Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Gateway Themes

One of the biggest changes in Dradis Pro v.4.0 is the move from a single HTML Gateway template to Liquid themes. Create a dynamic, info packed, theme to deliver assessment results dynamically in Gateway using Liquid. Multiple Gateway themes means each project can use a different theme that’s appropriate to the engagement. Two new Gateway themes are included with Dradis Pro v4.0 to get you started.

Liquid has a well supported and documented history for creating robust templates. This will make it easier for teams to create and support their own well organized, customized templates.

Are you currently using a customized Gateway HTML template? Reach out to our team with your existing template so we can help convert it to Liquid before you upgrade any production instances.

Downloadable Assets

In addition to reviewing the results of an assessment dynamically in Gateway, contributing users can securely download assets that have been added to their project. Deliver final reports, scope documents, and other assets directly from Gateway keeping everyone out of their inboxes and project details centralized.

Simple Team Setup

Getting started using Dradis Pro is simple. Once deployed to your environment, the super-admin for the instance is created during the first run and can quickly set up the rest of the team through this new guided walk-through.

Maximum Login Attempts

Configure the number of maximum login attempts to help prevent brute-force attacks on your Dradis instance. The default is set to 3 attempts before the account is locked. Admins can increase or decrease the number of attempts to align with their team’s policies.

Release Notes

• Projects:
  • Cleanup the New/Edit view
  • Create and remove the results portal from the Edit view
  • Dashboard: Add Default issue entry to menu when project is empty
  • If there is only one RTP, select it by default
• Setup: new initial Team and User wizard
• Teams: cleanup the New/Edit view
• Users: account gets locked after too many failed sign in attempts
• Upgraded gems: addressable, nokogiri, papertrail, puma
• Bugs fixed:
  • Better support for characters inside textile linked text
  • Display placeholder text for issue sorting dropdown when no field has been selected to remove confusion about default options that are not yet applied
  • Fix issue library entries action buttons not appearing due to caching
  • Fix revisions with “destroy” event not removed from the database after deleting a project
• Integration enhancements:
  • Acunetix:
    • Add support for Acunetix 360
    • Make Request and Response fields available at the Evidence level
  • Gateway 🍾
    • Moved project contributor assignment to Gateway management
    • Deliverable upload management
      • Your contributors can now download assets directly from your results portal!
    • Themes!
      • Gateway now supports theme management and the ability to apply different themes to different projects
  • IssueLib entries#index API now supports pagination
  • Nessus:
    • Add age_of_vuln, exploit_code_maturity, threat_intensity_last_28 threat_recency, and threat_sources_last_28 as available Issue fields
  • Nexpose:
    • Update HTML tag cleanup
  • Nipper:
    • Include multiple paragraphs when importing fields.
  • Remediation Tracker
    • Use Datatables for the Tickets#index table
• Reporting enhancements:
  • Word:
    • Add support for template syntax within resources exported in Word reports
    • Fix exporting node labels with links
• REST/JSON API enhancements:
  • Update the API to handle pagination
• Security Fixes:
  • Medium: Authenticated (contributor) information disclosure
    • After a contributor was assigned Gateway access to a project by an admin user they may retain access to the project after the projects team has been changed.

Not using Dradis Pro?

• Automated reports, generate the same reports your clients know and love in a fraction of the time.
• Combine the output from 19+ different tools (including Qualys, Metasploit, Burp…) into a single report.
• Deliver consistent results. Never forget any steps, always know what has been covered and what is still ahead.
• Everyone on the same page: all information available across the team.
• Dradis Pro is reliable, with over 10 years of history, and has a top-notch dedicated support team.

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

JIRA Sync

Details added to JIRA tickets will now sync back to Dradis Issues and Remediation Tracker tickets making it easier to keep all of the project details together to speed up remediation tasks.

Ruby 2.7.2 and Rails 6.1.1

Sometimes we have to roll up our sleeves and take care of the less flashy bits of development. In this version, it was due time to update Ruby, Rails, and a handful of other gems. There won’t be a noticeable difference on your side but this sets up the team to make future improvements.

Improved Caching

When the projects listing or Issue Library contained thousands of entries, it became slow to load and in some cases wouldn’t load at all. This update improves caching to make it much faster to load those long lists.

Release Notes

• Upgraded DradisPro to run on Ruby 2.7.2 and Rails 6.1.1
• Add view hooks for the export view
• Increase secondary sidebar width for medium viewports
• Projects page: Add caching to speed up slow loading when thousands of projects are present
• Upgraded gems: bundler, papertrail, rails
• Bugs fixed:
  • Correct position of sticky editor toolbar in fullscreen source view
• Integration enhancements:
  • Integrate JIRA ticket/status details into Remediation Tracker
  • IssueLib: Add caching to speed up the issuelib table when thousands of entries are present
  • Add remote JIRA Comments to Issues#show and Tickets#show
• Security Fixes:
  • Medium: Authenticated (admin) persistent cross-site scripting in Business Intelligence Custom Properties search

Not using Dradis Pro on your team?

