What is Canopy?

Canopy is a business support tool for pentest, security assessment and audit teams: it is to those teams what a CRM is to a sales team. Canopy helps both technical and non-technical users by providing a system that supports the delivery of assessments from inception (i.e. opportunity) through to delivery (i.e. reporting). A managed process for assessment delivery can greatly improve efficiency, and ultimately help to increase the revenue of the company using it.

How is access control implemented?

Canopy implements a Role-based Access Control (RBAC) solution to provide both global and granular permissions for user roles. This gives a great deal of flexibility, allowing Canopy to scale from teams of fewer than five people to large enterprises where security and non-security staff need to access the data stored in Canopy. The default access control setup is conservative: senior-level users are granted broad access throughout the system, while lower-level analysts are restricted to data on an as-needed basis.

What is a company?

A company acts as a container for all data relating to that company. Such data might include:

  • Background information about the company
  • Company contact information (i.e. basic CRM functionality)
  • Opportunities relating to a company (including scopes, financial details and statements of work)
  • Projects relating to a company (including their findings, reports, etc.)

The company acts as a central view of all of the data relating to a given client.

What is an opportunity?

An opportunity is part of the pre-sales activity that many pentest and security assessment teams manage. The opportunity captures the request for an assessment, and can be expanded through the addition of one or more phase scopes. Phase scopes can in turn be used to generate statements of work, which are effectively the agreement between the pentest or assessment team and its client.

What is a phase scope?

A phase scope is a simple form- and Q&A-based component for capturing information about a potential engagement. Template questionnaires can be used to drive the information-gathering activities, and these can also be tailored on a per-engagement basis. Phase scopes can be used to build statements of work.

What is a statement of work?

A statement of work (SoW) is a document issued to clients that states the background and the activities agreed for delivery purposes. It can also include financial information about the project, if required. Once an SoW has been approved, it can be used to provision a corresponding project. SoWs can be defined as flexibly as the user requires via SoW templates.

What is a project?

A project is a container for one or more phases. The project acts as the top-level container for phases, findings, assets, examples and more. It can be used for one-off engagements or as a way of tracking longer-running engagements (e.g. regular retesting or iterative testing).

What is a phase?

What is a finding?

What is an asset?

What is an example?

What is a reference?

What is a taxonomy?

What is a methodology?

What is a report?

What is the knowledge base?

The knowledge base (KB) is where common, reusable finding write-ups are stored. For example, a typical write-up might relate to SQL Injection. Once an entry exists for SQL Injection and has been approved, other users of the system can use it on engagements. This provides a very quick way of adding quality content to a phase: the user is saved the time of writing up the standard SQL Injection finding, leaving them free to focus on exploring the issue. KB findings can also be linked to methodologies and tool importers.

What is a report template?

A report template is the form inside Canopy that corresponds to the Word template used to generate reports. The report template allows users to store canned content (e.g. a default Executive Summary write-up). Again, the focus is on creating as much reusable content as possible while providing a standard structure for users to follow; giving users a web-based solution also helps prevent corruption of the company's document templates. Each report template has a corresponding Word document, which is mapped using CheckSec's Template Builder. Once a report template has been created, it can be enabled and made accessible to other users.

What is a statement of work template?

An SoW template is a document-based form used to create a common structure and reusable content for SoWs created and generated from the system. The SoW template structure is mapped to a corresponding Word template, and is used to create SoW documents for issuing to customers. Once an SoW template has been created, it can be enabled and made accessible to other users.

What are tool importers?

Tool importers take data from a given source (e.g. Burp, Nessus, Qualys), parse it and import it into a defined Canopy structure. This normalises the data from multiple tools into a common data structure. Tool importers are shipped with Canopy, although users are free to extend, override or create importers for their own needs.
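The normalisation step described above, as an added example that is not Canopy's importer code: two parsers read constructed samples of the Nessus v2 (.nessus) and Burp Suite XML export formats and map them onto one common Finding record. The Finding fields, the severity scale and the dispatch table are assumptions made for illustration; only the scanner formats themselves are real. Scanner exports are untrusted input (they come from a file a user uploads), so unknown sources are rejected rather than guessed at.

```python
"""Normalise Nessus and Burp XML exports into one common finding structure.

Added example, not Canopy's code. The Finding fields, SEVERITIES scale and
IMPORTERS table are assumptions for illustration. The two samples at the
bottom are constructed for this example.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Common severity scale that every importer maps its tool-native rating onto.
SEVERITIES = ("info", "low", "medium", "high", "critical")

# Nessus uses an integer 0-4 in the ReportItem severity attribute.
NESSUS_SEVERITY = {"0": "info", "1": "low", "2": "medium", "3": "high", "4": "critical"}
# Burp uses a word in the <severity> element.
BURP_SEVERITY = {"information": "info", "low": "low", "medium": "medium", "high": "high"}


@dataclass(frozen=True)
class Finding:
    tool: str         # importer that produced the record
    title: str
    severity: str     # one of SEVERITIES
    asset: str        # host, IP or base URL the issue was found on
    location: str     # port/protocol for Nessus, URL path for Burp
    description: str
    raw_id: str       # tool-native identifier (plugin ID, issue type)


def parse_nessus(xml_text: str) -> list[Finding]:
    """Walk ReportHost/ReportItem elements of a .nessus (v2) export."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        asset = host.get("name", "")
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                tool="nessus",
                title=item.get("pluginName", ""),
                severity=NESSUS_SEVERITY.get(item.get("severity", "0"), "info"),
                asset=asset,
                location=f"{item.get('port', '')}/{item.get('protocol', '')}",
                description=(item.findtext("description") or "").strip(),
                raw_id=item.get("pluginID", ""),
            ))
    return findings


def parse_burp(xml_text: str) -> list[Finding]:
    """Walk <issue> elements of a Burp Suite XML export."""
    root = ET.fromstring(xml_text)
    findings = []
    for issue in root.iter("issue"):
        rating = (issue.findtext("severity") or "").strip().lower()
        findings.append(Finding(
            tool="burp",
            title=issue.findtext("name") or "",
            severity=BURP_SEVERITY.get(rating, "info"),
            asset=issue.findtext("host") or "",
            location=issue.findtext("path") or "",
            description=(issue.findtext("issueDetail") or "").strip(),
            raw_id=issue.findtext("type") or "",
        ))
    return findings


# Dispatch table: adding a tool means adding one parser here (an assumption).
IMPORTERS = {"nessus": parse_nessus, "burp": parse_burp}


def import_findings(source: str, xml_text: str) -> list[Finding]:
    """Run the importer for `source`, rejecting unknown sources; worst first."""
    if source not in IMPORTERS:
        raise ValueError(f"no importer for {source!r}")
    findings = IMPORTERS[source](xml_text)
    return sorted(findings, key=lambda f: (-SEVERITIES.index(f.severity), f.asset, f.title))


# Constructed sample of a Nessus v2 export (two ReportItems on one host).
NESSUS_SAMPLE = """<NessusClientData_v2><Report name="example">
 <ReportHost name="10.0.0.5">
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
              pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted" pluginFamily="General">
   <description>The server's X.509 certificate cannot be trusted.</description>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
              pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
   <description>Information about this scan.</description>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

# Constructed sample of a Burp Suite XML export (one issue).
BURP_SAMPLE = """<issues burpVersion="2023.1"><issue>
 <serialNumber>1</serialNumber><type>1049088</type><name>SQL injection</name>
 <host ip="10.0.0.5">https://app.example.test</host><path>/search</path>
 <severity>High</severity><confidence>Certain</confidence>
 <issueDetail>The q parameter appears to be vulnerable to SQL injection.</issueDetail>
</issue></issues>"""

if __name__ == "__main__":
    for f in import_findings("nessus", NESSUS_SAMPLE) + import_findings("burp", BURP_SAMPLE):
        print(f"[{f.severity:8}] {f.tool}:{f.raw_id} {f.asset} {f.location} {f.title}")
```

Because the uploaded file is attacker-influenced (a scanner can be pointed at a hostile target whose banners end up in the export, and the file itself can be hand-edited), a production importer should parse with defusedxml's `defusedxml.ElementTree.fromstring` rather than the standard library parser, cap the accepted file size, and treat every extracted string as untrusted text when it is later rendered into a report.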
