OWASP - User contributions [en]

GSoC2019 Ideas

2019-03-25T07:00:31Z

Foobar: /* OWASP-SKF */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

==OWASP-SKF==

=== Idea 1 Improving the Machine Learning chatbot: ===
We want to extend the functionality of SKF Bot. (Security Knowledge Framework Chatbot):

Some improvements or the suggestions which we can do to improve the functionality are:

1. Create a desktop version of the chatbot. Where people can install the setup file on their local machine.

2. Create a Plugin or website bot which we can add in the website for better chat experience for the user.

3. Extend the bots capability to do the google search (using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.

4. Add basic conversation flow which makes SKF Bot friendly and provides the better user experience. Example: Replies to the general queries like How are you? What is your Name etc?

5. Extend the bot capability to reply to what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
# Extend the bot to different platforms like Facebook, telegram, slack, Google Assistant etc.
Existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot on Gitter Community.

'''Getting started:'''

· Get familiar with the architecture and code base of SKF (Security Knowledge Framework)

· Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results

· Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''

· Python 3+, Flask, Coffee Script

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

Priyanka Jain (Mentor)

=== Idea 2 Improving and building Lab challenges and write-ups: ===
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be

easily deployed.

In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and

a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the

vulnerabilities in their own code.
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their

labs running. Of course they can download it and build it themselves from source by pulling the original repository.

=== Idea 3 Addition of exploitation framework + labs + challenges and write ups ===
The proposal for SKF (Security Knowledge Framework) involves addition of “Exploit Development Framework” , the idea revolves around how does one start with Linux exploit development from basic string format attacks to advance buffer overflows.

The idea is to develop an addition (framework) which intergrates SKF, that now gives you an hands on experience for writing exploit code deployed over various containers with the help of dockers for easy and instant deployment.

The framework will involve a browser based environmental (shell) and inbuilt chat utility that will be guiding you on how to go from an absolute beginner with gdb basics to all the way to how to bypass various protections like ASLR/NX/Canaries on Linux environment.

Each challenge will have a dedicated container to easily maintain various challenges, also it will give you an option to connect to binary running on a particular port if you want to access it via your own machine, and also the source to the vulnerable code. This idea gives user a flexibility to experiment with the idea and even automate the attacks in python via socket programs or user intermediate framework like pwntools.

The whole idea of challenges isn’t limited to stack based buffer overflows, but includes various challenges like format string attacks, double frees, heap overflows and privilege escalations.

Total number will be deploying 20 challenges, the whole idea isn’t limited to exploit development but also to try out some very advance exploitation techniques like blind ROPs and lots of experimentation.

The whole add on also comes with a dedicated document with very well written ways to exploit challenges in various flavours like manual, automated, advanced.

Upon completion of labs and write ups the NLP model can be trained now to know not just web, but also all about various languages like C / C++ coding best practices and risk involved with calls like free (); puts(); and not just only tell the theory on why is it bad but also train you and guide you why it is bad and how you can write an exploit from a vulnerable code.

Upon completion of labs with ASLR turned off on (non ASLR) stages they can be turned on and lead to ROP with ASLR and even more challenging questions.

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

Priyanka Jain (Mentor, SKF Contributor)

== OWASP DefectDojo ==
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.

'''Issue Tracking:'''

Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases.

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo
* Each feature comes with full functional unit and integration tests
'''Getting started:'''
* Get familiar with the architecture and code base of the application built on Django
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.
* Get familiar with the CI/CD process based on Travis-CI
'''Knowledge Prerequisites:'''
* Python, Django, Javascript, Unit/Integration testing.
'''Potential Mentors:'''
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader
'''Option 1: Unit Tests - Difficulty: Easy'''
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
* The project needs additional unit tests to ensure that new code functions properly.
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests]
* Complete Code Coverage Testing
** Validate Tests exist for the following (create any that are missing):
*** Finding, Test, Engagement, Reports, Endpoints
*** Import from all scanners
'''Option 2: Python3 Completion'''
* DefectDojo is finishing up a migration to Python3
Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3
* Ensure all features work
* Travis testing works correctly
'''Option 3: Scan 2.0 / Launch Containers'''

Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proof of concepts exist for this using the AppSecpPipeline to launch containers and then push those finding into the appropriate product.
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.

== OHP (OWASP Honeypot) ==

[[OWASP_Python_Honeypot|OWASP Honeypot]] is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.

=== Getting Start ===

It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to adding more modules and optimize the core.

=== Technologies ===

Currently we are using

* Docker
* Python
* MongoDB
* TShark
* Flask
* ChartJS
* And more linux services

=== Expected Results ===

* Zero Bugs: Currently we may have several bugs in different conditions, and it's best to test the all functions and fix them
* Monitoring: Right now monitoring limited to the connections (send&recieve) and it's best to store and analysis the contents for farther investigations and recognizing incoming attacks.
* Duplicated codes: codes are complicated and duplicated in engine, should be fixed/clean up
* New modules: add some creative ICS/Network/Web modules andvulnerable web applications, services and stuff
* API: update API sync to all features
* WebUI: Demonstrate and add API on WebUI and Live version with all features
* WebUI Special Reports: Track the attacks more creative and provide high risk IPs
* Database: Better database structure, faster and use queue
* Data analysis: Analysis stored data and attack signatures
* OWASP Top 10: Preparing useful processed/raw data for OWASP top 10 project

=== Students Requirements ===

* Python
* Packet Analysis & Tshark & Libpcap
* Docker
* Database
* Web Development Skills
* Honeypot and Deception knowledge

=== Mentors and Leaders ===

* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!

