If you're new to Canopy, there are some concepts and basics that you should know in order to use the application.
- Key Concepts: in this article we cover the key concepts of Canopy.
- Getting Started: a ~20 minute overview to help you start using Canopy as soon as possible.
Organising your delivery through companies, opportunities and projects
Canopy allows you to organise your data into a hierarchical model. At the top is the Company (or Client). Within a company we store opportunities, scopes, projects, phases, findings, assets, reports and everything else relating to our assessments.
- Companies: a company (or client) is the top-level container where we store all of the projects, opportunities, findings, reports and so on relating to a single company.
- Opportunities: the pre-sale phase of service delivery is very important. It's where we capture the necessary scope and information for delivering our projects, defining the commercial agreements and confirming with our clients what is to be done (e.g. statement of work). Canopy's Opportunity module allows us to manage this phase of the delivery workflow.
- Phase scopes:
- Statements of work: a statement of work (SoW) is a document sent to a client to confirm the key details of a test. This might include the technical scope, delivery dates and financial information.
- Projects: Canopy organises its main delivery work into projects and phases. Here we explain the key concepts and why we take this hierarchical approach.
- Phases: phases in Canopy are used to store the findings, assets, examples (evidence) and other data collected during delivery. A phase provides a container for managing this information, which can then be used for reports.
Getting work done
Once you have your structure set up to organise your teams for delivery, it's time to get work done. Fundamentally Canopy structures its data around
- Logging in: a short guide to logging in to Canopy. Most people should be familiar with such processes, but we think it's good to cover the basics (and some of the other authentication options).
- The Dashboard: your first interaction with Canopy, and what to do next.
- Findings: Findings (or vulnerabilities in some companies) are a cornerstone of Canopy. Many of the types of projects delivered by teams that use Canopy centre around findings and the relationship of these findings to assets (be they servers, source code, physical buildings, etc.).
- Assets: Assets are another key cornerstone of Canopy. Assets are used to bind Findings to Examples (evidence). Conceptually, when a finding is identified, it relates to a given asset (be that source code, a building, etc.).
- Examples: Examples are additional data points used to show how a finding was identified. This can take the form of repeatable steps, screenshots, code or tool output and so on.
- Methodologies: methodologies help to ensure work is delivered consistently across similar projects.
- Reports: the typical end delivery from a project is a report (or many reports). Learn more about how to generate reports for delivering to your clients.
- Other concepts (references, taxonomies and more): Canopy provides a number of other (optional) features to help improve your delivery and structure your information for reporting and analysis.
Reusing content with templates
A major benefit of Canopy is that it allows you to reuse content where you believe it's appropriate. You can keep stock finding write-ups in the Findings Knowledge Base, and use template reports and template statements of work to get a head start on writing documents, among other things. This allows users of Canopy to reduce the time spent rewriting the same content, and also to ensure consistency where needed.
- Findings Knowledge Base: the findings knowledge base (KB) acts as a repository for reusable write-ups for findings. The main point of reusable content is to ensure consistency, but only where it's required. The existence of a KB shouldn't mean clients receive generic content, but it does allow users to have a starting point for tailoring content, and to use common information where it makes sense.
- Template reports: template reports are used for building the end-user reports you want to send to your clients. These are built using a simple form builder inside of Canopy, and then mapped to Word documents (see more in LINK).
- Template statements of work: much like template reports, the template statement of work (SoW) is used to produce custom, company branded, SoWs or proposals for issuing to your clients. The process is the same, although the data these document templates access is different.
- Template methodologies: methodologies are commonly used to establish best practices within service delivery organisations. The template methodology section is used to define such methodologies, which can then be used for delivery as required.
- Template taxonomies: template taxonomies provide a way of linking findings to external (e.g. CWE) and internal/client (e.g. client-specific secure development requirements) reference material, in a way that can then be included in reports or analytics.
- Template scoping questionnaires: in order to scope projects, it's typical to use questionnaires to capture mandatory and nice-to-have information in preparation for delivery. Reusable questionnaires help with consistency in this approach.