I wanted to start today’s blog post by saying thank you to everyone who has downloaded Agnitio so far! Agnitio has been downloaded 1250 times since I released v1.0 104 days ago, and with people still downloading both v1.0 and v1.1 nearly every day, that number continues to rise! I must admit that when I first released Agnitio I was worried that no one would download and use it; in information security, building isn’t as sexy as breaking, and the same applies to the tools. Agnitio isn’t ever going to be a Metasploit or SET. You can’t pop boxes with it, but it will hopefully help you find and fix vulnerabilities in your web applications.
If you are currently using Agnitio I hope it has lived up to your expectations. When I announced the release of v1.0 I said that I believed Agnitio would help reviewers think more about the code they are reviewing, that it can help deliver repeatability and integrity to your review process, and that it can automatically generate the audit trails and reports frequently demanded by auditors and management. I hope that if you are an Agnitio user you would agree with me; if you don’t, please let me know what I can do to further improve Agnitio!
In January I released v1.1 of Agnitio, which included a lot of user-suggested changes as well as the checklist and principles of secure development guidance sections. This version of Agnitio again received a lot of great feedback, generated some cool user-supplied feature suggestions and had a lot of downloads, and I also received the first externally reported bug in Agnitio!
So now I’m about to release v1.2, which will be the last 1.x release and also the last release for a few months. I’ve started development on v2.0 of Agnitio, which I plan to release in the summer, more specifically in the first week of August. I have included more information about v2.0 at the end of this blog post, and I also want feedback from anyone using Agnitio on what they would like to see in v2.0.
Ever since I finished v1.0 I have wanted to make more use of the data collected during the creation of profiles and during the reviews themselves. With that in mind I decided that v1.2 would bring more visibility to the security code review process. Agnitio v1.2 keeps the existing features that help enforce repeatability and integrity in your security code review process, but it adds a new feature that produces metrics based on the review data. This allows you to increase visibility and observe trends over “x” reviews of your applications. Think of the kind of things you would like to see over time, instantly and easily, for your security code reviews. I thought of the following and included them in v1.2: does Application A always have lots of questions marked as Yes/No/NA? How does the last review of Application A compare to previous reviews? Are five NA answers for v2.0.0 better or worse than the average number of NA answers for Application A? I think you get the idea. If you have any other ideas then please let me know and I will include them in v2.0!
I know some people say metrics are rubbish and others think they are great; I’m somewhere in the middle. I can see the value of having them to answer questions like those I listed in the paragraph above, but I’ve often found that security tools and processes very rarely make metrics easy to produce. That is a discussion for another day, probably by another blogger on a different blog though!
You did the hard work when you completed a security code review using Agnitio. You provided Agnitio with a lot of information, so why should you have to do more hard work to make that information useful? If you use Agnitio v1.2 you don’t have to!
Agnitio v1.2 automatically creates metrics and reports, bringing much needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.
The metrics will be produced provided you have completed at least two reviews of an application, and they will cover up to five reviews. If you have completed more than five reviews of an application, the metrics will be based on the five most recent reviews.
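To make that rule concrete, here is an added example (my own illustration, not Agnitio’s code) that applies the thresholds described above, at least two reviews and at most the five most recent, to constructed review data for a hypothetical “Application A” and compares the latest review’s Yes/No/NA counts against the average over that window:

```python
from collections import Counter

# Thresholds from the post; the code itself is an added illustration, not Agnitio's own.
MIN_REVIEWS = 2   # no metrics until at least two reviews of an application exist
MAX_REVIEWS = 5   # metrics use only the five most recent reviews
ANSWERS = ("Yes", "No", "NA")

# Constructed sample data: six chronological reviews of a hypothetical "Application A",
# each answering ten checklist questions (version strings are illustration only).
SAMPLE_REVIEWS = [
    {"version": "1.0.0", "answers": ["Yes"] * 1 + ["NA"] * 9},
    {"version": "1.1.0", "answers": ["Yes"] * 6 + ["No"] * 2 + ["NA"] * 2},
    {"version": "1.2.0", "answers": ["Yes"] * 5 + ["No"] * 2 + ["NA"] * 3},
    {"version": "1.3.0", "answers": ["Yes"] * 4 + ["No"] * 2 + ["NA"] * 4},
    {"version": "1.4.0", "answers": ["Yes"] * 7 + ["No"] * 2 + ["NA"] * 1},
    {"version": "2.0.0", "answers": ["Yes"] * 3 + ["No"] * 2 + ["NA"] * 5},
]


def answer_counts(review):
    """Count Yes/No/NA answers for one review, always reporting all three keys."""
    counts = Counter(review["answers"])
    return {answer: counts.get(answer, 0) for answer in ANSWERS}


def review_metrics(reviews):
    """Metrics over one application's reviews (oldest first), or None if too few.

    Only the MAX_REVIEWS most recent reviews are used; the latest review is
    compared against the per-answer average across that window.
    """
    if len(reviews) < MIN_REVIEWS:
        return None
    window = reviews[-MAX_REVIEWS:]          # drops older reviews beyond the five most recent
    per_review = [(r["version"], answer_counts(r)) for r in window]
    average = {a: sum(c[a] for _, c in per_review) / len(per_review) for a in ANSWERS}
    latest_version, latest = per_review[-1]
    return {
        "window": [version for version, _ in per_review],
        "per_review": per_review,
        "average": average,
        "latest_version": latest_version,
        # positive: the latest review has more of that answer than the window average
        "delta": {a: latest[a] - average[a] for a in ANSWERS},
    }


def trend(metrics, answer):
    """Say whether the latest review's count of `answer` is above/below/on the average."""
    delta = metrics["delta"][answer]
    return "above average" if delta > 0 else "below average" if delta < 0 else "on average"
```

With the sample data, v1.0.0 falls outside the five-review window, so the NA average is 3.0 and the five NA answers in v2.0.0 come out above it; whether that is better or worse is a judgement the reviewer still has to make.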
Thank you Steven van der Baan for reporting a bug in v1.0 and v1.1 relating to how Agnitio handled date formats in reports.
As I mentioned earlier in the blog post, this release of Agnitio will be the last 1.x release. I’m currently working on v2.0 of Agnitio and I’m looking for suggestions from you all on what you would like to see in it. The two biggest features I will be including in v2.0 are briefly explained below:
- Guidance data editor. This will allow you to edit the data displayed in the checklist and principles guidance sections so it can be tailored to suit the needs and standards of your organisation.
- Code analysis section. This section will be quite similar to tools such as the OWASP Code Crawler, but with the additional benefit of linking the code analysis findings to specific checklist questions and, of course, the relevant guidance information. This will allow you to analyse source code, complete a security code review, and produce security code review reports and metrics, whilst having the guidance information you need when you need it the most, all in one tool.
If you currently use Agnitio and have any suggestions for new features or changes in v2.0 please get in touch!
If you are upgrading from Agnitio v1.0.0, I cannot stress enough the importance of reading the new user guide. There is a specific set of instructions you must follow to upgrade to v1.2 without losing your data.
You can download the new version here.
As always I’d love to hear what you think of this version of Agnitio!