To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''

=== Feature Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)
* Each feature comes with full functional unit and integration tests
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Juice Shop Mobile ===

'''Brief Explanation:'''

A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.

''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''

''' Getting started '''
* Get familiar with the architecture and code base of the application's RESTful backend
* Get familiar with Native App developement
* Get familiar with Mobile vulnerabilities

'''Expected Results:'''
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Challenge Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Hacking Instructor ===

'''Brief Explanation:'''

While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.

''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''

'''Expected Results:'''
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges
* Documentation how to configure or script the "Hacking Instructor" for challenges in general

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP-Securetea Tools Project ==
The OWASP SecureTea Project is an application designed to help secure a person's laptop or computer / server with IoT (Internet Of Things) and notify users (via various communication mechanisms), whenever someone accesses their computer / server. This application uses the touchpad/mouse/wireless mouse to determine activity and is developed in Python and tested on various machines (Linux, Mac & Windows).
The software is still under development, and will eventually have it's own IDS(Intrusion Detection System) / IPS(Instrusion Prevention System), firewall, anti-virus, intelligent log monitoring capabilities with web defacement detection, and support for much more communication medium.
. -
https://github.com/OWASP/SecureTea-Project/blob/master/README.md

===Brief Explanation===
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT.

===Idea===
Below roadmap and expect results you can choose to improve Securetea Project .
if any bugs please help to fix it

===Roadmap===
See Our Roadmap 
https://github.com/OWASP/SecureTea-Project#roadmap 

===Expect Results ===
 
Securetea Protection /firewall 
Securetea Antivirus 
Notify by Whatsapp 
Notify by SMS Alerts 
Notify by Line 
Notify by Telegram 
Intelligent Log Monitoring include Web Deface Detection 
Detection of malicious devices 
Login History 
=== Students Requirements ===

* Python
* Javascript
* Angular and NodeJS/Express
* Database
* Linux

=== Mentors ===

* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) 
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)
 

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.

=== OWASP OWTF - Passive Online scanner improvements ===
'''Brief Explanation'''

OWTF allows many passive tests, such as those using third party websites like Google, Bing, etc. searches, as well as handy "Search for vulnerability" search boxes (i.e. Fingerprinting plugin). This feature involves the creation of a '''script''' that produces an interactive OWTF report with the intention of hosting it in the github.io site. The idea here is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply visiting a URL.

This would be a normal OWTF interactive report where the user can:
* Enter a target
* Try passive plugins (only the parts that use no tools)
* Play with boilerplate templates from the OWTF interactive report
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.

'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner, simply makes OWTF passive testing '''through third party websites''' more accessible to anybody, however it is the user that must 1) click the link manually + 2) do something bad with that afterwards + 3) doing 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''
* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]

===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP iGoat (draft) ==
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.

'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security

== OWASP Seraphimdroid ==
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is Android security and privacy app, with features to enhance user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.

=== Idea 1: Anomaly detection of device state ===
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors

=== Idea 2: On device machine learning of maliciousness of an app ===
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious.

=== Idea 3: Enhansing privacy features ===
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that uthe user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledgebase shouldbbeextending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

=== Active Scanning WebSockets ===
: '''Brief Explanation:'''
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* An pluggable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated Authentication Detection and Configuration ===
: '''Brief Explanation:'''
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
: This is time consuming and error prone.
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== IoT Goat ==
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018].

===Idea 1: Insecure firmware web application ecosystem===
'''Brief Explanation:'''

A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.

''' Getting started '''
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-
* Create a GitHub account to be added as a collaborator to the repository
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md

'''Expected Results:'''

Development of a simple web application user interface with web services and API's deployed locally on the OpenWrt firmware. Documented challenges of how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide:
* Command injection
* SQL injection
* Local file inclusion
* XXE injection,Insufficient Authentication
* Transfer sensitive data using insecure channels
* Store sensitive data insecurely
Vulnerable SOAP web services and REST API implementations are in-scope.

'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Embedded and/or web development (nice to have)
** Web application code can be developed using the following common embedded programming languages:
*** Lua
*** PHP
*** C/C++
*** JavaScript

===Idea 2: Insecure network services===
'''Brief Explanation:'''

Deliberately insecure services configured within OpenWrt such as an miniupnp daemon configured with secure_mode off (Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from), to demonstrate a port mapping attack where an attacker from inside the network exposes a service that typically should be behind a LAN to the internet).

