Case Study: Build or Buy?

Why one team decided to use Dradis Pro instead of building an in-house reporting tool

Who is this anonymous team?

We interviewed the security team at a mid-size information security company in Canada that primarily works with small to medium businesses offering a wide range of security services.

The security team was happy to give us an interview and discuss their experiences building their own reporting tool and using Dradis Pro, but their management was not comfortable being directly named in this case study.

Anon, Dradis Professional Edition User:

“The thing that made Dradis almost a no brainer for me is that if it saves me five hours a year, it's worth it. That's the bar that Dradis needed to hit. You need to save me five hours of work per year and it's paid for itself.”

The Problems

This team had the typical reporting workflow. They would run scanning tools to find vulnerabilities, replace many of the scanners' default vulnerability descriptions with their own custom descriptions, and then type out a Word report that combined the tool output with manual findings.

They had two major problems with this process. It was distracting them from what they were really good at (i.e. testing) and it was creating a potential security risk.

Inefficiencies decrease strength

This team's old reporting process made them feel that they weren't focusing on their strengths.

I don't want myself or anybody else who I'd hire to be wasting time copying and pasting findings from reports. I want whatever makes them unique and special, I want them to be able to spend their time on that.

Instead of spending their time creating reports, this team wanted to be able to focus their time on the things that they were really good at.

If you excel at digging into vulnerabilities, if you excel at penetration testing, go do that. Do that and remove the tedious reporting that is relatively useless from a "let's get it onto paper" standpoint and takes far too much time.

A hidden security risk

Their old reporting process was opening up the company to a potential major security risk.

A member of their team described their experience in the industry:

At every job I've been to, consultants have hoarded reports:

"I really liked the recommendation I gave here."

"I really like the thing I did with this."

That makes you a giant target. As a security testing company, if you keep all your old reports and that's your IssueLibrary because you need to look up all this reusable data in this, your box gets popped and that gets out, you've given people a blueprint into the organization.

By collecting and reusing old reports, they risked exposing sensitive data, and they risked accidentally including data from one client in the next client's report!

They decided it was time to move on from the old way of reporting and create an automated reporting tool.

Their main requirement was that the tool be able to take tool input (e.g. a Nessus scan) and output a Word report that used their custom finding descriptions. Sounds easy, right?

Solution #1: Let's build a reporting tool

The team charged ahead and started building an automated reporting tool. At first, it was all going so smoothly!

I said, "This can't be that hard," and sure enough, there's a Python library. With a bit of Jinja and some terrible code, you can get halfway there. You can take a Qualys Scanner, a Nessus Scanner, whatever, and dump all the findings onto a report.

Remember, they didn't want to just dump scanner data into a Word document, they wanted to make sure that they could report in a meaningful way. That meant replacing default descriptions with their own descriptions, displaying Evidence for hosts in an easy-to-understand way, and more.

So, at this point, they had all the tool output in the Word document. Halfway there, right?

Then, you reach the other half which is actually like, 90% of the work where it's like:

"Okay, how do I nicely display evidence for all my hosts?"

"How do I do a custom finding description lookup?"

You're going down this rabbit hole and at some point, I'm like, "Well, how long is this going to take?"

It's fun to do this, but what do I want to be spending my time doing?

What does [Company] want me spending my time doing? Do they want to fund my development of this tool or do they want me to be testing and making them money? It's a fairly obvious answer there.

Enter Dradis Pro

Dradis Professional Edition is software aimed at improving InfoSec reporting and collaboration. Dradis provides a centralized, standardized platform for creating reports and keeping issue descriptions up-to-date. Its features include:

  • IssueLib: a library of reusable issue descriptions that can automatically replace tool findings (Nessus, Qualys, etc.).
  • Custom reports with your own branding and styles.
  • Easy presentation/export of results to Word, CSV/Excel, XML, and HTML.

Dradis wasn't the only tool that they considered, but it was the one that they decided to invest in.


The Results
The hidden costs of troubleshooting

Having a dedicated support team in their corner has brought significant benefits that they didn't anticipate when they first started building an in-house reporting solution.

The hidden cost of troubleshooting your own solution is that when it breaks, it's me. It's me, and if I don't know the solution, then the project doesn't get delivered or I have to resort to manual reporting.

With the Dradis support team on their side, they can save hours and hours of troubleshooting time by just reaching out with a quick question.

If I'm in the middle of a report and I have a problem right now, I can be like,

"Hey Team. This is super strange."

"Yes, yes, crazy triangles."

and it saves me twelve hours of Googling around and staring at my computer.

If you run into an error message, the Dradis support team has probably seen it before! We take your feedback very seriously and are proud that our users are happy with their interactions with the support team.
Improved Security with the IssueLibrary

As mentioned before, this team was very concerned about the security implications of holding on to old customer reports.

The IssueLibrary allows us to take all of the useful, reusable stuff out of those old reports, but delete the client data when we're done.

There's no reason to maintain, to retain customer data anymore, which is a huge benefit in my opinion because a security testing company, if you lose all the security assessments, you're done.

Instead, they're loving the Dradis IssueLibrary, which allows them to reuse the best vulnerability descriptions without risking exposure of sensitive client data. And, the IssueLibrary allows them to perform automatic replacement (e.g. when this Nessus finding comes in, replace it with this IssueLibrary entry).

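The workflow the team describes, both when they tried to build it themselves (take scanner output, look up a custom finding description, show evidence per host) and as the IssueLibrary replacement above, reduces to a small amount of Python. The script below is an added example written for this page; it is not the team's in-house tool and it is not Dradis code. The Nessus-style XML, the hosts, the plugin IDs (900001, 900002) and the library entries are all constructed for the example. The security point from the case study is built in: the library is keyed on the scanner's plugin ID and holds only the reusable write-up, so client hosts and evidence never need to be retained alongside it.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a Nessus v2 (.nessus) export. The hosts,
# plugin IDs and text are made up for this example.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" protocol="tcp" svc_name="https" severity="2"
                  pluginID="900001" pluginName="TLS 1.0 enabled">
        <description>Scanner default description for TLS 1.0.</description>
        <plugin_output>TLSv1.0 is enabled on this port.</plugin_output>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="1"
                  pluginID="900002" pluginName="SSH weak MAC algorithms">
        <description>Scanner default description for SSH MACs.</description>
        <plugin_output>hmac-md5</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="443" protocol="tcp" svc_name="https" severity="2"
                  pluginID="900001" pluginName="TLS 1.0 enabled">
        <description>Scanner default description for TLS 1.0.</description>
        <plugin_output>TLSv1.0 is enabled on this port.</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed issue library, keyed by scanner plugin ID. It holds only the
# reusable write-up: no client names, hosts or evidence live here.
ISSUE_LIBRARY = {
    "900001": {
        "title": "Deprecated TLS protocol version supported",
        "description": "The service accepts TLS 1.0, which has known weaknesses.",
        "recommendation": "Disable TLS 1.0/1.1 and offer TLS 1.2 or later only.",
    },
}


def parse_nessus(xml_text):
    """Flatten a .nessus document into one dict per (host, ReportItem)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "description": (item.findtext("description") or "").strip(),
                "evidence": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def build_issues(findings, library):
    """Group findings by plugin ID, swap in library write-ups where one exists,
    and collect the scanner's evidence per affected host."""
    issues = {}
    for f in findings:
        issue = issues.setdefault(f["plugin_id"], {
            "title": f["plugin_name"],          # scanner defaults, used only
            "description": f["description"],    # when the library has no entry
            "recommendation": "",
            "severity": f["severity"],
            "from_library": False,
            "evidence": defaultdict(list),
        })
        entry = library.get(f["plugin_id"])
        if entry:
            issue.update(title=entry["title"], description=entry["description"],
                         recommendation=entry["recommendation"], from_library=True)
        issue["evidence"][f["host"]].append(f'{f["port"]}: {f["evidence"]}')
    return issues


def render_report(issues):
    """Plain-text report, highest severity first, evidence listed under each host.
    Findings with no library entry are flagged so the tester writes one once."""
    lines = []
    for _pid, issue in sorted(issues.items(), key=lambda kv: -kv[1]["severity"]):
        tag = "" if issue["from_library"] else " [NEEDS LIBRARY ENTRY]"
        lines.append(f'## {issue["title"]}{tag}')
        lines.append(issue["description"])
        if issue["recommendation"]:
            lines.append("Recommendation: " + issue["recommendation"])
        lines.append("Affected hosts:")
        for host, items in sorted(issue["evidence"].items()):
            lines.append(f"- {host}")
            lines.extend(f"    - {e}" for e in items)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_issues(parse_nessus(SAMPLE_NESSUS), ISSUE_LIBRARY)))
```

The text output stands in for the Word rendering the team wanted; feeding the same issue dicts into a document template is the remaining step. The "[NEEDS LIBRARY ENTRY]" flag is the half the team found to be most of the work: every scanner plugin that appears without a library entry is surfaced once, written up once, and then replaced automatically on every future scan.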
Looking to the future

Dradis allows this team to maintain their best work while expanding their team.

If I go through and I write the absolute best cross-site scripting finding I've ever written, great. We put it in one place and we never have to worry about it again.

Gone are the days of hoarding reports and digging through to find "that one really good description". Instead, the best work is not just saved, it's automatically used in the future!

As the company looks to expand the security team in the future, they see Dradis as a valuable asset.

It's hugely worth it just for a one man army. With multiple, with an additional person, it just becomes ridiculously valuable.

When they add a new team member, they introduce them to Dradis, which integrates them into the team quickly and lets them focus their time on what they do best.

Will this work for me?

Do you want the same results?

  • Automate your reporting process.
  • Get the Dradis support team in your corner.
  • Spend less time reporting and more time hacking.
  • Happier team!
  • ...

Want to ask us a question about how Dradis Pro can help your project management and report creation?

Reach out to us on our Contact page or go ahead and request a demo.

Try Dradis for 30 Days

We are confident that Dradis Pro will improve your InfoSec workflow as it did for Include Security. If you try Dradis Pro for 30 days and don’t believe you’ve gotten your money’s worth, just let us know and we’ll give you your money back.

Happiness Report

This is how our users have rated their support interactions with us

(Chart: Happiness report, 2016 Q2)

We are trusted the world over

Hundreds of InfoSec teams in over 36 countries use Dradis every day

Argentina, Australia, Austria, Belgium, Canada, Chile, Denmark, Finland, France, Germany, Hong Kong, Hungary, Iceland, Ireland, Israel, Jordan, Malaysia, Mexico, Netherlands, Norway, Poland, Portugal, Qatar, United Arab Emirates, Saudi Arabia, Singapore, Slovenia, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, UK, US

We would be more than happy to put you in touch with any of our clients in your industry or country so that you can speak with them directly about their experience with our product. Send us a note at sales@securityroots.com and we’ll get back to you with the details right away.

InfoSec project delivery 5-day crash course

Learn innovative, actionable techniques and approaches for reducing the overhead that drags down InfoSec project delivery. You’ll learn how to optimize:

  • Scoping
  • Scheduling
  • Project Planning
  • Delivery
  • Intra-team Collaboration
  • Reporting and much more...
