing Business Intelligence Dashboard within Dradis. But first, we want to hear from you. What else would you like to see in a summary view like this in the BI Dashboard? What other metrics would be helpful for your team or what isn’t particularly useful about the current output? Please email our support team directly with feedback! We’re excited to continue working with you in 2020 and get you some more valuable insights into your Dradis usage along the way.

Comments, notifications, & subscriptions

Efficiently collaborate with your team using comments, notifications, and subscriptions inside of Dradis.

We heard you. There are times that you need to discuss a Dradis project with your team. Gone are the days of jumping on Slack or sending an email with a question or request for edits. Instead, leave a comment! Keep all of your Dradis talk inside Dradis.

Comments, notifications, and subscriptions are brand new in Dradis Community Edition (CE) v3.10 (and coming in the next release of Dradis Pro!).

Let’s jump straight into an example of how these new features improve team collaboration:

I’m working on Dradis CE (username rachkor) and have a question for another team member (username daniel). He wrote up a new Issue, but I think that the solution needs expanding. Instead of writing an email or finding him on chat, I scroll to the comment form at the bottom of the Issue:

Add comments to your Dradis Issues

Not only can I comment on the Issue, but I can also mention @daniel by name:

Mention other Dradis users in your comments

The next time Daniel logs in to Dradis, he’ll be greeted by a notification from me:

Get notifications from any mentions in Dradis comments

Comments are included in the Recent activity feed so that you can keep up with your team as a whole, even if you aren’t involved in a specific conversation.

When you comment on an Issue or a teammate mentions you in a comment, you’ll be automatically subscribed to that Issue. If you need to subscribe (or unsubscribe!) from notifications on a specific Issue, click the subscribe/unsubscribe button:

Subscribe or unsubscribe from comment notifications

We’re excited to unveil this new phase of collaboration within Dradis and can’t wait to hear what you think! Want to check it out? Grab the latest version of Dradis CE from GitHub with these instructions and test out the comments, notifications, and subscriptions. These new features will ship in the next release of Dradis Pro. If you’re a Pro user, stay tuned for a release notice soon!

Not using Dradis yet? Learn more about the Dradis Framework and all the time you could save.

Tales from the Other Side: we survived our first security review

In a dimly lit room with Doritos and Mountain Dew on my side, I was ready to begin the assessment and be like Hackerman. – Aaron

Recently, the Dradis team was presented with the opportunity to conduct a security review for a funded startup. Our original team comes from a background in security consulting. But, we also have team members who come from the software or support worlds. Basically, some of us (Aaron, Rachael, and Xavi) were n00bs and had never pwned anything before.

As someone who unintentionally adds holes in an application for a living (aka web developer), finding vulnerabilities in an app sounds like a fun activity that could give me a new perspective on my profession. – Aaron

Why did we decide to take on this project? We wanted to experience what you experience every day. The Dradis team doesn’t (usually) deliver security reports, we release software. We exhaustively test new releases and fix the bugs that you report to us. But, we rarely (if ever) get the chance to use Dradis in a real-world scenario. This time, we had a client, the team needed to collaborate despite time zone differences, and there was a deadline looming. Yes, we crossed over to the other side. And, we survived.

What we did:

  • Performed a security review on 3 components of a single web application
  • Drank a lot of coffee and/or mountain dew
  • Followed the WAHH methodology (with some custom checks added in)
  • Found, verified, and reported on roughly 3 dozen Issues
  • Generated a Word report that was organized by Risk Rating (based on the CVSSv3 score) and by affected component
  • Delivered the report to the client, answered their questions, then wished we could celebrate in person as a team

We learned a lot. We delivered a report to our client that we’re proud of and we covered a lot of ground in a short period of time. The technical team did a great job transitioning from their day jobs as Ruby developers and becoming pentesters for a week. Aaron summed up the learning curve perfectly, it was “like a scientist trying to do ballet for the first time.”. Everyone ran into at least a few walls. But, with some teamwork, fantastic resources, coffee, and a little Google, we got it all done. During the process of the security review, we learned about you, we learned about us, and we’re excited to apply these lessons as we continue building Dradis.


