An automated tool to assist security researchers with the vulnerability report writing process was demonstrated at Black Hat USA yesterday (August 5).
The Dradis Framework is a project management, collaboration, and reporting tool for security teams.
Launched in 2007 by Security Roots, the open source Dradis Community Edition (CE) has an estimated 400 git clones each week. There is also a paid edition, Dradis Pro, which is offered under different subscription plans.
Yesterday at the annual security conference, Tabatha DiDomenico, product marketer at Security Roots and board member at BSides Orlando, gave attendees an insight into the framework and previewed new features for 2021.
More time to hack
Speaking to The Daily Swig, DiDomenico said that Dradis generates reports by pulling information from various third-party sources – allowing the researcher to focus on the “fun part”, which is “breaking and defending information systems”.
DiDomenico said: “Pulling together a report – even a single vulnerability write-up – can be tedious and time-consuming. Dradis helps by generating your report rather than having to pull it all together manually.”
During her talk, DiDomenico demonstrated a number of new features, including multiple Kanban-style methodology boards, a comments and notification system, and a simplified setup process.
Communication hurdles
Researchers without a background in technical writing can often struggle to produce well-written vulnerability reports. This has led to the creation of a number of tools that aim to aid the process.
Security consultant Andy Gill (@ZephrFish) created a GitHub repo containing multiple documents to help with the write-ups of bug bounty disclosures.
Gill told The Daily Swig that one of the biggest hurdles facing infosec researchers is the ability to explain their research to audiences with different levels of understanding.
He said: “Most researchers will be able to do the technical breakdown, but few will be able to break it down in a digestible manner for those who are less technical.”
Gill gave an insight into his three-step process for writing up a vulnerability: introduce, show, discuss.
He explained: “Regardless of the intended audience, the main difference will be the level of language used based on the level of understanding of your target audience.
“Introduce. If you are writing up a vulnerability description, explain what it is you are about to talk about: what it is, where it is located, how it works – who, what, where, why, when, how.
“Show whatever it is you are writing up, be sure to include screenshots, command output, steps to reproduce, and anything else you want to show the reader.
“Discuss. Explain what you’ve just shown and explain how someone would go about remediating it, or other steps that can be taken to improve things.”
Above all, “assume no knowledge of your reader and bring them along for the journey”.
Gill said: “Tools help efficiency but having a core understanding of the statements above will let you formulate reports regardless of tooling.”
Source: https://portswigger.net/daily-swig/writers-block-tools-that-simplify-the-report-writing-process-allow-security-researchers-to-focus-on-the-fun-part