When it comes to penetration testing engagements, there is no shortage of vulnerability management and report generation tools. With so many offerings available, finding the right penetration test management tool can be difficult. In this article, I compare the features, advantages, and disadvantages of four of the most popular vulnerability management/report generation solutions.
Of the four, PlexTrac is by far the most powerful; it is easy to use and has a slick interface, but it’s not cheap. Dradis Pro offers a compelling set of functionality; it is quite a bit less expensive than PlexTrac, but is more difficult to use. DefectDojo and NamicSoft don’t offer nearly as much functionality, but can be great solutions for what they do, and they are inexpensive. For more details on each tool, read on!
The Vulnerability Management / Report Generation Tools
Infosec trainer and security consultant Tanya Janca, a.k.a. SheHacksPurple, has compiled a list of tools that are capable of aggregating vulnerability scans from different tools into one central list of findings (see Figure 1). Most of these tools also provide other functions and features, and were designed to provide services beyond vulnerability management. For this assessment I focused on these four tools:
- DefectDojo
- NamicSoft
- PlexTrac
- Dradis Pro
What is DefectDojo?
DefectDojo is a security tool that automates application security vulnerability management. DefectDojo streamlines the application security testing process by offering features such as importing third-party security findings, merging and de-duping, integration with Jira, templating, report generation, and security metrics.
DefectDojo streamlines the testing process through several “models” that an admin can manipulate with Python code. The core models include: “engagements,” “tests,” and “findings.” DefectDojo has supplemental models that facilitate metrics, authentication, report generation, and tools. DefectDojo is written in Python and Django.
While traceability and metrics are the ultimate end goal, at its core, DefectDojo is a bug tracker. Taking advantage of DefectDojo’s Product:Engagement model enables traceability among multiple projects and test cycles, and allows for fine-grained reporting.
Testing or installing DefectDojo is easy. If you decide to set up an instance of Dojo for your organization, there is a script that handles all dependencies, configures the database, and creates a super user.
DefectDojo integrates with Burp, Tenable Nessus, Nexpose, Veracode, and OWASP ZAP. This limits its usability, as only findings from those tools will be aggregated. Nevertheless, because it is an open-source project, the price is right! If your vulnerability scanners are limited to the five listed above, you could benefit from the vulnerability aggregator and the many project management and reporting features available with DefectDojo.
Open Source – Free – BSD 3-Clause License
- Developed and Supported by OWASP
- Free and Open Source
- Easy Installation
- Supports Vulnerability Management
- Supports Report Generation
- Supports Metrics
- Limited Tool Integrations
- Limited Report Generation Formats
Where to find DefectDojo?
The code is open source, and available on GitHub. A running example is available on the demo server, using the credentials admin / defectdojo@demo#appsec. Note: The demo server is refreshed regularly and provisioned with some sample data.
What is NamicSoft?
NamicSoft provides an easy-to-use interface which helps you quickly create reports in Microsoft Word (.docx). The built-in parser also supports exporting the results to an Excel spreadsheet (.xlsx) and/or to an SQL database (SQLite). Other functions allow you to merge hosts, edit host and vulnerability information, and filter results on parameters such as port and severity.
NamicSoft is an intuitive and user-friendly software solution whose main function is to assist you in converting the scan results from Nessus into DOC or DOCX files, with just a few clicks.
The program is sufficiently simple to handle, allowing you to load and read the Nessus format file, then work with the retrieved results of all hosts or only specific ones, depending on your preferences. At the same time, Scan Report Assistant enables you to merge the selected hosts.
The application is able to read all the relevant information from the Nessus analysis, providing you with details about the discovered vulnerabilities, such as “Host Name,” “Description,” “Port,” “Severity,” “Protocol,” “Base Score,” or “Risk Factor.” These can be filtered according to the “Port” or “Severity” level, which requires that you select two options: “Smaller Than,” “Equal To” or “Larger Than,” and “Informational,” “Medium,” “High,” or “Open Port.”
To generate the Word document from your Nessus report, you need to access the “Output” menu and choose the “Create Word Report” option, which lets you set the save location and filename, include filtered items or summary tables, and opt for the preferred layout of hosts and vulnerabilities.
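The two operations these tools share, merging duplicate findings reported by different scanners (DefectDojo's "merging and de-duping") and filtering the merged list on port or severity with the "Smaller Than / Equal To / Larger Than" relations described for NamicSoft, are illustrated below in a small added example. This is not code from any of the products; the `Finding` class, the severity ladder and the sample scan rows are all constructed here for illustration.

```python
import operator
from dataclasses import dataclass
# Severity ladder for ordering; relations mirror the "Smaller Than / Equal To / Larger Than" choices.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
COMPARE = {"Smaller Than": operator.lt, "Equal To": operator.eq, "Larger Than": operator.gt}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    name: str
    severity: str
    source: str  # scanner that reported it

# Constructed sample input (not real scan output): one host seen by two tools, with one overlap.
SAMPLE = [
    Finding("10.0.0.5", 443, "tcp", "TLS weak cipher suites supported", "Medium", "Nessus"),
    Finding("10.0.0.5", 443, "tcp", "tls weak cipher suites supported", "Low", "Burp"),
    Finding("10.0.0.5", 22, "tcp", "SSH server version disclosure", "Informational", "Nessus"),
    Finding("10.0.0.7", 443, "tcp", "Expired TLS certificate", "High", "Nessus"),
]

def dedupe(findings):
    """Merge findings that describe the same issue on the same host/port/protocol.
    Returns {(host, port, protocol, name): {"severity": str, "sources": set}}."""
    merged = {}
    for f in findings:
        key = (f.host, f.port, f.protocol, f.name.lower())
        rec = merged.setdefault(key, {"severity": f.severity, "sources": set()})
        rec["sources"].add(f.source)
        # When scanners disagree, keep the most severe rating.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f.severity
    return merged

def filter_findings(merged, column, relation, value):
    """Keep merged findings whose Port or Severity satisfies the relation to value."""
    cmp = COMPARE[relation]
    kept = []
    for key, rec in merged.items():
        if column == "Port":
            match = cmp(key[1], int(value))
        elif column == "Severity":
            match = cmp(SEVERITY_RANK[rec["severity"]], SEVERITY_RANK[value])
        else:
            raise ValueError(f"unsupported filter column: {column}")
        if match:
            kept.append((key, rec))
    return kept
```

Note that the two scanners' reports of the same cipher-suite issue collapse into one record that lists both sources and carries the higher of the two severities, which is the behaviour that keeps a report from counting one weakness twice.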
NamicSoft comes with many templates which can be used to create Word reports. Customers can also design their own templates using NamicSoft’s templating system.
Users normally use the templates provided with NamicSoft as a base when designing new templates. NamicSoft publishes tutorials on how to create your own templates using its templating system.
NamicSoft has 10 integrations including NMAP, Nessus, BurpSuite, and Nexpose.
Free to try – 1-year license $80
- Low Cost
- Supports Word Document Reports
- Intuitive and Easy to Use
- Limited Integrations
- Limited Functionality – Primarily a Report Generation Engine
What is PlexTrac?
PlexTrac is a cybersecurity reporting and workflow management platform that supercharges security programs, making them more effective, efficient, and proactive. It has modules for just about every task in a penetration test. It is highly customizable and gives you the ability to automate the report preparation and delivery processes. But it is far more than a report generation tool. Many users may find that they don’t need many of the features.
Findings from scanners may be imported into PlexTrac via the supported file type exported from the scanner software. PlexTrac supports many major scanners, including Nexus, Nexpose, Qualys, and more.
- It supports the complete penetration test project delivery workflow
- Highly configurable
Product Website: PlexTrac – The Purple Teaming Platform
What is Dradis Pro?
Dradis is a framework based on Ruby on Rails that helps pen testers organize and share their results in a common database. The tool then enables you to consolidate the inputs with external databases (e.g., vulnerabilities databases) and generate reports.
You can import findings from over 24 popular pentesting and security tools and present your findings in several formats, including Word, Excel, HTML, CSV, XML, a real-time results portal, or a custom format. Use multiple methodologies for different stages of a project, keep track of all your tasks, and deliver consistent results across your organization.
Working together is easier when security project data, tool outputs, scope, results, screenshots, and notes are centralized. Track changes, leave feedback, and push updated findings to keep everyone on the same page. There is no need to learn any new technologies: combine the output from your favorite security tools, such as Nessus, Burp, Nmap, and more, and use Dradis's simple yet powerful templates to create reports in minutes rather than days. Dradis Gateway overcomes the limitations of static security reports by sharing the results of security assessments in real time.
DradisPro comes with 24 integrations out of the box.
1-year license per user $948
- Highly Configurable
- Fully featured pentest project management platform
- Affordable for small practices
- Extensive configuration and setup are required
- Some deployment options are still in development
Where to find it: https://dradisframework.com/
Which Tool Should I Use?
DefectDojo, NamicSoft, PlexTrac, and DradisPro are similar products in that they ingest findings, aggregate vulnerabilities from different tools, and provide the ability to generate reports from the uploaded data. But that is where the similarities end! PlexTrac and DradisPro are fully featured pentest project delivery management platforms, while DefectDojo and NamicSoft are vulnerability management and report generation tools.
PlexTrac has more features and is more user-friendly than Dradis Pro, but it is also substantially more expensive and small practices may find it difficult to justify the expense.
DradisPro is a pentest project management and delivery platform that supports 24 pentest tools integrations out of the box. It supports vulnerability management, methodology checklists, compliance packages, report generation, real-time project status, and report delivery via a client-support gateway.
Its primary drawbacks are that configuration is required and cloud deployment options are still in development. (Having said that, we have successfully deployed our DradisPro instance to Azure.)
Which tool you should use depends on how much you are trying to automate, the number and types of scanners you will be importing your findings from, your project workload, and, no less important, your budget. If you have a limited budget and are trying to save time during engagements by consolidating findings and automating report generation, both DefectDojo and NamicSoft would be excellent options. If your project delivery automation goals are more ambitious, PlexTrac and Dradis Pro both offer extensive project automation features. PlexTrac is more user-friendly and has a wider array of functionality, but it is substantially more expensive than Dradis.