Hello guys and gals,
I’ve been silent for a while because I’ve been working on the new interface (and also been busy with my day job) but it’s time to break this streak of silence and give you some info on how things are going.
Initially, I wanted a new hotness to replace the old and busted WebUI. Something with Rails for a backend and Bootstrap for the front-end, clean, simple, nothing too complicated or fancy yet.
A few weeks ago I reached that stage: I had Scans working (including a Direct scan option, so Dispatchers are now optional, yay :) ), and users were able to manage configuration Profiles as well as Dispatchers and Users. The deal was simple, start a Scan using one of the Profiles, monitor its progress (and watch some nice live stats, charts and an issue table) and then grab the report once the scan finishes — easy peasy.
Then I figured I'd better wait for Rails 4, port the WebUI to use it and then release it; no sense in releasing it now and then having to port it in a month or so.
Since I had some time to kill I thought it'd be cool if users could share scans, thus scan sharing was born — scan owners (and admins) can allow other people read access to their scans. Then I thought that users may want to discuss a certain scan, so I implemented comment functionality for scans. That led to implementing Notifications (naturally) so that users would know when a scan has started, had a new comment or been paused, resumed or aborted.
I took a step back, everything looked good, then came back to it and wouldn’t you know it, I had another idea to implement. There’s no reason why folks shouldn’t be allowed to repeat existing scans (with a non-mandatory crawl this time, since the second scan would already have the first scan’s sitemap) and show a diff, timeline or progression of their logged issues.
Then I came back to an earlier feature, users commenting on Scans…that's a nice feature to have but people would be more interested in discussing a specific discovered issue than a scan — and discussing issues in the scan comments would be very cumbersome.
So I figured I'd better allow people to comment on Issues, which led to the idea of managing issues: being able to flag them as ignored or false positives, alter their "requires manual verification" status (already set by Arachni) and flag them as having been verified, including a nice textbox with step-by-step instructions of the verification process the user followed. And of course, group issues according to the above criteria when listing them.
So, taking another step back, I seem to have digressed a little from my original goal (albeit in an awesome way) and things are now more and more resembling a web application security management and collaboration platform rather than a simple interface for running Arachni scans.
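To make the two ideas above concrete (diffing the issues of a repeated scan against the original, and grouping issues by their review state), here is a small worked example. It is added here for illustration and is not Arachni's or the WebUI's code; the Issue fields, the state names and the sample data are my own assumptions, constructed inline so the script runs offline.

```ruby
require 'digest'

# Constructed issue record; fields loosely modelled on what a scanner logs.
# Not Arachni's Issue class, just a stand-in for this example.
Issue = Struct.new(:check, :url, :element, :input, :state, :notes, keyword_init: true)

# Review states a user can set on an issue (assumed names, not Arachni's).
REVIEW_STATES = %i[unreviewed requires_manual_verification verified false_positive ignored].freeze

# Identity of an issue across scans: which check fired, where, and on which
# input. Volatile data (response body, timestamps) is left out on purpose so
# that a re-scan doesn't make every unchanged finding look new.
def issue_digest(issue)
  Digest::SHA256.hexdigest([issue.check, issue.url, issue.element, issue.input].join("\0"))
end

def index_by_digest(issues)
  issues.each_with_object({}) { |i, h| h[issue_digest(i)] = i }
end

# Diff a repeat scan against its baseline. Persistent issues inherit the
# review state and notes recorded on the baseline, so triage isn't redone.
# The input records are not modified; persistent entries are copies.
def diff_issues(baseline, repeat)
  old_idx = index_by_digest(baseline)
  new_idx = index_by_digest(repeat)

  persistent = (old_idx.keys & new_idx.keys).map do |k|
    carried = new_idx[k].dup
    carried.state = old_idx[k].state
    carried.notes = old_idx[k].notes
    carried
  end

  {
    new:        (new_idx.keys - old_idx.keys).map { |k| new_idx[k] },
    fixed:      (old_idx.keys - new_idx.keys).map { |k| old_idx[k] },
    persistent: persistent
  }
end

# Record a review decision. Unknown states are rejected, and marking an
# issue as verified requires the reproduction notes the text talks about.
def review!(issue, state, notes: nil)
  raise ArgumentError, "unknown state #{state}" unless REVIEW_STATES.include?(state)
  if state == :verified && notes.to_s.strip.empty?
    raise ArgumentError, 'verified issues need step-by-step reproduction notes'
  end
  issue.state = state
  issue.notes = notes
  issue
end

# Grouping used when listing issues: one bucket per review state.
def grouped_for_listing(issues)
  issues.group_by(&:state)
end

# Constructed sample data: a baseline scan that has already been triaged,
# and a repeat scan where one finding disappeared and one is new.
BASELINE = [
  Issue.new(check: 'xss', url: 'http://example.test/search', element: 'form', input: 'q',
            state: :verified, notes: 'Payload reflected unescaped in the results heading.'),
  Issue.new(check: 'sqli', url: 'http://example.test/item', element: 'link', input: 'id',
            state: :false_positive, notes: 'Error page is generic, not a database error.'),
  Issue.new(check: 'csrf', url: 'http://example.test/profile', element: 'form', input: nil,
            state: :requires_manual_verification, notes: nil)
].freeze

REPEAT = [
  Issue.new(check: 'xss', url: 'http://example.test/search', element: 'form', input: 'q',
            state: :unreviewed, notes: nil),
  Issue.new(check: 'sqli', url: 'http://example.test/item', element: 'link', input: 'id',
            state: :unreviewed, notes: nil),
  Issue.new(check: 'path_traversal', url: 'http://example.test/download', element: 'link', input: 'file',
            state: :unreviewed, notes: nil)
].freeze

if __FILE__ == $PROGRAM_NAME
  d = diff_issues(BASELINE, REPEAT)
  d.each { |kind, issues| puts "#{kind}: #{issues.map(&:check).join(', ')}" }
  puts grouped_for_listing(d[:persistent]).keys.inspect
end
```

The one design decision worth pointing out is the fingerprint: if it included anything that changes between runs (session tokens in the URL, the response body) every repeat scan would report a full set of "new" issues, and if it were too coarse (check name only) distinct findings would collapse into one. Normalising the URL before hashing is left out here but is the first thing to add for a real target.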
I haven’t yet implemented everything I’ve mentioned, I’m in the middle of the issue management I mentioned last and I’ll then move to the final piece of the puzzle, repeating scans.
Once I finish the Issue management stuff (at the end of the weekend probably) I’ll post some more screenshots to show you how that’d look — right now I’ve only got a draft design for showing individual issues.