''' Getting started '''
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-
* Create a GitHub account to be added as a collaborator to the repository
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md

'''Expected Results:'''

Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.
* Example of network insecure services include:
** FTP
** Telnet
** miniupnpd
** HTTP
'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Network security

===Idea 3: Insecure firmware build system===
'''Brief Explanation:'''

Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages.

''' Getting started '''
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds
** https://openwrt.org/docs/guide-developer/start
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem
** https://github.com/openwrt/openwrt

'''Expected Results:'''
* Provide walkthrough examples of insecure design choices for building firmware.
* Provide suggested mitigation security controls

'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Embedded development (C/C++)

===Suggest your own ideas===
You may suggest additional challenges or ideas that fit this project's objectives.

=== Mentors and Leaders ===
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

==OWASP Web Honeypot Project ==

The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data.

https://www.owasp.org/index.php/OWASP_Honeypot_Project

https://github.com/OWASP/Honeypot-Project/

===Brief Explanation===
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. 

The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. 

===Idea===
Project progression:
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to a diverse a user set as possible.
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software, analysis programmes and provide a portal for communicating our finds and recommendations back to the community in a meaningful manner.
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention.

===Expect Results ===

Some of the ideas from last year's summit

* Setup Proof of Concept to understand how Mod Security baed Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).
* Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in MosSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts for single and multiple probes.
* Develop a mechanism to convert from stored MySQL to JSON format.
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.
* Provide a mechanism to forward honest output into threat intelligence format such as STIX using something like the MISP project(https://www.misp-project.org) to share Threat data coming from the Honeypots making it easy to export/import data from formats such as STIX and TAXII., may require use of concurrent logs in a format that MISP can deal with.
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.
* Develop a new VM based honeypot/robe based on CRS v3.0.
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.
* Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received.

=== Students Requirements ===

Some of the skills we are looking for:

* Apache/Tomcat
* Any experience of MISP
* MySQL & JSON
* ELK
* STIX/TAXII
* Python
* ModSecurity/mlogc
* OWASP Core RuleSet (CRS)
* Linux
* VM/Docker

=== Mentors ===

* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) 

===Suggest your own ideas===

You may suggest additional challenges or ideas that fit this project's objectives.

==OWASP Risk Assessment Framework ==
Tool projects aim to assessment more than one or many web application using owasp risk rating mathodologies.
https://github.com/OWASP/RiskAssessmentFramework

'''Idea 1:''' make dashboard with databases and can assess many website based owasp risk rating mathodologies, create graph and report in pdf,word & excel format.
=== Mentors ===
* [mailto:ade.putra@owasp.org Ade Yoseman] -

GSoC2019 Ideas

2019-03-25T06:53:06Z

Foobar: /* OWASP-SKF */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

==OWASP-SKF==

=== Idea 1 Improving the Machine Learning chatbot: ===
We want to extend the functionality of SKF Bot. (Security Knowledge Framework Chatbot):

Some improvements or the suggestions which we can do to improve the functionality are:

1. Create a desktop version of the chatbot. Where people can install the setup file on their local machine.

2. Create a Plugin or website bot which we can add in the website for better chat experience for the user.

3. Extend the bots capability to do the google search (using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.

4. Add basic conversation flow which makes SKF Bot friendly and provides the better user experience. Example: Replies to the general queries like How are you? What is your Name etc?

5. Extend the bot capability to reply to what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
# Extend the bot to different platforms like Facebook, telegram, slack, Google Assistant etc.
Existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot on Gitter Community.

'''Getting started:'''

· Get familiar with the architecture and code base of SKF (Security Knowledge Framework)

· Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results

· Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''

· Python 3+, Flask, Coffee Script

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

Priyanka Jain (Mentor)

=== Idea 2 Improving and building Lab challenges and write-ups: ===
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be

easily deployed.

In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and

a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the

vulnerabilities in their own code.
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their

labs running. Of course they can download it and build it themselves from source by pulling the original repository.

===== Idea 3 Addition of exploitation framework + labs + challenges and write ups =====
The proposal for SKF (Security Knowledge Framework) involves addition of “Exploit Development Framework” , the idea revolves around how does one start with Linux exploit development from basic string format attacks to advance buffer overflows.

The idea is to develop an addition (framework) which intergrates SKF, that now gives you an hands on experience for writing exploit code deployed over various containers with the help of dockers for easy and instant deployment.

The framework will involve a browser based environmental (shell) and inbuilt chat utility that will be guiding you on how to go from an absolute beginner with gdb basics to all the way to how to bypass various protections like ASLR/NX/Canaries on Linux environment.

Each challenge will have a dedicated container to easily maintain various challenges, also it will give you an option to connect to binary running on a particular port if you want to access it via your own machine, and also the source to the vulnerable code. This idea gives user a flexibility to experiment with the idea and even automate the attacks in python via socket programs or user intermediate framework like pwntools.

The whole idea of challenges isn’t limited to stack based buffer overflows, but includes various challenges like format string attacks, double frees, heap overflows and privilege escalations.

Total number will be deploying 20 challenges, the whole idea isn’t limited to exploit development but also to try out some very advance exploitation techniques like blind ROPs and lots of experimentation.

