Dradis Pro is sponsoring BSides London 2014

Dradis Professional is sponsoring the next edition of the B-Sides London security conference:

http://www.securitybsides.org.uk/

B-Sides London 2014 will be held at the Kensington and Chelsea Town Hall on April 28, 2014 in London, UK.

We’ve put together a page for the event and are raffling a Dradis Pro license; read more at:

http://securityroots.com/dradispro/events/bsideslondon2014.html

Are you planning to attend or want to get in touch? Contact us or ping us on Twitter: @dradispro

New in Dradis Pro v1.10

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.10.

March 2014 has been a great month: first we took part in Corelan Team’s 5th Anniversary party then we attended the first edition of the Rooted Warfare event and now we have a fresh release ready for you (yes, yes, technically we’re not in March any more, but it’s close enough!).

It’s been only 3 months since our last release, but this one is full of action:

  • A more useful Project Summary view (see below).
  • Tag issues and group them by tag.
  • New Project Template manager.
  • Performance improvements to several plugins (Nmap, Word, etc.)
  • Improvements to the management console (see below).
  • Several improvements on the UTF-8 and i18n front.
  • And of course bug fixes, lots of bug fixes
    (#43, #44, #64, #65, #72, #75, #77, #78, #85,… full list)

Let’s take a closer look at some of the most significant enhancements…

Interface improvements

This is what the new Project Summary page looks like:

A screenshot showing the new Project Summary view. Includes an issue chart and a methodology progress meter

All in all, the new Project Summary gives you a nice big picture overview of what is going on with the project. This is great for team leaders and technical directors wanting to keep an eye on the projects across the board. And if the client asks for an update, you’ll have all the information you need in a single screen. Nice and easy.

Let’s delve into the key components of this new summary view.

Finding tagging

First of all, it is now possible to group and tag your findings. You can define your own categories and colors or you can use the default ones, up to you.

When it comes to actually assigning the tags, a nice drag-and-drop interface makes it a very straightforward and intuitive process:

A screenshot showing the interface that allows you to drag issues and drop them into the right category

Track methodology progress

Testing methodology support was introduced some time ago. However, in this release we’re making it a lot easier to keep track of how much progress you and your team have made.

A screenshot showing the new graph that keeps track of your progress in the methodologies of the project.

You can of course create your own testing methodologies. But remember that to help you get started there are quite a few already available in the Resources section of our Users Portal:

https://portal.securityroots.com/resources

Management console improvements

We have some good news on the Dradis CIC as well.

There are a few services ticking along in the background to make sure you have a great Dradis Pro experience. Every once in a while, however, you may want to restart some of these services (e.g. you developed a new custom plugin, you made a change to your MySQL config, etc.). Before, you had to roll up your sleeves and prepare for some good old console goodness. Not any more! From now on, it is possible to check the status of the different services and restart them from the web interface itself:

A screenshot of Dradis' Admin Console showing an interface that lets you re-start the different services the app depends on.

How to upgrade to Dradis Pro v1.10

Just head over to the release page and follow the instructions:

https://portal.securityroots.com/releases/1.10.0

Still not a Dradis user?

These are some of the benefits you will get:

Read more about Dradis Pro’s time-saving features.

Happy 5th Birthday to Corelan Team from Dradis Pro

Corelan Team’s logo & Dradis Professional Edition logo

Today is the 5th anniversary of the amazing Corelan Team. Through their blog, their articles, their tools and their forums they have done more than almost any other community to spread and enhance the knowledge of the security community at large.

We’ve prepared a few anniversary presents for the team and their community. To find out more, please head on over to the official blog post at:

Keep up the good work guys, everyone is looking forward to what the next 5 years will bring!

Protecting your Rails application with fail2ban

This article describes how to connect Rails to fail2ban to detect simple attacks that cause exceptions in your application.

The less sophisticated attacks

One characteristic of the more naive attacks is that they usually start with a bulk scan of your server. These less sophisticated attackers don’t bother fine-tuning their scanners either, which results in lots of odd requests hitting your Rails app (e.g. for .aspx or .jsp pages). One of the very first things you do when putting an app out there is to set up some sort of exception notification plugin that reports application-level errors to either a central console or via email.

Around 02:00am on the 1st of January (a great way to start the new year) one of our servers was targeted. Nothing was broken, but thousands of exception notifications were received, which is both time consuming and unnecessary. We could have detected the request flood and prevented further attempts, but we didn’t have the infrastructure in place. Today I decided to do something about it.

Fail2ban, exception_notification and Rails

I regularly use fail2ban to detect HTTP 404 floods and protect the SSH service, but up until now I had never linked it with an application-layer detection mechanism.

exception_notification is a nifty gem that you can use to create a chain of “notifiers” that will send exception notifications to different services.

I created a simple notifier that takes each exception and writes a one-line summary of it to a new log file that fail2ban can easily parse. The meat of the code is below:

[warning, safest to use this gist for copy/pasting]


require 'logger'

module ExceptionNotifier
  # Custom notifier. Registering it as :fail2ban in the middleware options makes the
  # gem look up ExceptionNotifier::Fail2banNotifier, so the class must carry this name.
  class Fail2banNotifier
    def initialize(options = {})
      # Ruby's Logger default formatter prefixes each line with a timestamp,
      # which fail2ban needs in order to apply findtime/maxretry.
      @logger = Logger.new(Rails.root.join('log', 'fail2ban.log'))
    end

    def call(exception, options = {})
      env = options[:env]
      request = ActionDispatch::Request.new(env)

      # {ip} : {exception class} : {method} {path} -- {params}
      msg = "%s : %s : %s %s -- %s" % [
        request.remote_ip,
        exception.class,
        request.request_method,
        env["PATH_INFO"],
        request.filtered_parameters.inspect
      ]
      @logger.error(msg)
    end
  end
end

This defines the fail2ban jail (add to /etc/fail2ban/jail.local):


# Custom Rails app jail. Add to /etc/fail2ban/jail.local
[rails-app]
enabled = true
port = http,https
filter = rails-app
logpath = /path/to/app/log/fail2ban.log
bantime = 3600
findtime = 600
maxretry = 10

And this defines the filter (add to /etc/fail2ban/filter.d/rails-app.conf):


# Custom Rails app filter. Place in /etc/fail2ban/filter.d/rails-app.conf
[Definition]
# One notifier line looks like: {ip} : {exception class} : {method} {path} -- {params}
# <HOST> is fail2ban's placeholder for the offending address; requiring a non-empty
# class name after it means only lines written by the notifier match.
failregex = <HOST> : \S+ :
ignoreregex =

Finally, configure the new notifier in your config/environments/production.rb file:


config.middleware.use ExceptionNotification::Rack,
  :email => { ... },
  :fail2ban => {}

I’ve already submitted a pull request for this, so hopefully the next release of the gem will have the fail2ban notifier by default.
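To see what the rails-app jail actually does with those log lines, here is an added example in Ruby (not code from the original post or from the exception_notification gem): it parses the notifier's log format and applies the jail's findtime/maxretry window to a constructed sample log. The sample addresses, the Ruby Logger prefix format and the line layout are assumptions.

```ruby
require 'time'

# Added example (not from the original post or the exception_notification gem):
# an offline simulation of how the rails-app jail reacts to the notifier's lines.
# Each line is "{ip} : {exception class} : {method} {path} -- {params}" as written
# through Ruby's Logger, whose default formatter adds the timestamp fail2ban relies on.

# Equivalent of the failregex: the source address followed by " : <exception class> : ".
# The leading part matches Ruby Logger's "E, [<ISO8601 time> #<pid>] ERROR -- : " prefix.
LINE_RE = /\[(?<time>\S+) #\d+\] ERROR -- : (?<host>\S+) : (?<klass>\S+) : (?<method>\S+) (?<path>\S+) -- (?<params>.*)$/

# Returns a hash describing one notifier line, or nil for lines the filter should ignore.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  {
    time:   Time.iso8601(m[:time]),
    host:   m[:host],
    klass:  m[:klass],
    method: m[:method],
    path:   m[:path],
    params: m[:params]
  }
end

# Sliding-window ban decision with the jail's semantics: a host is banned once it has
# produced at least maxretry matching lines within a findtime-second window.
# Returns the banned hosts in the order they crossed the threshold.
def hosts_to_ban(lines, findtime: 600, maxretry: 10)
  recent = Hash.new { |h, k| h[k] = [] }   # host => timestamps of recent matches
  banned = []
  lines.each do |line|
    ev = parse_line(line)
    next if ev.nil? || banned.include?(ev[:host])   # ignored line, or host already banned
    window = recent[ev[:host]]
    window << ev[:time]
    window.shift while window.first < ev[:time] - findtime   # forget matches older than findtime
    banned << ev[:host] if window.size >= maxretry
  end
  banned
end

# Constructed sample log (not real traffic): a naive scanner probing for .aspx pages every
# ten seconds, a legitimate user who triggers two errors an hour apart, and an INFO line
# that the filter must not match.
def sample_log
  fmt = ->(t) { t.strftime("%Y-%m-%dT%H:%M:%S.%6N") }
  base = Time.iso8601("2014-01-01T02:00:00")
  lines = Array.new(12) { |i|
    "E, [#{fmt.call(base + i * 10)} #4242] ERROR -- : 203.0.113.7 : ActionController::RoutingError : GET /admin#{i}.aspx -- {}"
  }
  lines << "E, [#{fmt.call(base + 300)} #4242] ERROR -- : 198.51.100.20 : ActiveRecord::RecordNotFound : GET /issues/999 -- {\"id\"=>\"999\"}"
  lines << "E, [#{fmt.call(base + 3900)} #4242] ERROR -- : 198.51.100.20 : ActiveRecord::RecordNotFound : GET /issues/998 -- {\"id\"=>\"998\"}"
  lines << "I, [#{fmt.call(base + 360)} #4242]  INFO -- : unrelated log line"
end

if __FILE__ == $0
  puts "Would ban: #{hosts_to_ban(sample_log).join(', ')}"
end
```

With the jail's defaults (maxretry 10 within findtime 600) only the scanner is banned; the legitimate user's two errors fall outside the window.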

References

exception_notification Custom notifiers
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

New in Dradis Pro v1.9

Today we’re happy to announce a new release of Dradis Professional Edition: Dradis Pro v1.9. Start thinking about what you are going to do in 2014 with all the report-writing hours that Dradis will save you from spending :)

This release brings new features and improvements at almost every level:

  • Redesigned interface (see below).
  • New management console and upgrade process (see below).
  • A faster, more reliable stack (see below).
  • Enhancements to reporting engine:
    - Custom Word tables (read more)
    - Mix Issues as Notes throughout the template
  • Drag’n’drop report template manager (read more).
  • Add methodologies and checklists to your project templates.
  • And of course bug fixes, lots of bug fixes (#7, #22, #26, #33, #34, #46, #47, #51, #59,… )

Let’s take a closer look at some of the most significant enhancements…

New interface

Throughout 2013 Dradis Pro has been used by dozens of organizations around the world to manage hundreds of security engagements. Each project is a complex mix of tasks: writing up a vulnerability, processing the output of a tool, uploading a screenshot, etc. We have redesigned the Dradis interface to declutter your project workspace and make it easier to perform those tasks that you need to do several times per day.

Without further ado, the new Dradis Pro v1.9 interface:

A screenshot of the new Dradis Pro v1.9 interface

A clean layout that lets you focus on what’s important: your findings. It’s also fluid which will help you make the most of your wide screen.

Here are a few additional close-ups, and yes, you can drag’n’drop your attachments or even paste your screenshots directly, without saving them to a file first (if your browser supports it).

Additional close-up screenshots of the new interface

Management console & upgrade process

From now on upgrading your Dradis Pro install will be even easier. We’ve created a new management console that lets you apply updates without leaving your browser window.

A screenshot of the new Dradis CIC management console

Apart from the new Dradis CIC, we’ve also made significant changes to the base operating system layer of the Dradis Pro virtual appliance, so you should upgrade as soon as possible (review the Exporting, importing and backing up your data step-by-step guide).

New stack: Ruby 2.0, Unicorn, and Nginx goodness

With Dradis Pro v1.9 we’re upgrading the base stack that powers the application.

The new stack is significantly faster and more efficient (it’s the same one that people like GitHub, Airbnb or Zendesk are using). From the user’s point of view, you’ll just notice better performance under the hood.

We’ve also made some changes to the internals of the appliance paving the road to more advanced CIC operations (like restarting services from the administration console). We’ve also taken steps to make sure that further tweaking the stack will be a painless process, which will make things easier in the long run.

Still not a Dradis Pro user?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features.

Upcoming in Dradis Pro v1.9: report template manager

In this post we introduce another new feature of the upcoming version of Dradis Professional Edition: the new report template manager. Our previous post on the Upcoming in Dradis Pro v1.9 series was about custom Word tables.

Why do we need a report template manager?

There are several use cases for managing multiple report templates: your organisation may use different templates for different project types (e.g. a webapp assessment vs. a vulnerability scan), some of your clients may want you to use their own reporting template, or maybe you are thinking about going freelance or becoming a subcontractor, so you have to use different templates when contracting for different security service vendors. The reason doesn’t really matter. What matters is that from now on you can forget about your multiple template requirements: work as you always do in your Dradis project, and when the time comes to generate the report, pick the right template and generate a full-featured report with just 1 click.

The new template manager complements the Export Manager that we introduced in the current version to allow for more complex multi-template workflows.

Screenshots

You can use the report template manager to easily drag and drop new template files and associate them with each of the export plugins (even the custom plugins you create):

A screenshot of the new report template manager that shows a drop zone area to upload new templates and a list of already uploaded templates.

Pro tip: if you are using Chrome, you can Ctrl+c and Ctrl+v to paste the file into your browser window.

A screenshot of the report template manager showing the view you get when a given plugin doesn't have any templates yet

More information

Dradis Professional edition helps you manage your information security projects. Collate information from multiple tools and generate reports with just 1 click.

If you are not a Dradis Pro user yet, you can read more about our painless 1-click reporting, merging tool output from your favorite tools into a single report and delivering consistent results using testing methodologies with our tool. Get a subscription and start saving yourself some time today.

When is v1.9 going to be out?

Soon! We’re just working on the finishing touches. Subscribe to the newsletter below to get updates in your inbox, and follow us on Twitter: @dradispro.

Upcoming in Dradis Pro v1.9: custom Word tables

Dradis Pro v1.9 is going to be packed with useful upgrades. One of the features we’ve been working on is the ability to easily generate custom Word tables.

Dradis itself has had table support for a very long time; however, the table formatting was lost in the report generation process. Not any more: starting in v1.9, all the tables in your Dradis project will be recreated in your final report.

Here are some examples of beautiful tables generated with Dradis. Note that you can of course customize the look & feel of each table individually. The styles can range from simpler ones adapted to the rest of your branding:

A simple 2x2 custom Word table showing a custom orange and grey style

Tables can also appear anywhere in the document. For instance, below we show how you can keep the scoping information in your Dradis project and then export it to Word using a slightly modified Word table design:

A screenshot of a Dradis note showing a table with scoping information. Columns: Application, URL, Account and Privileges

A screenshot of a custom Word table generated from the Dradis table shown in the previous screenshot. It is using one of Word's predefined styles.

Mixing tables with plugins

We’ve also updated some of our import plugins to generate information in tabular format. For instance, the Nmap plugin now produces a nice service summary table for each host. You can use this feature to produce a nice Hosts and Services Summary section in your report:

A screenshot of a Word document showing a summary of hosts, port numbers and services in a table format

This is just one of the many features we’re preparing for the next release. Watch this space for updates over the coming days!


Dradis Pro custom reports: 3 guides to get you started

One of the main areas we’re working on as part of the Autumn of Code (if you are a Dradis Pro subscriber you know what this is, for the rest of you, we’ll be writing up a bit more in a few days) is documentation.

We’re always working to make it even easier for our users to create Dradis Pro custom reports. You just need Word and a few minutes to go through the guides. We provide you with plenty of examples and sample templates (both built into Dradis and via our Extras section).

Over the last month, we have restyled and organised the Support site and so far we’ve added three brand new guides.

From Nessus to Word: a hands-on example

This guide covers all the steps required to go from a Nessus export file (.nessus) to a Word report with custom look and feel. Map between the Nessus fields and the fields your organisation uses with the Plugin Manager, report findings by host, or list all the hosts affected by one vulnerability, etc.

Of course the best part is that the exact same methodology can be applied to generate custom reports from any of the other supported tools (Qualys, Nexpose, Burp, etc.). And you can mix and merge the results from multiple tools to generate a single consistent report in minutes.

Read more: From Nessus to Word: a hands-on example

Dradis Pro custom Word reports 101

If you are a new user that is starting with Dradis Pro custom reports or if you’re checking out our reporting engine capabilities, this guide is the right starting point.

We cover how to create a template from scratch, how to provide the placeholders for the different types of information that will end up in the report, how to filter and sort your findings, how to style your notes, etc.

We go into some detail about the philosophy behind Dradis and how to make the most of the flexibility it provides. Learn about all the features we support so you can mix and match them to fit your organisation’s reporting needs.

Read more: Dradis Pro custom Word reports 101

Connect Dradis to MediaWiki

Finally, a guide that is not strictly about creating Dradis Pro custom reports, but useful for those wanting to get the most value out of Dradis: create a repository of reusable report entries in a wiki and connect it to Dradis so you can import issues from it. Never again rewrite the same issue description; just import it and tweak the details for each particular case.

Read more: Connect Dradis to MediaWiki

Stay tuned…

That’s it for now, but we will be posting more updates on the Autumn of Code in the coming weeks.

If you want to learn more about Dradis Pro benefits, the Features page is the right place to start.

New in Dradis Pro v1.8

Today we have pushed a new version of Dradis Professional Edition: Dradis Pro v1.8.

This is a shorter release cycle than usual, but we are publishing some significant improvements that we couldn’t wait to share. This is tied to the ideas on product quality we shared a few days ago. Expect a big push of improvements and fixes over the coming weeks.

Changes:

  • Fine-grained project permissions (read more)
  • New Export Manager interface (see below)
  • Bugs fixed and enhancements:
    • Updated to Rails 3.2.14
    • Fix attachment preview scale in Firefox
    • Assign name to screenshot when using Ctrl+v to upload
    • Fix project import/export to work with Issues/Evidence
    • More reliable MediaWiki import (#17)
    • Give more room to every text editor window (#9)
    • Keep the alphabetical sort after errors in the issue list (#2)
    • Fix issues rendering problem in New Notes tab (#6)

The new Export Manager

The Export Manager was one of the modules that needed a refresh after the important changes we pushed in v1.7 (read v1.7 release notes).

Before, there was no easy way to export the same project into the different formats we supported (like HTML or Word), because you had to assign your notes to different categories depending on which export plugin you wanted to use.

This is no longer the case. With the new Export Manager you can export into any format from a single screen:

Screenshot showing the 1st step of the Export Manager where you choose the export plugin you want to use

First you choose which export plugin you want to use. If the plugin provides different options, as the Advanced Word Export plugin or the Project export plugin do, you can select the one you want at this stage.

Next you choose the template you want to use, click on Export and you are ready to go:

Screenshot showing the second step of the Export Manager where the template is chosen

This is great for people that have different templates for different project types (e.g. Application vs. Infrastructure templates; Wireless Assessment template; etc.). It also lets you create and test a new template while the team is still using the current version.

The new Export Manager is more flexible and powerful than any of the alternatives we had before, we hope you enjoy it!


Going Freelance

Thinking of going freelance but not sure if it’s for you? Here are a few things that I think are worth considering before you take the plunge.

First, are you sure you actually want to go freelance? Is it that you want to be your own boss and manage your own work/life balance or is it just the lure of what, on the surface, appears to be good money and short hours?

I’ve been working for myself on and off for the last eight years so have quite a bit of experience of the advantages, disadvantages and things to consider when making the jump and in this article I’ll cover some of these. I hope they will be helpful to those of you thinking of making the jump or who have recently made it. A short disclaimer though, these are my experiences and opinions, they may not work for everyone and others may disagree but they will at least give you one point of view.

First off, back to the original question, do you really want to work for yourself? On the face of it, freelancers have a great life, the money is good, you can choose when to work, pick your clients and generally have a great time. The reality is that all this can be true but it takes effort, you have to put a lot of work in to get there and to stay there. Clients do not simply come banging on your door and while the daily rate can be very good you are unlikely to be working 5 days a week every week so don’t forget, you have to average that rate out over the month and year.

Here are some other things worth thinking about.

Hours

I find that I work a lot more hours working for myself than I ever did working for someone else. There are lots of reasons for this:

  • You are now running a business so have to do “business stuff” as well as the actual client work – Things like bank reconciliation, marketing/advertising and VAT returns all take time that isn’t billable so ends up being fitted in around jobs, usually in the evenings or weekends during busy periods.
  • Quality of work/reputation – Not that I didn’t care about the quality of work when I was employed but now the business is just me and the next job with a client is likely to be based on the deliverables from this job, I feel an extra pressure to do the best job possible, even if that means putting in a few extra hours. I also end up knowing the client at a more personal level as I’ve often been involved with the whole process from initial contact to final delivery and so want to deliver a higher quality product.
  • There is often no one there to stop you doing the extra hours – When working in an office the end of the day is obvious as everyone else is packing up and leaving but working on your own it is easy to get sucked into a job and lose track of time. This applies to employed people who work from home as well so not just freelancers.

Clients

Unless you are really lucky and are well known or have very specialist skills, it is unlikely that clients will simply come to you and so you’ll need to go out and win them in some way. When starting out you need to be careful how you do this. Most companies have a clause in their contract that stops you approaching any of their clients if you leave so don’t assume that if you are friendly with some of the company’s clients that you will be able to lure them away. You may also have to be careful signing up your own clients while still employed, this may breach your contract. If this is the case you may start your freelance career without any fully signed up clients which isn’t a good position to be in.

When working out where to get clients from there are a couple of options, go direct to companies and try to sell them your services or work through middlemen who resell your services for you. Which you choose is up to you and how you would rather work. Going direct to companies can be more lucrative as you get to negotiate for yourself and keep all the cash but doing this requires you to put effort in finding and winning these clients. Back to the hours worked, this isn’t billable work and you have to fit it in around paying clients. Working through a middleman means you don’t have to worry about sales and marketing and all the client schmoozing but means you lose a cut of the final invoice to the middleman.

I personally prefer using a middleman, actually a number of them, as I really don’t like having to do sales work and so am happy to give them their cut to do the work I don’t enjoy. Something I do consider here though is that if the middleman goes on holiday or has a bad month then I’ll not be getting any work that month. That is why I like to have a number of agencies that I work through as one may be on an ebb while the other is on a flow.

Until it has happened once, most freelancers don’t think about clients not paying, you just assume that you’ve done the job so the cash will come in, hopefully on time. I’ve had a couple of clients not pay, the first one hit me so badly that I ended up going back to employment as I couldn’t cover it. Telling friends their response is often “take them to court, sue them”, that is easier said than done when you find out that they haven’t paid because they’ve blown all their cash and have nothing left to pay anyone. Legal action can cost a lot of money and you are unlikely to be high on the list to get cash back if they are going belly up. Make sure you think about this and have reserves in case it happens.

Software/Hardware

As an employee you are most likely provided with all the hardware and software you require to do your job. You’ll get a laptop, Nessus licence, that kind of thing. When you are on your own you have to provide all that yourself. While a lot of security tools are free there are some instances where the commercial versions are really the best ones to choose. Make sure you add all these costs to your budget. Don’t forget the non-security tool software costs as well, a Windows licence (even if just used in a VM), Office and all the other little apps that you used to just install off the main app server without worrying about licences for.

Laptops, phones and other hardware – are you going to share your personal kit with the business or are you going to get it its own dedicated set? Duplicating it all is expensive but means you can do extra hardening on the work equipment and ensure it is only used for work to lessen the risk of exposing client data.

Also consider hardware redundancy, when employed, if your laptop dies the night before a test you might be able to acquire a replacement from a colleague and if not then you can probably hand off to the project manager talking to the client and postponing the job. When you are on your own all that becomes your responsibility. I’ve been a Linux user for over 10 years but my main laptop has been running Windows 7 for over a year because I’ve not had time to take it out of service for long enough to reinstall it. I have a backup machine that I can use if I need to but being older it is a much lower spec so even when I’ve had a few days spare I haven’t risked making the swap just in case.

Legal Issues

The contract

This section could also be called Cover Your Ass and you need to give it close attention. What you need is dependent on your location and the jobs you are doing but here are the basics.

First you really should get a good contract. There are lots of contracts floating around on the net which you could take and either use as is or modify to your own requirements. This is the cheap option but not one that I went for. The reason I chose not to do it is that I wanted to know that my contract matched my business and the jobs I was doing. The contract is the thing that decides who is in the right if things go wrong, I was happy to spend money and time with a good lawyer to make sure mine was as good as I could get.

There are also a number of potential problems with random contracts found on the net:

  • It could be out-of-date – Laws and regulations change
  • Location – The contract may not be for your country/jurisdiction
  • The contract may have flaws or may simply be written by someone who was not a lawyer and just thought the words sounded good

Insurance

In terms of insurance, some may be mandatory, some may be recommended and some may be personal preference. As with contracts, what you need will be based on the kind of work you are doing and where you are doing it. The different types I’d definitely look at are:

  • Professional indemnity – Covers you if you make a mistake while on a job
  • Public liability – In case someone gets hurt as a result of you doing a job
  • Income protection – If for some reason you are unable to work there will be no money coming in, this can help in this kind of situation

When getting insurance, make sure you explain exactly what it is you will be doing to the insurance company or broker. I went through a few companies who turned me down straight till I got annoyed and asked one for an explanation as to why they wouldn’t cover me. After a discussion they realised they didn’t fully understand the job I initially described to them so changed their minds and covered me. This was quite a few years ago and as the industry has grown there are now many more options out there and companies understand the profession better but I’d still make sure you fully explain to them what it is you will be doing just in case.

Training

It’s all down to you, if you want training you have to pay for it yourself in time and money. There are a lot of free, or very cheap, courses out there and you can learn a lot from just reading articles but back to hours worked again, it isn’t billable work so you have to fit it in around your paying clients.

Holidays

No holiday pay, if you aren’t working you aren’t earning! You don’t even get paid for bank holidays.

I like to tie training and conferences with holidays, our family holiday last year started in Gent at BruCON then moved on to a more normal holiday.

Money

I can’t lie, the money as a freelancer, on the face of it, is a lot better than as an employee but, when you add in all the extra hours you’ll end up working, the lack of holiday pay, having to provide all your own hardware, software, stationery (I still send letters occasionally) and all the other non-billable things you need to do and buy it doesn’t necessarily work out that much better.

When working out your budgets don’t assume that you’ll set your day rate at X and will get 253 * X (253 is the number of working days in 2013). Make realistic assumptions about how much work you think you’ll get in a good and a bad month and then decide if it looks as good as it did.

Think about what will happen if you have a couple of bad months back to back, can you survive?

Conclusions

I love being freelance. I much prefer the freedom it gives, especially with two small children at home, but I’m lucky that I have a lot of very good clients and I’m able to sit at my desk from 9-5 (or however long a job takes) without getting distracted. I take regular breaks and will take a day off just to play with the kids if work is quiet but I’ll also get my head down and barely leave my office when work is there.

If you are thinking about it, make sure you look at the unglamorous side of it as well as the fun-looking public side, and if you decide to do it, good luck, I hope you enjoy it as much as I do.

About Robin Wood

Robin is a freelance pen-tester, researcher and developer. Among his projects are Karma, KreiosC2 and Jasager. He is based in the UK.

Find him on Twitter as @digininja or at www.digininja.org