• Automated reports, generate the same reports your clients know and love in a fraction of the time.
• Combine the output from 19+ different tools (including Qualys, Metasploit, Burp…) into a single report.
• Deliver consistent results. Never forget any steps, always know what has been covered and what is still ahead.
• Everyone on the same page: all information available across the team.
• Dradis Pro is reliable, with over 10 years of history, and has a top-notch dedicated support team.

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

User on, User off

Users can be toggled between disabled and re-enabled. Disabled users cannot access the app, aren’t available to mention in comments, and will not receive notifications. Content from disabled users won’t be deleted and they will need to be re-enabled before modifying any permissions.

Word Report Export Tune-Up

Bunches of things happen under the hood in Dradis when you are kicked back waiting for the magic to happen to generate a Word report. Some of those inner workings got a tune-up to get Dradis in a better position for future improvements in this version. Imagine how excited we were when we saw some small performance gains as a byproduct of this refactor!

Fancy Output Logs

Export log files are not only fancier looking, but the updated formatting makes them much easier to review. Indents indicate nested items and coloured lines of text are a snap to scan to keep an eye out for any problems and when items finish successfully.

Change Project Owner

“Change is inevitable” and now, you can change project owners in Dradis. Project owners can be updated in both the web app on the “People on the Project” and through a new API endpoint.

Release Notes

• Disabled users enhancement
  • Allow admins to disable and re-enable users and contributors
  • Removed disabled users from comment mentions list
  • Stop disabled users from receiving notifications
• Main sidebar improvements:
  • Labels added under icons
  • Removed animations and transitions while expanding and collapsing
• Migrate bootstrap to v4
• Navbar dropdown menu’s are no longer locked to the right side of the browser
• New item menu in sidebar: isolate Default entry (from template) with a divider
• Update logo assets
• Project owners can now be updated
• Bugs fixed:
  • Christmas easter egg Santa hat blocking clicks on input element plugins
  • Rules Engine: make sure tag auto-complete works on page render
• New integrations:
  • dradis-nipper
• Integration enhancements:
  • Allow viewable image attachments for Gateway contributors
  • IssueLib: ability to seed with the starter set
• Reporting enhancements:
  • Performance:
    • Re-work Word export processing top to bottom
    • Faster hyperlink processing
    • Faster numbering processing
    • Faster screenshot processing
  • Remove unused nested content controls from all resource types (issues, content blocks, evidence etc.)
  • Introducing the new and improved servicesEntries and ServicesTable content controls with full support for filtering and sorting
    • When nested inside a Node control you can get direct access to Services attributes with a servicesEntries control, and child attribute controls eg. Protocol, State, Port, etc.
    • The existing services control that produces pre-formatted table-based data can now be labeled ServicesTable in your template
  • Enhance report export log in both the CLI, and Web Console
    • Indented log lines to enhance readability and make it simple to follow nested processing. ex. Evidence within a Node.
    • Colors! Make use of colours to show
      • Green: when processing is successful
      • Yellow: when filters filter out all resources
      • Red: when something bad happens like a control has no placeholder
• REST/JSON API enhancements:
  • Add new endpoint to update project owner

• Automated reports, generate the same reports your clients know and love in a fraction of the time.
• Combine the output from 19+ different tools (including Qualys, Metasploit, Burp…) into a single report.
• Deliver consistent results. Never forget any steps, always know what has been covered and what is still ahead.
• Everyone on the same page: all information available across the team.
• Dradis Pro is reliable, with over 10 years of history, and has a top-notch dedicated support team.

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

MS Word Filters – OR, NOT

Filtering content using OR and NOT hasn’t been possible until now! Now you can add OR and NOT operators to create a dizzying amount of control for your report output. As always, you can string together multiple filters to get the results you want to populate your report.

Imagine That!

We’ve added the ability to upload an image anywhere the editing toolbar appears. Dragging and dropping into the editing area works too, saving you a few steps to add images in your project to show evidence, support your statement, or even add a meme to your comment.

Even More Validation

Validating your project before generating it has long been available as a good step to preventing some of the most common report errors. Now, view additional validation in summary views and a panel to help avoid those errors as you are working with report content to catch problems early.

For an at-a-glance way to see what needs a bit more work, the issues and evidence tables include a column showing if that item contains the correct information.

Issues, evidence, and content blocks now have a validation panel that will highlight problems as you work.