The whole add on also comes with a dedicated document with very well written ways to exploit challenges in various flavours like manual, automated, advanced.

Upon completion of labs and write ups the NLP model can be trained now to know not just web, but also all about various languages like C / C++ coding best practices and risk involved with calls like free (); puts(); and not just only tell the theory on why is it bad but also train you and guide you why it is bad and how you can write an exploit from a vulnerable code.

Upon completion of labs with ASLR turned off on (non ASLR) stages they can be turned on and lead to ROP with ASLR and even more challenging questions.

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

== OWASP DefectDojo ==
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.

'''Issue Tracking:'''

Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases.

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo
* Each feature comes with full functional unit and integration tests
'''Getting started:'''
* Get familiar with the architecture and code base of the application built on Django
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.
* Get familiar with the CI/CD process based on Travis-CI
'''Knowledge Prerequisites:'''
* Python, Django, Javascript, Unit/Integration testing.
'''Potential Mentors:'''
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader
'''Option 1: Unit Tests - Difficulty: Easy'''
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
* The project needs additional unit tests to ensure that new code functions properly.
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests]
* Complete Code Coverage Testing
** Validate Tests exist for the following (create any that are missing):
*** Finding, Test, Engagement, Reports, Endpoints
*** Import from all scanners
'''Option 2: Python3 Completion'''
* DefectDojo is finishing up a migration to Python3
Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3
* Ensure all features work
* Travis testing works correctly
'''Option 3: Scan 2.0 / Launch Containers'''

Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proof of concepts exist for this using the AppSecpPipeline to launch containers and then push those finding into the appropriate product.
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.

== OHP (OWASP Honeypot) ==

[[OWASP_Python_Honeypot|OWASP Honeypot]] is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.

=== Getting Start ===

It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to adding more modules and optimize the core.

=== Technologies ===

Currently we are using

* Docker
* Python
* MongoDB
* TShark
* Flask
* ChartJS
* And more linux services

=== Expected Results ===

* Zero Bugs: Currently we may have several bugs in different conditions, and it's best to test the all functions and fix them
* Monitoring: Right now monitoring limited to the connections (send&recieve) and it's best to store and analysis the contents for farther investigations and recognizing incoming attacks.
* Duplicated codes: codes are complicated and duplicated in engine, should be fixed/clean up
* New modules: add some creative ICS/Network/Web modules andvulnerable web applications, services and stuff
* API: update API sync to all features
* WebUI: Demonstrate and add API on WebUI and Live version with all features
* WebUI Special Reports: Track the attacks more creative and provide high risk IPs
* Database: Better database structure, faster and use queue
* Data analysis: Analysis stored data and attack signatures
* OWASP Top 10: Preparing useful processed/raw data for OWASP top 10 project

=== Students Requirements ===

* Python
* Packet Analysis & Tshark & Libpcap
* Docker
* Database
* Web Development Skills
* Honeypot and Deception knowledge

=== Mentors and Leaders ===

* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!

To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''

=== Feature Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)
* Each feature comes with full functional unit and integration tests
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Juice Shop Mobile ===

'''Brief Explanation:'''

A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.

''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''

''' Getting started '''
* Get familiar with the architecture and code base of the application's RESTful backend
* Get familiar with Native App developement
* Get familiar with Mobile vulnerabilities

'''Expected Results:'''
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Challenge Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Hacking Instructor ===

'''Brief Explanation:'''

While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.

''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''

'''Expected Results:'''
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges
* Documentation how to configure or script the "Hacking Instructor" for challenges in general

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP-Securetea Tools Project ==
The OWASP SecureTea Project is an application designed to help secure a person's laptop or computer / server with IoT (Internet Of Things) and notify users (via various communication mechanisms), whenever someone accesses their computer / server. This application uses the touchpad/mouse/wireless mouse to determine activity and is developed in Python and tested on various machines (Linux, Mac & Windows).
The software is still under development, and will eventually have it's own IDS(Intrusion Detection System) / IPS(Instrusion Prevention System), firewall, anti-virus, intelligent log monitoring capabilities with web defacement detection, and support for much more communication medium.
. -
https://github.com/OWASP/SecureTea-Project/blob/master/README.md

===Brief Explanation===
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT.

===Idea===
Below roadmap and expect results you can choose to improve Securetea Project .
if any bugs please help to fix it

===Roadmap===
See Our Roadmap 
https://github.com/OWASP/SecureTea-Project#roadmap 

===Expect Results ===
 
Securetea Protection /firewall 
Securetea Antivirus 
Notify by Whatsapp 
Notify by SMS Alerts 
Notify by Line 
Notify by Telegram 
Intelligent Log Monitoring include Web Deface Detection 
Detection of malicious devices 
Login History 
=== Students Requirements ===

* Python
* Javascript
* Angular and NodeJS/Express
* Database
* Linux

=== Mentors ===

* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) 
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)
 

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.

