User guide
Welcome to the Canopy user guide. This section provides useful information and guides on how to perform the most important tasks as a tester or manager when using Canopy.
- About Canopy
- Assets
- Clients
- Dashboard
- Examples
- Findings
- Getting started
- Findings Knowledge Base
- Key concepts
- Logging in
- Message templates
- Methodologies
- Methodology templates
- Opportunities
- Phases
- Projects
- Public Datasets
- Report templates
- Reports
- Statement of work templates
- Substitution variables
- Taxonomy templates
- Supported tools
- Working with Jira
If you’re new to Canopy, there are some concepts and basics that you should know in order to use the application.
- Key concepts
In this article we cover some key concepts in Canopy.
- Getting started
This is a ~20 minute overview to help you get started using Canopy as soon as possible.
Organising your delivery through clients, opportunities and projects
Canopy allows you to organise your data into a hierarchical model. At the top is the Client. Within a client we store opportunities, scopes, projects, phases, findings, assets, reports and everything else relating to our assessments.
Clients: A client is the top-level container where we store all of the projects, opportunities, findings, reports and so on relating to a single client.
Opportunities: The pre-sale phase of service delivery is very important. It is where we capture the scope and information needed to deliver our projects, define the commercial agreements and confirm with our clients what is to be done (e.g. a statement of work). Canopy's Opportunity module allows us to manage this phase of the delivery workflow.
Projects: Canopy organises its main delivery work into projects and phases. Here we explain the key concepts and why we take this hierarchical approach.
Phases: Phases in Canopy are used to store the findings, assets, examples (evidence) and other data collected during delivery. They provide a container for managing this information, which can then be used for reports.
Getting work done
Once you have set up your Canopy instance (see: Getting started) you can proceed with general use of the application.
The following reference information will help you understand Canopy's functionality better.
Logging in: A short guide to logging in to Canopy. Most people will be familiar with the process, but we think it is worth covering the basics (and some of the other authentication options).
Dashboard: Your first interaction with Canopy, and what to do next.
Findings: Findings (called vulnerabilities in some companies) are a cornerstone of Canopy. Many of the types of project delivered by teams that use Canopy centre on findings and the relationship of those findings to assets (be they servers, source code, physical buildings, etc.).
Assets: Assets are another key cornerstone of Canopy. Assets are used to bind Findings to Examples (evidence). Conceptually, when a finding is identified it relates to a given asset (be that source code, a building, etc.).
Examples: Examples are additional data points used to show how a finding was identified. They can take the form of repeatable steps, screenshots, code, tool output and so on.
Methodologies: Methodologies help to ensure work is delivered consistently across similar projects.
Reports: The typical end deliverable from a project is a report (or several reports). Learn more about how to generate reports for delivery to your clients.
Reusing content with templates
A major benefit of Canopy is that it allows you to reuse content where you believe it is appropriate. You can keep stock finding write-ups in the Findings Knowledge Base, and use base report templates and statement of work templates to get a head start on writing documents. This reduces the time spent rewriting the same content and helps ensure consistency where it is needed.
Findings Knowledge Base: The findings knowledge base (KB) acts as a repository of reusable write-ups for findings. The main point of reusable content is to ensure consistency, but only where it is required. The existence of a KB should not mean clients receive generic content; it gives users a starting point for tailoring content and lets them reuse common information where that makes sense.
Report templates: Report templates define the layout of the end-user reports you send to your clients. They are built using a simple form builder inside Canopy and then mapped to Word documents. A template contains sections and fields custom to your reporting needs; these structures add to Canopy's existing data set (e.g. findings and assets), giving you report-centric fields (e.g. Executive Summary, Technical Summary) to suit your reporting needs.
Statement of work templates: Much like report templates, statement of work (SoW) templates are used to produce custom, client-branded SoWs or proposals for issuing to your clients. The process is the same, although the data these document templates access is different.
Methodology templates: Methodologies are commonly used to establish best practices within service delivery organisations. The methodology template section is used to define such methodologies, which can then be used for delivery as required. Refer to Public Datasets to see which methodologies come preloaded with Canopy.
Message templates: Message templates are used to build standard messages for user and client notifications. Do you have a standard set of emails you send out before, during and after tests? This feature allows you to build those templates in Canopy.
Taxonomy templates: Taxonomy templates provide a way of linking findings to external (e.g. CWE) and internal/client (e.g. client-specific secure development requirements) reference material, in a way that can then be included in reports or analytics. Refer to Public Datasets to see which taxonomies come preloaded with Canopy.
Other tasks
Working with Jira: How to work with Jira from Canopy to help share information between testers and development/ops teams.