Automated health checks
Vital Signs
In most cases, the basis for collaboration is good communication and documenting processes, events, and results. Today, you have access to countless tools and frameworks for this process, often specialized for particular kinds of work. London-based Security Roots is the developer of the open source Dradis [1] software for IT security teams. The framework creates standardized reports specifically for security checks, helps teams prepare for penetration testing of IT infrastructures, and organizes the implementation and evaluation.
Security experts often use an expansive kit of tools, each with its specific focus, when carrying out penetration tests. Although some of these tools support standardized output formats for the results, the penetration tester is then ultimately forced to compile and organize things on their own to create a comprehensive report for all the tests. Because no uniform standards exist for organizing or creating reports from the individual results, the developers at Dradis stepped in with a web application that acts as a central interface for the penetration testing process.
The free community version allows several employees to work on one project per instance. You can use various plugins to provide data from common penetration testing tools within the scope of the project, including add-ons for Metasploit, Nessus, Nikto, and Nmap.
First Steps in the Container
Of the various installation options for viewing Dradis in action, I'll first take a quick look at the Docker image:
docker run -it --rm -p 3000:3000 dradis/dradis-ce
Of course, you can also download sources from the Git repository [2] and install the software on your local system. If you have access to Heroku or DigitalOcean, you can install Dradis there directly from the Git documentation at the push of a button.
If you now type http://localhost:3000 in your web browser's address bar, you are first prompted to define a password. In the Community Edition, this is the team password, which all team members then use to authenticate for access to the project. If you want to have a look around, populate the setup with sample data as your second step by selecting the No, I'm a new user button.
As soon as the sample data import completes, you are redirected to the login page, where you can select an individual username and log in with the team password you selected previously. In my tests, I always had a session timeout error on the first attempt. Simply try again straightaway and be patient, because it will take a moment to call the dashboard for the first time. When done, you will see a summary of current issues, the progress of the project, and the individual activities for the sample project.
Kanban Board
If you click the Getting started with Dradis Checklist link in the middle of the project step, you are taken to a simple Kanban board in the Methodologies item in the sidebar, where you model the systematic process of your penetration testing as a methodology, which is then processed in the form of individual cards on the board. If you need further lists for your own workflow (e.g., a Backlog or a Blocked/Need input list) for work that cannot be continued at the moment, you can easily create them.
To call up edit mode, where you can assign a task to a member of your team, select a card and press Edit. Although this step can help with planning, there is no overview of the tasks assigned to you, so you will not find it very useful when implementing the tests. Overall, the methodology boards offer the basic functions, but don't expect to find the same feature scope as in Trello. Nevertheless, it is worthwhile taking the time to work through the cards one after the other to dig down into Dradis.
Editing Findings
For the next step in this overview, select All issues from the left sidebar, which takes you to a table view of the issues in the system (i.e., the findings from your penetration test, enriched with recommendations for action for the responsible administrators). To change the default set of fields in the table, click on the small arrow next to the Columns icon and select, say, Description as an additional column; significantly more information is then displayed for the individual entries. You can use tags to rate the criticality of your findings in Dradis. Some of these are preconfigured, but you can also create your own tags.
Click on any entry to view more detailed information on a finding, such as the one for Apache server version 1.3. The documentation contains detailed information and suggestions for solving the problems. In the Evidence tab, you will see evidence to support the findings – typically log data from the penetration testing tool with a reference to the network nodes on which the vulnerability exists. For the sample data populated for new users, the web server on 10.0.155.160 is affected.
The tabs for CVSS and DREAD allow you to specify the severity of a vulnerability further, in line with those rating schemes. Now go back to the first tab and scroll all the way down. In the footer you will see that the report was not typed by an analyst; instead, the Qualys upload plugin is listed as the author – that is, the report was imported directly from the tool's output.
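The upload plugins mentioned earlier and the Evidence tab described here are two sides of the same data model: a plugin reads a tool's output, turns each match into an issue, attaches one piece of evidence per affected node, and records itself as the author. The following Python script is an added example written for this article, not code from Dradis or Security Roots; it walks through that flow on a constructed Nmap XML run modelled on the sample data (Apache 1.3 on 10.0.155.160). The single finding rule, the plugin name, and the host 10.0.155.161 are made up for the illustration, and the `#[Field]#` text rendering at the end reflects the field syntax Dradis uses for note and issue text, which the article itself does not show.

```python
"""Turn tool output (a constructed Nmap XML run) into the issue / evidence /
node structure that a Dradis upload plugin produces. Example code written
for this article; not part of Dradis."""
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML, modelled on the article's sample data
# (Apache 1.3 on 10.0.155.160). Not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 10.0.155.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.155.160" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.37"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.155.161" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="1.3.29"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical plugin name, recorded as the issue author just as the
# Qualys upload plugin is listed as author in the article's sample data.
PLUGIN_NAME = "nmap-upload-example"

# Constructed finding rules: (product, version prefix, issue title, criticality tag).
# Only the article's own sample finding (outdated Apache 1.3) is encoded here.
RULES = [
    ("Apache httpd", "1.3", "Outdated Apache server version 1.3", "critical"),
]


def parse_nmap(xml_text):
    """Yield one dict per open service: node, port, protocol, product, version."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no evidence
            svc = port.find("service")
            yield {
                "node": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            }


def build_issues(xml_text):
    """Group matching services into issues; one evidence entry per affected node."""
    issues = {}
    for svc in parse_nmap(xml_text):
        for product, prefix, title, tag in RULES:
            if svc["product"] == product and svc["version"].startswith(prefix):
                issue = issues.setdefault(
                    title, {"author": PLUGIN_NAME, "tag": tag, "evidence": []}
                )
                # The evidence is the raw tool output line, tied to the node it came from.
                issue["evidence"].append({
                    "node": svc["node"],
                    "output": f'{svc["port"]}/{svc["protocol"]} {svc["product"]} {svc["version"]}',
                })
    return issues


def render_issue(title, issue):
    """Render the issue text in the #[Field]# syntax Dradis uses (evidence is
    stored separately, per node, so it is not part of the issue text)."""
    fields = [
        f"#[Title]#\n{title}",
        f"#[Tags]#\n{issue['tag']}",
        f"#[Author]#\n{issue['author']}",
        f"#[AffectedNodes]#\n" + ", ".join(ev["node"] for ev in issue["evidence"]),
    ]
    return "\n\n".join(fields)


if __name__ == "__main__":
    for title, issue in build_issues(SAMPLE_NMAP_XML).items():
        print(render_issue(title, issue))
        for ev in issue["evidence"]:
            print(f"  evidence on {ev['node']}: {ev['output']}")
```

Running the script yields one issue with two evidence records, one for each host running Apache 1.3, which is exactly the shape you see in the Dradis Evidence tab: the finding is written once, and each affected node carries its own slice of the tool output.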