=== OWASP OWTF - Passive Online scanner improvements ===
'''Brief Explanation'''

OWTF allows many passive tests, such as those using third party websites like Google, Bing, etc. searches, as well as handy "Search for vulnerability" search boxes (i.e. Fingerprinting plugin). This feature involves the creation of a '''script''' that produces an interactive OWTF report with the intention of hosting it in the github.io site. The idea here is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply visiting a URL.

This would be a normal OWTF interactive report where the user can:
* Enter a target
* Try passive plugins (only the parts that use no tools)
* Play with boilerplate templates from the OWTF interactive report
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.

'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner, simply makes OWTF passive testing '''through third party websites''' more accessible to anybody, however it is the user that must 1) click the link manually + 2) do something bad with that afterwards + 3) doing 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''
* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]

===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP iGoat (draft) ==
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.

'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security

== OWASP Seraphimdroid ==
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is Android security and privacy app, with features to enhance user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.

=== Idea 1: Anomaly detection of device state ===
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors

=== Idea 2: On device machine learning of maliciousness of an app ===
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious.

=== Idea 3: Enhansing privacy features ===
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that uthe user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledgebase shouldbbeextending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

=== Active Scanning WebSockets ===
: '''Brief Explanation:'''
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* An pluggable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated Authentication Detection and Configuration ===
: '''Brief Explanation:'''
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
: This is time consuming and error prone.
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== IoT Goat ==
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018].

===Idea 1: Insecure firmware web application ecosystem===
'''Brief Explanation:'''

A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.

''' Getting started '''
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-
* Create a GitHub account to be added as a collaborator to the repository
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md

'''Expected Results:'''

Development of a simple web application user interface with web services and API's deployed locally on the OpenWrt firmware. Documented challenges of how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide:
* Command injection
* SQL injection
* Local file inclusion
* XXE injection,Insufficient Authentication
* Transfer sensitive data using insecure channels
* Store sensitive data insecurely
Vulnerable SOAP web services and REST API implementations are in-scope.

'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Embedded and/or web development (nice to have)
** Web application code can be developed using the following common embedded programming languages:
*** Lua
*** PHP
*** C/C++
*** JavaScript

===Idea 2: Insecure network services===
'''Brief Explanation:'''

Deliberately insecure services configured within OpenWrt such as an miniupnp daemon configured with secure_mode off (Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from), to demonstrate a port mapping attack where an attacker from inside the network exposes a service that typically should be behind a LAN to the internet).

''' Getting started '''
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-
* Create a GitHub account to be added as a collaborator to the repository
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md

'''Expected Results:'''

Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.
* Example of network insecure services include:
** FTP
** Telnet
** miniupnpd
** HTTP
'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Network security

===Idea 3: Insecure firmware build system===
'''Brief Explanation:'''

Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages.

''' Getting started '''
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds
** https://openwrt.org/docs/guide-developer/start
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem
** https://github.com/openwrt/openwrt

'''Expected Results:'''
* Provide walkthrough examples of insecure design choices for building firmware.
* Provide suggested mitigation security controls

'''Knowledge Prerequisites:'''
* Working Linux knowledge
* Embedded development (C/C++)

===Suggest your own ideas===
You may suggest additional challenges or ideas that fit this project's objectives.

=== Mentors and Leaders ===
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

==OWASP Web Honeypot Project ==

The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data.

https://www.owasp.org/index.php/OWASP_Honeypot_Project

https://github.com/OWASP/Honeypot-Project/

===Brief Explanation===
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. 

The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. 

===Idea===
Project progression:
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to a diverse a user set as possible.
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software, analysis programmes and provide a portal for communicating our finds and recommendations back to the community in a meaningful manner.
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention.

===Expect Results ===

Some of the ideas from last year's summit

* Setup Proof of Concept to understand how Mod Security baed Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).
* Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in MosSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts for single and multiple probes.
* Develop a mechanism to convert from stored MySQL to JSON format.
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.
* Provide a mechanism to forward honest output into threat intelligence format such as STIX using something like the MISP project(https://www.misp-project.org) to share Threat data coming from the Honeypots making it easy to export/import data from formats such as STIX and TAXII., may require use of concurrent logs in a format that MISP can deal with.
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.
* Develop a new VM based honeypot/robe based on CRS v3.0.
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.
* Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received.

=== Students Requirements ===

Some of the skills we are looking for:

* Apache/Tomcat
* Any experience of MISP
* MySQL & JSON
* ELK
* STIX/TAXII
* Python
* ModSecurity/mlogc
* OWASP Core RuleSet (CRS)
* Linux
* VM/Docker

=== Mentors ===

* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) 

===Suggest your own ideas===

You may suggest additional challenges or ideas that fit this project's objectives.