We learned a lot about you

No, not about you as a person, but we did learn a lot about our customers in the whole “walk a mile in their shoes” sense. By using Dradis to perform a real-world security review, we got insight into how we can make Dradis so much better for you in the future.

Here’s an example:

We’re a remote team. On this project, team members were collaborating between 3 different continents. Team members jumped in and worked during their own daylight hours. After about day 2 of the project, we realized that we were pasting links from the Dradis project into Slack with messages like “Hey, I don’t understand this part, can you clarify?”. Then, the author of the Issue would have to log back into Dradis, edit the content over there, and then update the Slack thread saying “I fixed it! How does that look now?”.

You know what we needed instead? The ability for all of those conversations to take place within Dradis. This wasn’t our only lightbulb moment, but it was one of the biggest. We can’t wait to roll out new features and improvements to give you the features that we were looking for!


We learned a lot about reporting (and deadlines)

Dradis is a collaboration and reporting tool. So, learning about reporting and deadlines is really the same as learning about ourselves. Some of us also learned more about our caffeine tolerance during the security review, but you want to hear about Dradis, right?

I (Rachael) spend a whole lot of time with your report templates. I’ve made friends with Microsoft Word (ok, it’s still a rocky relationship sometimes) and can break and fix just about anything you throw at me. But, I’d never experienced generating a report with Dradis while under an external deadline before. This time, I knew that there was a client waiting for me to review the findings and export the report.

We’ve always had a “we will go above and beyond for our customers” approach to support. But, the next time we get an email like “MY REPORT WAS DUE YESTERDAY AND IT’S BROKEN OH GOD PLEASE HELP ME” (not a direct quote), we can understand you even better. That extra understanding of what you’re going through was worth every hour we spent on this security review.

And it’s not just on the support side. We want to take our newfound understanding and help take away even more of the work (and stress) of the reporting process. How? By improving Dradis.

Improvements: Big and Small

We found plenty of small (and big!) improvements that we can’t wait to implement. We quickly identified a few UI tweaks. In some cases, they’re as simple as moving a button or adding different scrolling options. But, if we were internally screaming for them, we think you’ll like them too.

Some of the takeaways were bigger. For example, after going through the QA process ourselves, we feel very strongly that we need a more seamless QA process within Dradis.

Back to the other side

In the end, we all ended the security review with a deeper respect for what you all do every day. Walking the digital equivalent of a mile in your shoes left us with a list of improvements that we think will make the road a little less rocky for you next time. But, we’re ready to head back to the other side (the software development side) and leave the security reviewing to all of you again. You find the vulns, we’ll keep making Dradis better for you. Stay tuned for more Dradis improvements in the coming months!



Dradis Framework Founder’s Letter – 2017

Good Software Takes Ten Years. I didn’t know that when we started back in 2007, but I’ve come to terms with that rule since then. A lot can change in 9 years. You can go from the first commit of an internal project released as open-source to a small, independent, self-funded software team that is making a difference for 300+ teams in 34 countries around the world.

Did I have a clue about where we’d get in 9 years when I pushed that first commit? Most definitely not. Was I confident that we’d be working with 1,000s of InfoSec experts every day when I quit my security consulting job over 2 years ago to concentrate my efforts on Dradis Pro full time? Not even close. Do we have a clue about where we’re heading over the next 2 years? We have clues but most likely, we really don’t know. But that’s fine, we’re not alone in this journey. We’re bringing our entire community along with us. And most importantly, we have the freedom to choose where we’re heading.

We don’t have investors so we can keep our users front and center. Were trying to grow as slowly as possible. By focusing on the fundamentals, we’ve managed to get this far. And, we’re sticking to the same approach going forwards: do the work, keep our users happy, and care about their long term success.

