Writer’s block? Tools That Streamline the Report Writing Process Allow Security Researchers to “Focus on the Fun Part”

Jessica Haworth 06 Aug 2021 at 12:24 UTC

Updated: August 09, 2021 at 15:18 UTC

The importance of communication highlighted at Black Hat USA this week

An automated tool to assist security researchers with the vulnerability report writing process was presented at Black Hat USA yesterday (August 5).

The Dradis Framework is a project management, collaboration, and reporting tool for security teams.

Launched in 2007 by Security Roots, the open source edition, Dradis Community Edition (CE), sees around 400 git clones every week. There is also a paid edition, Dradis Pro, which is offered under different subscription plans.

Yesterday at the annual security conference, Tabatha DiDomenico, head of product marketing at Security Roots and board member of BSides Orlando, gave attendees an overview of the framework and outlined the new features for 2021.

More time to hack

Speaking to The Daily Swig, DiDomenico said Dradis generates reports by extracting information from various third-party sources, allowing the researcher to focus on the “fun part,” which is “breaking and defending information systems.”

DiDomenico said: “Putting together a report – even a single vulnerability description – can be tedious and time consuming. Dradis helps you by generating your report rather than having to put everything together manually.”

During her talk, DiDomenico showcased a number of new features, including several Kanban-style methodology boards, a comment and notification system, and a streamlined setup process.

Communication barriers

Researchers without technical writing training often struggle to produce well-written vulnerability reports. This has led to the creation of a number of different tools aimed at making the process easier.

Security consultant Andy Gill (@ZephrFish) has created a GitHub repository containing several documents to aid in drafting bug bounty disclosures.

Gill told The Daily Swig that one of the biggest barriers infosec researchers face is explaining their research to audiences with different levels of understanding.

He said: “Most researchers will be able to do the technical breakdown, but few will be able to break it down in a way that is digestible for those who are less technical.”

Gill gave an overview of his three-step process for writing up a vulnerability: introduce, show, discuss.

He explained: “Regardless of the target audience, the main difference will be the level of language used depending on the level of comprehension of your target audience.

“Introduce. If you’re writing a vulnerability description, explain what you’re about to talk about, what it is, where it is, how it works – who, what, where, why, when, how.

“Show. Whatever you write, be sure to include screenshots, the output of the command, the steps to reproduce, and anything else you want to show the reader.

“Discuss. Explain what you just showed and explain how someone would go about fixing it, or other steps that can be taken to make things better.”

Above all, “assume no knowledge of your reader and take them with you on the journey”.

Gill said, “Tools contribute to efficiency, but a basic understanding of the statements above will allow you to formulate reports regardless of tooling.”