==OWASP Risk Assessment Framework ==
Tool projects aim to assessment more than one or many web application using owasp risk rating mathodologies.
https://github.com/OWASP/RiskAssessmentFramework

'''Idea 1:''' make dashboard with databases and can assess many website based owasp risk rating mathodologies, create graph and report in pdf,word & excel format.
=== Mentors ===
* [mailto:ade.putra@owasp.org Ade Yoseman] -

GSoC2019 Ideas

2019-03-03T23:12:08Z

Foobar: typo name fix

GSoC2019 Ideas

2019-03-01T03:59:29Z

Foobar: /* OWASP-SKF */

GSoC2019 Ideas

2019-03-01T03:56:24Z

Foobar: updated SKF idea's

GSoC2019 Ideas

2019-01-09T17:41:05Z

Foobar: Added 2 ideas for SKF

==== '''OWASP-SKF (draft)''' ====
Idea 1: Build lab examples and write-ups (how to test) for different code languages delivered in Docker (these must correlate with a Knowledge base item in SKF)
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
Idea 2: We want to extend the Machine learning chatbot functionality in SKF.
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
* Extend the bot to different platforms like Facebook, telegram, slack etc.
** Now the working chatbot implementation for example is only for Gitter

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

OWASP Security Knowledge Framework

2018-09-05T10:50:55Z

Foobar:

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
{{#widget:PayPal Donation

|target=_blank

|budget=OWASP SKF

}}

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Mature projects.png|https://www.owasp.org/index.php?title=OWASP_Project_Stages]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages
* Market and brand the new AI chat-bot implementation
* Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-09-05T10:49:26Z

Foobar: added the Flagship status

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
{{#widget:PayPal Donation

|target=_blank

|budget=OWASP SKF

}}

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages
* Market and brand the new AI chat-bot implementation
* Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-09-05T10:45:51Z

Foobar:

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
{{#widget:PayPal Donation

|target=_blank

|budget=OWASP SKF

}}

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages
* Market and brand the new AI chat-bot implementation
* Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-08-27T18:44:28Z

Foobar:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages
* Market and brand the new AI chat-bot implementation
* Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-08-27T18:37:27Z

Foobar: /* Video demo */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages
* Market and brand the new AI chat-bot implementation
* Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-08-27T18:30:09Z

Foobar: /* Classifications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
* Add internationalist feature to SKF for supporting multiple human languages

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2018-07-02T20:32:12Z

Foobar: /* Classifications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Milestones / Roadmap and Getting Involved =

==Next major release features==
* Implement the MASVS Knowledge base items in the OWASP-SKF project

* Implement MASVS process flow under the new project section
* Add CWE to Knowledge base items
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide)

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

GSOC2018 Ideas

2018-01-18T21:18:07Z

Foobar: /* OWASP Security Knowledge Framework */

GSOC2018 Ideas

2017-12-24T12:33:15Z

Foobar: Added OWASP-SKF project to the GSOC list

OWASP Security Knowledge Framework

2017-08-23T16:20:35Z

Foobar: Clean up wiki page roadmap section.

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the detailed roadmap here:

'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== CI-Pipeline ==

=== Travis-ci.org: ===
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>

=== Coveralls.io Python: ===
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>

=== codecov.io for Angular: ===
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>

=== Scrutinizer-ci.com: ===
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>

=== Bithound.io NPM packages: ===
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>

=== Requires.io pip packages: ===
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>

=== Black Duck Security Risk: ===
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>

=== uptimerobot.com: ===
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>

=== ssllabs.com & sslbadge.org: ===
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

Glenn & Riccardo ten Cate

2017-07-17T07:11:23Z

Foobar:

== Project leaders of OWASP-SKF ==

[[OWASP Security Knowledge Framework]]

[[File:Glenn ten Cate.jpg|thumb]]

'''About Glenn'''

- Glenn ten Cate 
- From the Netherlands 
- More then 10 years active in Security / Hacking world 
- Specialized in web-application / server security 
- Coding experience in different languages 
- Developer / Contributor of multiple open-source security projects 
- Goal would be, creating an open-source SDLC with the tools and knowledge so everybody is empowered to do security by design and deliver high quality software 

'''Contact Info:'''glenn.ten.cate@owasp.org

[[File:Riccardo_Ten_Cate_Profile_Picture.jpg]]

'''About Riccardo:'''

As a freelance penetration tester and software developer from the Netherlands Riccardo specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

'''Contract Info:''' riccardo.ten.cate@owasp.org

WASPY Awards 2017

2017-07-17T07:10:33Z

Foobar: Added link to names

[[File:WASPY 2017 Banner.jpg]]

==Purpose of the Awards==

Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not.

'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.'''

==Timeline==
Call for Nominees Opens June 7, 2017

Call for Nominees Closes June 30, 2017 - CLOSED

Announcement of Nominees per Category July 5, 2017 - DONE

Deadline for Nominee Profile Picture and Bio to be created and added to the Nominees section July 10, 2017

Voting for Board & Staff Members Opens July 17, 2017

Voting for Board & Staff Members Closes July 24, 2017

Winners are Notified July 25, 2017

Announcement of Winners to the Community July 25, 2017

Award Ceremony at AppSecUSA 2017 in Orlando, FL September 21-22, 2017

==Categories==
The WASPYs celebrate the actors in our community who grow OWASP and drive innovation to the safety and security of the world’s software. This year we are excited to offer three categories.
 