A brief history of our project

Just to put things into perspective, here is what working on the same piece of software every single day for 9 years did:

  • Dec 2007: Start working on an internal tool for pentest collaboration.
  • Jan 2008: Release Dradis Framework as open-source.
  • …3,000 code commits.
  • Jul 2011: Launch a side-business offering additional functionality and official support (Dradis Professional announcement).
  • …work with 140 teams, 17 new releases, 2,967 commits.
  • Feb 2014: Make the side-business our main business.
  • …7 new releases, 782 commits.
  • Mar 2015: Welcome Rachael, our second full-time member of the team
  • …13 new releases, 2,503 commits…

The last 12 months

With the growth in the Dradis Pro side of things, we have been able to reinvest a lot of man-hours in Dradis Community Edition. It’s our way to give back to the community that helped us along the way. The code was refreshed and updated. Many of the enhancements that were created for the Pro edition were backported to CE. Plus, the documentation was rewritten, step-by-step guides were created, and screencasts were recorded. We also created and released OWASP, PTES, HIPAA and OSCP compliance packages with testing checklists, report templates and more.

Dradis Community edition GitHub repo commits in 2016

The activity in the Dradis CE repo shows how a lot of this effort was concentrated earlier in the year to sync the CE and Pro code bases (kudos to the GitLab team for the inspiration).

Our community is growing stronger than ever. We’re averaging 400 git clones each week. Plus, we have a thriving Slack channel and dozens of new threads in our community forums.

Dradis community edition is being downloaded an average of 400 times per weekWhat we are going to be focusing on over the next 12 months

Over the last 12 months, we’ve pushed 11 new releases of Dradis Pro. From performance and interface to functionality and stability, we’ve noticeably improved every single aspect of the app. The product today is in a completely different category from where it was 12 months ago. And still,  there is so much room to grow, refine, and improve!

2017 is exciting for us in many ways. We’re now working with over 300+ teams. This is a challenge, but we wouldn’t have it any other way. Plus, this the first time that we have a small team of very talented people working full time on taking care of product development and user experience.

I’m sure that the speed at which we’ll be making progress is going to feel break-neck. I can’t wait to see the things that we’re going to be able to build with you and for you and the rest our community.

To our best year ever,


New in Dradis Pro v2.5

Dradis Professional Edition is a collaboration and automated reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

Before the end of 2016, we’re excited to bring you Dradis Pro v2.5 with updates and upgrades across the product.

The highlights of Dradis Pro v2.5

  • Trash feature to restore deleted content (see below)
  • Hide expand button in Nodes tree when Node has no children
  • Add multiple Nodes at the same time (see below)
  • Automatically generated Issue template from Report Template Properties (see below)
  • Improved Project Validation error messages
  • Performance upgrades (Russian doll caching)
  • Add-on enhancements:
    • Include CVSSv3 scores in the Acunetix plugin
    • Accommodate Severity Recasting in the Nessus plugin
    • Update Nmap plugin Services table and NSE data
  • New add-ons:
    • Zed Attack Proxy (ZAP) upload
  • Word reports:
    • Filter Evidence content controls
  • Bugs fixed: #215, #256, #268, #327, #334, #336, #337, #338, #340

A quick video summary of what’s new in this release:

Trash Feature

Use the trash feature to recover your deleted content and restore. You can filter the Trash contents to find that one Issue that you need to restore. Then, add it back into your project with a single click.

Recover your deleted content with the trash feature in Dradis Pro v2.5


Multi-add Nodes

No more adding one Node at a time. Now you can use the new “Add multiple” option when you’re creating Nodes. Just paste in a list of Nodes to create all of them at the same time.

Add more than one Node at a time in Dradis Pro v2.5

Issue template from Report Template Properties

You’re already using the Report Template Properties for automatic validation, right? We’ve extended the Issue fields even further to help make your life easier. First, define the Issue fields in your Report Template Properties:

Use your report template properties to automatically generate an Issue template in Dradis Pro v2.5

Then, when you manually create an Issue, you’ll notice a new option in the dropdown. Select Default for template and Dradis will automatically pull in the Issue fields from your Report Template Properties to create your Issue template.

Select Default for template to automatically create an Issue template from your report template properties in Dradis v2.5

If you specified values for your text field, they’ll even appear in a list so that you can be sure that your Issue has the fields and values that your report template is looking for.

Your Issue template is automatically created from your report template's Issue Fields in Dradis Pro v2.5
Ready to upgrade to v2.5?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.