Dradis Framework 3.0: A New Hope

It's been a long time since we published an update about our little project, more exactly 1005 days. That's over three years. Let me tell you why, what happened and what comes next.


We're alive, a new version of Dradis is ready for you to download, we've got a new forum, a new website and renewed energies. Exciting times ahead!

What happened? The freeze and restart of Dradis Community Edition

The Dradis Framework open-source project was born in 2007 and continued to evolve for a few years. Throughout the years, as is common in an open-source project, maintainers and contributors came and went, and things dwindled down a little bit. We had some pretty amazing community support that helped us hunt down bugs and fix minor quirks, but in the end I (Daniel, @etdsoft) was the last man standing doing active development.

At some point, security consulting companies started approaching us to provide a commercially supported version of the platform, with additional features, official support channels, etc. It sounded like a really interesting opportunity / challenge. We announced Dradis Professional Edition in July 2011. Things were good and we released new versions of the Community Edition in August, October and February 2012 (see our release timeline).

Then things started to get really tricky. More and more teams were interested in Dradis Pro, and I had to make some pretty tough choices. I managed to keep fixing bugs and pushing things forward for a little bit, to the point we had a never-released v2.10 version of the framework in our git repo, but without too much time on my hands I couldn't architect things to keep both editions of the platform (Community and Professional) active. In the end the two code bases started to diverge.

By the end of 2013 I was trying to juggle a 9-to-5 job, supporting the open-source community and bootstrapping Security Roots, the company behind the new commercial edition of Dradis (oh, and having a personal life too - my first daughter was born in Aug 2012). I took a 3-month sabbatical from my corporate gig to try to get things back on track, with the idea of continuing pushing through doing everything in parallel. As soon as the break ended and I got back to work I realised it wouldn't work. I was not going to be able to do a good job at my 9-to-5, launch a business and take care of my family all at once. In February 2014 I resigned and went on to dedicate 100% of my energies to Security Roots.

Things have been great so far (touch wood everyone!), we're now serving 200+ teams in 31 countries. I no longer have to split my time between so many work streams and as a result I can get better results. More freedom and more resources is exactly what was needed to get the Community edition of Dradis back on track.

It all started with a nudge from the ToolsWatch team (thanks NJ and @maxisoler): it was time for us to get back to work on Dradis Community. Those of you that had a chance to catch up with us at the Arsenal of BlackHat last year have already seen a teaser of what would eventually become Dradis 3; for the rest of you... please keep reading.

What's new in Dradis 3.0?

Pretty much everything. Dradis 3 is a complete rewrite of our code base. We've kept the same concepts you're familiar with (notes, nodes, attachments, etc.) but everything else is new.

  • We've got a new look and feel, check out the screenshots.
  • We've introduced the concept of Issues and Evidence (instead of having just notes).
  • The code is cleaner, more modular and easier to maintain.
  • We have extracted each of our tool connectors into their own repositories. See our Add-ons page.
  • We've improved the installation process: download one file and run. As good as it sounds (see below).

I think that a picture in this case explains it better, according to our GitHub activity graph, we've been busy:

Downloading Dradis 3

No more dependency hell or tinkering with Ruby versions. We're now leveraging the excellent Traveling Ruby project to provide self-contained packages for Linux and Mac (Windows soon to come).

The download is bundled with a Ruby interpreter and all the libraries and dependencies that you need. Nothing to install, just extract and run. Give it a try:


A stronger community

A few months ago we also updated our community forums. Even though we were in a semi-stealth mode back then, people managed to find the forums and started having troubleshooting and feature request conversations.

We're hoping that the forums become the easiest way to exchange information with the project maintainers but also between Dradis users. Without further ado, the new home for our community:


The forums are powered by the open-source Discourse platform, which by the way, is another excellent FOSS that touches on many areas of Ruby, Rails and Docker (if you are interested in such things).

A cleaner website

The truth is that the code for Dradis 3.0 (or to be perfectly precise, the first release candidate) has been ready for a few days. But we couldn't bear the thought of doing the first release in 3 years and still use our old website. Don't get me wrong, we loved the website and it served us nicely, but it didn't age well.

This is why today we're also presenting a new, cleaner and modern website:


We're using the excellent Middleman static website generator and we have published the source of the site on our GitHub page: dradis/website. If you spot an error or something that could be improved, pull requests are welcome!

BTW, we know our blog theme still matches the old website, please give us a break! We didn't want to delay the release / news of Dradis 3 any longer, we'll get around fixing the blog soon!

What's next?

Our immediate goal is to get to a Dradis 3.0 final release as soon as possible. We need your help to test and iron out the last few quirks.

Oh, and please help us spread the word: Dradis 3.0 is out, everyone should check it out!


Dradis selected for Rooted Warfare 1st edition

We will be joining other amazing tools in the first edition of Rooted Warfare during Rooted CON - March 6, 7 and 8 in Madrid, Spain.