'''Best Community Supporter''' - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community. WASPYs focus on the unsung heros of the OWASP community. Chapter Leaders and Community Members should especially consider leaders and volunteers who bring something extra to the environment, help the chapter reach out to new attendees, or carry out the tedious and repetitive tasks that make growing an OWASP Chapter possible.
 

'''Best Mission Outreach''' - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities. Leaders and Members should especially consider volunteers who pushed the boundaries of the audience and reach of OWASP to provide new exposure for OWASP’s projects and chapters. New leaders and volunteers who help bring more people to your chapter, project, or actively represent OWASP at non-OWASP events, gatherings, and activities to build an active OWASP community are ideal candidates for the Mission Outreach WASPY award.
 

'''Best Innovator''' - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an [[:Category:OWASP Project|OWASP Project]] and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way. WASPYs focus on the unsung heros of the OWASP community who quietly go about making the world a bit better for their work. Project Leaders and Community Members should especially consider nominating new projects, projects that have recently graduated, and project contributors for this WASPY.

==Rules==
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.'''

1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated

2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated

3. All nominees will remain anonymous until July 3, 2017

4. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category

5. You may only nominate one person per category

=='''And the Nominees Are...'''==
{| cellpadding="2" border="1"
! width="150" align="center" scope="col" |Name
! width="800" align="center" scope="col" |Category & Citation
|-
| align="center" |Aatral Arasu
|'''''Best Community Supporter'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Community Supporter'''''
"Sean has not only worked as a volunteer in the local chapter building community, his code projects are useful to the mission and his outreach efforts have included funding requests for OWASP Foundation to grow its mission. Sean is a great example of a community member."
|-
|Nicole Becher
|<nowiki/>'''''Best Community Supporter'''''

"Nicole has been an amazing chapter leader. She brings knowledge and experience teaching cybersecurity to the Mentor Initiative, WIA Committee, and projects."
|-
|Ken Belva
|<nowiki/>'''''Best Community Supporter'''''

"Ken is a long time chapter leader of the NYC chapter and a former chapter leader of the Brooklyn Chapter. Ken is always willing to step in and volunteer to help with OWASP initiatives and is a frequent participant in OWASP events as both a volunteer and speaker. Ken has spoken at AppSec USA on XSS techniques (<nowiki>https://www.youtube.com/watch?v=G539NwvpL3I</nowiki>) and is the project lead for the Basic Expression and Lexicon Variation Algorithms project (<nowiki>https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_(BELVA)_Project)</nowiki>."
|-
|Tony Clarke
|<nowiki/>'''''Best Community Supporter'''''
"Tony has selflessly brought the OWASP dublin chapter to great nights. He has nurtured the chapter to be inclusive and open whilst growing the average attendee count to hundreds. He has spread the word across both security industry and developer industry and has also managed to get various organisations to work together such as ISACA, IISF, ISSA and ISC2. He is a great leader and despite detractors has built the chapter and awareness of software security issues in a strong vendor neutral manner to a great place. Tony is a great example of OWASP and industry leadership."
|-
|Dinis Cruz
|<nowiki/>'''''Best Community Supporter'''''
"Diniz is a fantastic innovator and motivator. As the mastermind and organizer behind the OWASP Summit he has managed to re-energize the OWASP community - many interesting projects would not have happened (or at least, not been that successful) without his passionate work. Besides organizing the event, he also consistently supported project leaders with his experience and ideas."

'''2nd Citation:''' Dinis put ridiculous effort (<nowiki>https://github.com/OWASP/owasp-summit-2017/commits?author=DinisCruz</nowiki>) into the OWASP Summit 2017 and didn't tire promoting this event!
|-
|[[User:Dune73|Christian Folini]]
|'''''Best Community Supporter'''''

"Christian Folini is very active in the Core Rule Set project community. He responds to a ton of questions submitted by newcomers when they are stuck and he answers expert level questions with stunning detail. He joined Chaim and Walter when they revived the project in 2016 and I heard he had the idea for the famous CRS3 release poster <nowiki>https://modsecurity.org/crs/poster</nowiki> that was shared all over the net. I think it's people like him that give OWASP a human face."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Community Supporter'''''
"In 2015, Joaquin took it upon himself to revive the OWASP Phoenix Chapter. He created a meet-up group to gain broader visibility. Since 2015, the meeting attendance has grown from an average of 15 attendees to over 60! Joaquin dedicates a lot of time and effort into scheduling an impressive variety of presentation topics including safe hacking, vulnerability scanner deep dives, hands on web exploitation CTF, video game hacking and more. I learn something new and cool at every event.

More importantly, Joaquin works hard to foster a friendly, inclusive environment. During our hands-on web exploitation session, Joaquin recruited co-works to assist participants with the Security Shephard challenges so no one felt overwhelmed or impossibly stuck. He always takes the time meet and welcome new members. For example, my 17-year-old son attends meetings with me. He looks up to Joaquin as a mentor for a future information security career because Joaquin encourages his learning and offers career guidance.

I highly recommend Joaquin for a WASPY award!! He is a kind, soft spoken person with a passion for sharing information security and helping others!"