Release Notes

• Add a validation panel for Issues, Evidence, and Content Blocks
• Add a validation column for Issues and Evidence table
• Auto upload attachments and screenshots without requiring the use of the staging area
• Cards, Evidence, Issues, and Notes now have their own attachment support
• Displays a notification badge in the browser tab when there are unread notifications
• Editor: Allow drag & drop, copy & paste, and direct image uploading
• Increase the node properties column size by changing it to LONGTEXT
• Layout: Breadcrumbs have a fixed position
• Upload Manager: better validation
• Bugs fixed:
  • Live filtering of templates (methodologies, notes & projects) via sidebar
  • Use absolute send times in notification emails instead of relative
• Reporting enhancements:
  • Excel: Fix report generation exceeding the maximum cell limit
  • Word: Add NOT and OR operation for filtering content control
  • Word: Allow non-English localization documents to be exported

• Automated reports, generate the same reports your clients know and love in a fraction of the time.
• Combine the output from 19+ different tools (including Qualys, Metasploit, Burp…) into a single report.
• Deliver consistent results. Never forget any steps, always know what has been covered and what is still ahead.
• Everyone on the same page: all information available across the team.
• Dradis Pro is reliable, with over 10 years of history, and has a top-notch dedicated support team.

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Formatting Toolbar

Formatting text is even easier now with the editor toolbar. The toolbar makes it simple to enter and format text in an issue, evidence, notes, comments, and methodologies without needing to use Textile markup. The live preview updates with your formatting changes as you work.

Form Editor

Manually create issues and evidence using the form view, rather than using Textile field names and details. Name the form field and add in details for each item and the live preview updates as you work on the side.

If your project has a predefined template, using that template will create those form fields ready to populate.

Prefer to work with Textile? The source view is still available so you have the best of both worlds.

Dots Menu

In order to make the most of the available screen space, some item options – including edit, delete, and subscribe – have been moved to a single “dots” menu. The dots menu is located to the top right of the item and includes the actions available for that item.

Methodology Improvements

Cards in methodologies no longer require a due date. This is helpful for cards that are templates or hold information that doesn’t need to be locked to a specific date.

If a card has moved from one list to another, the original card link will redirect you to the card at its current location. Previously the link to the card would be broken, leaving you to hunt around until you found it (or didn’t and gave up looking).

Making it easier to find the board you are looking for, you can click on a methodology in the project dashboard or the board name in the activity feed to go to that board.

Release Notes

• Add author to evidence and notes views
• Add dynamic columns, sorting and filtering to Projects list
• Add team name link to project navbar
• Adjust Uploads layout to provide more visibility to the output console
• Allow renaming and deleting boards through their dots menu
• Avoid browser pre-populating password fields when editing users
• Card improvements:
  • Not require a mandatory due date
  • Redirect to new url if the card has changed lists
  • Show board name and link in the Activity Feed
• Card, Evidence, Issue, and Note form data will not be lost even if the form is not saved
  • Clear the form when the “Cancel” link is clicked
  • Remove prompt to restore data and instead persist and restore any changes seamlessly
• Comments
  • Add Textile markup
  • Not lose changes even if the comment is not saved
  • Update comments feed to show author’s name instead of email
• Display note and evidence titles in breadcrumbs
• Display the Dots-menu in all views
• Editor improvements:
  • Formatting toolbar to help with markup
  • New form-view to edit each field individually
  • Side-by-side editor preview that auto-updates
• Generate consistent URLs in emails
• Increase the size of output console
• Let Admins be added or removed after a project is created
• Link to Methodology from project summary chart
• Move resource action links to dots-menu in breadcrumbs
• Persist the state of the navigation sidebar in projects while navigating across different views
• Remove tag color from issue titles in issue summary
• Update code element style
• Use shared noscript partial
• Use user model reference for activities instead of user email
• Upgraded gems: puma, rack, rails, sass-rails
• Bugs fixed:
  • Allow Authors to set project permissions on project creation again
  • Fix Board partial broken structure
  • Fix ItemsTable extra whitespace causing unnecessary vertical scrolling
  • Fix Long items_table dropdown menus not scrollable
  • Fix Long project names interfering with search bar expansion
  • Fix breadcrumbs in cards under node boards
  • Fix textile preview not showing on issues with very long text
  • Prevent repetitive prompt when images are pasted after navigating multiple views.
  • Prevent report ‘Download’ button becoming a disabled ‘Processing…’ button once clicked
  • Render Textile preview of issues with very long text
  • Render avatars in the activity feed
  • Set :author when creating Evidence from an Issue
  • Show active state of Sidebar items properly
  • Bug tracker items: #560, #634
• Integration enhancements:
  • Issue Library: sortable columns
  • Nexpose: better cipher wrapping coverage
  • Nikto: support new nested format
• Reporting enhancements:
  • Custom Properties are now updated on document open
  • HTML reports now use main app’s markup rendering
• Security Fixes:
  • Medium: Authenticated persistent comments cross-site scripting
  • Low: Authenticated (admin) persistent methodology template cross-site scripting

Not using Dradis Pro on your team?

• Automated reports, generate the same reports your clients know and love in a fraction of the time.
• Combine the output from 19+ different tools (including Qualys, Metasploit, Burp…) into a single report.
• Deliver consistent results. Never forget any steps, always know what has been covered and what is still ahead.
• Everyone on the same page: all information available across the team.
• Dradis Pro is reliable, with over 10 years of history, and has a top-notch dedicated support team.