Read the full announcement:


Dradis at Play

Note: this is a guest post by J Wolfgang Goerlich (@jwgoerlich), Captain of the MiSec RuCTFe 2012 team.

Ten. Nine. Eight. We stand in the war room of a data center. Seven. Six. We watch the scoreboard and count down the final few seconds. Five. Four. It was a tough day, but the team really came together at the end. Three. The organizers extended it by ninety minutes. We're tired, hungry, and ready to celebrate. Two. Tomorrow, we can reflect with Dradis. One. Game over.

Let's jump back for a moment. MiSec is a loose-knit group of IT security professionals and students. We regularly toss out a capture-the-flag challenge. Whoever is interested attends, and whoever attends becomes the team. The only price for admittance is the passion for learning something new and the dedication to teaching others what you learn.

This was our second time playing the RuCTFe. It is an English CTF organized by the Russian CTF team HackerDom of Ural Federal University. Limited to 150 teams world-wide and played out live for several hours once a year, it is quite the event on the MiSec calendar.

But that is not the only CTF we compete in. We put together ad hoc teams every couple of months for various events. CTFtime has us at the 119th place team in 2011 and 173rd team in 2012. That is out of 1815 CTF teams world-wide. We get a lot of play.

The challenge is coordination and information sharing. With people all over the state participating, and with an ever changing roster of teammates, you never quite know what to expect. The trick is getting people onto the same page during the incredibly fast paced CTF events.

Dradis is the answer. Each time there is a CTF, one of the team members takes point in setting up a new Dradis instance. We organize the folders by challenges. As progress is made and new things are learned, people make notes. Each Dradis instance becomes a snapshot of our team's efforts.

Back in the game, the countdown hits one. We pack up our gear. We clear the war room. The Dradis virtual machine is shut down, copied, and distributed to the team. Over the coming days, we will review our findings and read other teams' write-ups. This will culminate in a debriefing like the one below in about a week. Game over.

We would like to thank the Dradis project maintainers for their efforts and support. CTFs are crazy enough. Adding an ever changing team roster is even crazier. Toss in a mix of people all over the place dialing in at all different times. Insanity. Dradis keeps us sane and has become a fundamental part of MiSec's CTF strategy. Thanks gents.

-J Wolfgang Goerlich


Dradis Framework featured in Advanced Penetration Testing for Highly-Secure Environments

Quick post to let you know that there is extensive coverage of our project in the new Advanced Penetration Testing for Highly-Secure Environments by Lee Allen.

Coverage goes from our very own Introduction to the Dradis Framework section in Chapter 1 to several other bits and pieces throughout the rest of the book. Check it out!

Thanks to Lee and kudos to @luisfer_nandez for letting us know.


Drag'n'drop attachment uploads

Up until now, adding screenshots to your notes has been a bit problematic. You had to go to Attachments, upload the image, click, get the URL, go back to the Notes tab, open the editor and paste the link. This led to a very upvoted feature request: Add image upload functionality to Note Editor.

Recently we've managed to sort this out and create a much cleaner solution to solve this problem: you can now drag and drop files to the Editor window, upload and copy the resulting attachment URLs to use them in the note's text. Let me show you how:

When invoking the note Editor (either from the add note button or double-clicking on an existing note), apart from the familiar Write and Preview tabs, there will be a third tab: Attachments.

This tab features a drop zone and some controls to manage the upload process. You can drag files from your desktop into the drop zone to stage them for upload:

Have you noticed the preview images you get even before uploading anything?

Anyway, you can upload them one at a time using the controls in each row or all at once using the general controls below the drop zone.

Once they are uploaded a link is provided to each attachment. You can right-click on the link to copy the attachment's URL for use in your notes.

The drag'n'drop feature is dependent on your browser: you will need Firefox 4.0+, Google Chrome or Safari 5.0+.

This feature is already available in the master branch of the Dradis Community and Dradis Professional editions.


Dradis Framework is the star in PaulDotCom en Espanol Episode 11

I (@etdsoft) was given the opportunity to talk about Dradis Framework's past, present and future on Episode 11 of PaulDotCom Security Weekly en Espanol.

The podcast is in Spanish, but there is a full transcript in English in Security Roots' blog:


Thanks to Carlos Perez aka "Darkoperator" (@Carlos_Perez) and the PaulDotCom team for having us in the show!


Dradis Framework chosen winner in the Best Tools Report 2011

Today we got some amazing news: Dradis Framework was chosen as the winner in the Security Assessment/Datamining category of the Best Tools Report 2011 by ToolsWatch Service.

From the document:

The present document describes the Best Tools and Utilities from 2011. Divided into categories, carefully separated, based on the VulnerabilityDatabase.com Scoring Criteria.

We are thankful to the @ToolsWatch team and want to send congrats to all the participants!

Good day!