Enabling Secure Business Operations

Protect Your Users by Learning from Quip

April 2nd, 2010

Earlier this week, news reports surfaced of a security hole in a popular mobile application for sharing photos. The program, called Quip, enabled iPhone users to send picture messages to any phone without using carriers’ MMS technology, which often requires an extra monthly fee. Quip sent text messages or push notifications with a link to a web page where the recipient could view the intended picture. According to the developers of Quip, users have sent over 3 million photos using the service.

But those 3 million photos did not reach only their intended viewers. The application uploaded pictures to a public web server with no encryption or authentication, and even worse, the file addresses followed a simple, predictable pattern, so anyone who saw one link could guess the rest. Once someone posted this to a popular link-sharing site, Internet users began posting links to images that ranged from racy to disturbing. Intrepid voyeurs even identified people in the photos and found their accounts on various social networking sites.
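To make the flaw concrete, here is an added example; it is not code from Quip or Addy Mobile, whose actual addressing scheme the reports describe only as "simple and predictable". It shows a hypothetical sequential naming scheme beside the enumeration it invites, and a hardened store that hands out random, expiring capability links instead. The path formats, the `PhotoStore` class and all function names are assumptions made for illustration.

```python
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# --- Weak design: sequential file names on a world-readable server ----------
# Hypothetical scheme for illustration only; the page says Quip's addresses
# followed a simple, predictable pattern, not which one.

def predictable_link(photo_number: int) -> str:
    return f"/photos/{photo_number}.jpg"

_SEQ_LINK = re.compile(r"^/photos/(\d+)\.jpg$")

def enumerate_neighbours(one_link: str, radius: int) -> List[str]:
    """Given a single leaked link, guess the links on either side of it.

    This is all an attacker needs when names are sequential and the server
    performs no authentication: every guess is a valid, world-readable URL.
    """
    match = _SEQ_LINK.match(one_link)
    if match is None:
        return []                      # not a sequential name: nothing to guess
    n = int(match.group(1))
    return [predictable_link(i)
            for i in range(max(n - radius, 0), n + radius + 1) if i != n]

# --- Hardened design: unguessable, expiring capability links ---------------

@dataclass
class _Entry:
    data: bytes
    expires_at: float

@dataclass
class PhotoStore:
    """Hypothetical image store that serves a photo only to holders of its token."""
    ttl_seconds: float = 7 * 24 * 3600          # links die after a week
    clock: Callable[[], float] = time.time      # injectable for tests
    _entries: Dict[str, _Entry] = field(default_factory=dict)

    def upload(self, data: bytes) -> str:
        # 32 random bytes -> 43-character URL-safe token with 256 bits of
        # entropy. Knowing one link tells you nothing about any other.
        token = secrets.token_urlsafe(32)
        self._entries[token] = _Entry(data, self.clock() + self.ttl_seconds)
        return f"/p/{token}"

    def fetch(self, token: str) -> Optional[bytes]:
        """Return the photo for a valid, unexpired token; None otherwise."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        if self.clock() >= entry.expires_at:
            del self._entries[token]       # expired: stop serving and drop it
            return None
        return entry.data

    def revoke(self, token: str) -> bool:
        """Let the sender (or an incident responder) pull a link early."""
        return self._entries.pop(token, None) is not None

if __name__ == "__main__":
    leaked = predictable_link(1000)
    print("guesses from one leaked link:", enumerate_neighbours(leaked, 2))
    store = PhotoStore()
    link = store.upload(b"\xff\xd8 constructed JPEG bytes")   # constructed sample
    print("hardened link:", link, "->", store.fetch(link.rsplit("/", 1)[1]))
    print("guessed token:", store.fetch("0" * 43))
```

The random token is the only credential, so the server no longer depends on nobody guessing a number; the expiry bounds how long a forwarded link keeps working, and `revoke` is what an operator reaches for during an incident instead of taking every server offline. In a real deployment the links would also be served over HTTPS and the image host would not list its directory contents.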

Addy Mobile, the company behind Quip, reportedly took the service offline and cut off access to the servers hosting the images, but not before many of the pictures had been downloaded and re-posted on other web sites. The founder of Addy Mobile issued an apology and promised to keep the service offline until better protection for uploaded files was in place. He noted that the company has only three employees but said they would work quickly.

The unfortunate Quip incident is a real-life illustration of many security lessons, but one in particular stands out: developers need to think about the security of their projects from the beginning. Online resources make it very easy for anyone to learn programming, but that same ease of access can lead to a three-person product handling three million files. Mistakes happen, and foolproof security is difficult, if not impossible, to achieve, but basic precautions built into Quip's system from the start (unguessable file addresses, access control on the image server, and links that expire) would have spared many end users embarrassment and difficulty. Security is not simply a feature or add-on; in today's connected world especially, it is an essential part of product development.


Using Dradis to Organize and Share Information with Your Team

April 1st, 2010

Probably one of the first things you learn when you move from "This is fun, let's learn some stuff about ethical hacking" to doing it professionally is that it is imperative to keep track of everything. Clients want a little more than "Oh look, I broke in! I'm so cool!" They want an in-depth report (a whole new skill to learn), so keeping records of what you did as you do it becomes a vital part of the job. Additionally, whether you are working a pentest, playing red team at a cyber defense competition, or tackling almost any other large project, chances are you will be working on a team. In school, after team-based projects, "Communication among team members is vital to the success of the project" was always at the top of my list of lessons learned. That's where the Dradis Framework comes into play.

The Dradis Framework is an open source tool for penetration testers, written in Ruby. As noted in a previous post, Dradis comes set up and ready to go on BackTrack 4, though the Dradis team recently released a new version with some exciting new features, so if you haven't already set up persistent changes on your pentest box, now might be the time, so that you can upgrade. If you aren't using BackTrack 4, do not despair: Dradis runs on several versions of Linux, Windows, and Mac. The Dradis team also provides excellent support for getting the framework set up. With a few prerequisites, you'll be ready to start conducting well-organized pentests.

Dradis lets you easily import results from common tools such as Nmap and Nessus, and the newest version adds plugins for importing results from Burp Scanner and Nikto. Another useful feature is the ability to attach notes to any node with comments for the rest of your team, such as "I tried Metasploit module X against this, but no cigar." If everyone records what they have done and what looks interesting but hasn't been fully explored yet, this cuts down on overlap among team members.

I have found Dradis especially useful when playing red team during cyber defense exercises. It's a fast-paced, high-stress scenario, often with multiple target networks that you need to hit as evenly as possible. The team is also often made up of people you aren't used to working with, so the rapport built by working together every day isn't there. A centralized place where everyone can see what has been done and what still needs doing again reduces overlap and wasted time. So if organizing your pentests is getting you down, Dradis might just be the solution you've been looking for.
