What's new?

Canopy 3 is the next major release in Canopy's journey from a humble docx report generation tool, to an end-to-end solution for managing security testing and security test results. With Canopy 3, we feel we have finally arrived at a product that can really help our users manage all stages of the process: from qualifying an opportunity and scoping an engagement, right through to reporting. But we won't stop here and we're already working on new features to help our users mange the security assessment process more effectively.

Redesigned user experience

When we released Canopy 2, we were really proud of the user interface. But after a while we felt that we had almost managed to reinvent angelfire. With that in mind, we set about to create an application experience that our users would both like and would be efficient for them to use. By drawing on Google's Material Design principles, we've implemented a beautifully modern design, with optomisations for the primary users of the application (with more to come).

Projects: single and multiple phase engagements

Canopy 2 separated the concept of assessment and report. This had some advantages, as it allowed arbitrary assessments to be linked together. However, users generally want to link related assessments together, and this separation was confusing to some. We added the concept of a project container to Canopy, which contains all phases and reports relating to that project. This allows users to have single or multi-phase engagements, and to also include re-tests (see below) within the same project.

Opportunities and Statements of Work

Our goal with Canopy is to bring full assessment process management. The addition of working with opportunities and statements of work brings Canopy a step closer to achieving that goal. Canopy now allows you to create an opportunity, scope phases and issue Statements of Work (SoW) to clients. It's possible to work with both the technical information and the financial information. We've stopped short of adding involving capabilities to Canopy, but we think the functionality that's there is a major improvement over most peoples manual processes.

Re-test support

Quite often, assessments are re-run in order to validate fixes or extend testing over new features. Having to perform a re-test from zero is often time consuming, involving lots of cut/paste from previous reports. In Canopy 3, it's possible to create a re-test phase and simply update the state of the finding. You can also add an optional note on any updated observations when testing the finding. It's also possible to exclude certain findings from the re-test scope. This is a very efficient way of conducting retesting.

Image paste

Importing images in Canopy 2 could slow down the user's reporting - especially where many images were needed. With Canopy 3, it's possible to simply drag and drop or cut and paste images directly into the WYSIWYG fields.

Status tracking

Tracking a finding's state is an important task as testing moves towards supporting more agile teams. It may be required to update a findings state during a single phase engagement, as well as during multi-phase engagements with retests. With Canopy it's trivial to update the status of a single or multiple findings, and use this information in reports.

Document review workflow

Document review takes a major step forward in Canopy 3. It's now possible to request a technical peer review and pass a report on for quality control

Native charting

Canopy 3 adds native charting support for reports. Up until now, Canopy presented charts as images that could be inserted into reports. This was both limited in the number of charts supported, and stylistically problematic - as our images used fixed styling. With native chart support, users can design their own charts that match their styles. It's even possible to combine the native chart support with the plugin system to create more complex charts than we support out-of-the-box.

All of Word's charts are supported. However, chart templates are not currently supported. However, you're probably wondering what they are - and so were we when we started implementing support for charts. If you have a requirement for chart template support, please get in touch!

Custom fields

Canopy's goal of adapting to user requirements has been largely solved on the reporting side. However, sometimes there are requirements to extend Canopy's data model. This is now possible via the custom field settings in the Canopy administration section. This currently supports adding custom fields to a finding or a KB entry. It's a great way of capturing additional data points during your assessments, or adding custom fields for specific clients.

Plugin system

We make significant use of the plugin system for importing data from tools and for supporting customised rating systems. And now our users can do the same. Documentation and guidelines for the plugin system will be released soon, along with some examples. This is an exciting feature for us, and when combined with the API server (see below), it will make Canopy a highly flexible and customisable solution for our users.

API server

Extending Canopy was a major feature request in version 2. For Canopy 3, we not only added an API backend, we're also using it as our primary interface for working with Canopy's data. This will mean that the API is maintained and improves over time. The API server is RESTful, and supports Basic Auth and OAuth authentication methods.

Word support improvements

Beyond adding support for charting in our Word generation library, we've also added support for a number of features in Word documents which our users find important. Such improvements include:

  • Improved style reference support
  • Cross-referencing support via page references
  • Support for styled list types
  • Image margin and styled border support
  • Improved table style support

Further improvements to Word support are planned over the next few months.

New Methodologies interface

In Canopy 2, methodologies were a useful way of tracking how users were progressing during an assessment (if a methodology was used). Canopy 3 improves this by making it easier to work with methodologies and quickly get a summary of methodology progress. It's also possible to link methodologies and KB findings together, making it easy to add findings relating to methodology items and update the status of methodology items from findings added from the KB or manually. This is a great way of driving reports from a methodology, and could even be used to indicate positive feedback for users.

User-defined taxonomies

Canopy 2 shipped with three fixed taxonomies: OWASP Top 10 2013, SANS Top 25 and WASC. This was useful to a number of our users, as it became simple to automatically classify findings and draw stats based on those classifiers. Now it's possible for users to add their own taxonomies. Do you work with a client that has an in-house standard you want to tracked their findings against? Now it's easy to do with Canopy. This can allow reports to be highly relevant in providing feedback for key clients.

And more ...

A bunch of other changes have occurred also. Here are some more mentions, although there are far too many to include everything here:

  • In-app and email notifications
  • Role-based access controls supporting global and per-object permissions
  • Activity and audit logs
  • Native operating system installers
  • Simplified management commands and application log aggregation for easier administration
  • Reduced code complexity and improved test coverage


A number of planned roadmap items are either underway and will be released over the year. The following key features are in development or planning stages:

  • Redesigned scheduler
  • Multi-team support
  • Active directory integration
  • Two-factor authentication
  • Client portal
  • Analytics
  • And much more

We'll be preparing new approaches for working with our clients on identifying and evaluating new and improved features over the coming year. As always, if you have a request for a new feature, just send a message to the support team and we'll happily discuss it with you further.

Thanks from all the team here at CheckSec.