'''2nd Citation:''' "He resurrected the Phoenix chapter and has kept it going with great content."

'''3rd Citation:''' "For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''4th Citation:''' "Put simply, due to the efforts of Joaquin Fuentes, the Phoenix chapter has risen from the ashes (some pun intended). Before Joaquin took over the chapter there were consistently between 5-10 persons in attendance, Joaquin himself being one of them, and the chapter only met about every 3 months or so. Since Joaquin took over the chapter, we have had fantastic presenters each month, paid for dinners, along with a collaborative, comfortable, and engaging environment to meet in. Even more impressive the attendance has grown to 60+ consistently. Joaquin isn't even done yet! He is more great ideas and plans for the chapter that will undoubtedly contribute to the continued growth and over all quality of this once fallen chapter. When he speaks of where this chapter has come from and his plans for the future, it is undeniable to all that he does so with the passion that a leader must possess to accomplish that which Joaquin has."

'''5th Citation:''' "I am sure someone else will write in with Joaquin's email, but I felt the need to second his name on the list. The events he puts together are top notch, have excellent speakers, always have things to eat, and are generally excellent. I almost never miss them. He is actually so gracious about the entire chapter that I am sure he does not get the credit he deserves... the whole show is put on by just him, I think. Yay Joaquin!"

'''6th Citation:''' "A few years ago, the Phoenix (AZ) OWASP group was basically defunct. As the leader of the Phoenix OWASP group, not only has Joaquin helped to resurrect the group, but we've had great presentations on reverse engineering, secure coding, a hands-on CTF contest with Security Shepherd, etc. Joaquin is a very visible member of the security community being an employee at Early Warning, which not only hosts the OWASP meetings, but also is a sponsor and makes a strong showing at CactusCon every year, the biggest security conference in Arizona.

Our local OWASP group is not strong, going from being non-existent a few years ago to now getting a regular attendance of 40-80 people. I've gotten to know Joaquin through OWASP meetings and other security events in the area I have crossed paths with him, and he is a fine representative and evangelist for the OWASP organization."

'''7th Citation:''' "Joaquin is the Phoenix OWASP Chapter leader and regularly plans amazing talks with great speakers for the Phoenix Community. Frequently, the Phoenix OWASP talks will have over 50 attendees which Joaquin manages without a problem! Joaquin also pushes for candidates he is interviewing to be familiar with OWASP before their interview."

'''8th Citation:''' "Joaquin is the leader for the Phoenix OWASP, and it is clear that through his leadership the Phoenix OWASP thrives. Joaquin organizes all the meetings, and is constantly working with folks to create an excellent sense of community in the Phoenix area."

'''9th Citation:''' "Joaquin has taken the Phoenix OWASP chapter that had not been managed for years and brought it back to life. We consistently see 50+ members coming to our Meetups to talk about AppSec related topics. Joaquin is well connected to the InfoSec groups and has had great success in pulling in new speakers, we have already had a few speakers who are prepping their BlackHat and DefCon talks by giving their presentations to our local chapter. Finally Joaquin does a great job by reaching out to the local colleges and supporting CTF activities to garner interest in pen-testing and the OWASP community. He is a true community supporter and fully deserves a WASPY for his efforts..."

'''10th Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''11th Citation:''' "As a leader of Phoenix OWASP chapter, Joaquin strives to organize talks and trainings to make people in the valley learn InfoSec and AppSec from experienced individuals. He has always gone a step ahead to conduct OWASP meetings that are informative and hands on. Right from giving Arizona State University (ASU) students an overview of basic InfoSec and career opportunities to organizing a hands on hacking workshop for people in the community, Joaquin has always demonstrated passion and determination to take Phoenix to a better place in the field of Cyber Security."

'''12th Citation:''' "I've attended and participated in three OWASP meetings lead by Joaquin. They are always well organized, offer a great learning experience and considerably contribute to the community. His continuous interest and dedication to the Phoenix chapter do not go unnoticed and are appreciated by all who attend."

'''13th Citation:''' "Joaquin restarted the OWASP chapter in Phoenix/Scottsdale. Chapter meetings have grown significantly to where there were about 65 attendees at the most recent meeting with hundreds more on the mailing list (I was at the meeting, but I've only heard about the mailing list). As someone who works with him, I know how dedicated he is to the work of IT security and he's been able to attract top-notch speakers for OWASP meetings.'

'''14th Citation:''' "Joaquin had successfully revived the Phoenix OWASP Chapter. Since, the chapter has excelled from zero to filled audience bringing security talent from all around to speak and educate to security professionals on the many facets of security domains.

Additionally, this has provided a great forum to network with the many security professionals around the community and share their knowledge and strengthen the security community.

Joaquin has provided his unselfish time as an OWASP Chapter leader, and has breathed new life into the Chapter."

'''15th Citation:''' "Joaquin does a bang up job of running the Phoenix OWASP chapter. He does a great job of raising awareness and bringing folks from the infosec community into the fold."

'''16th Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''17th Citation:''' No citation was submitted
|-
|[https://www.owasp.org/index.php/User:Brianglas Brian Glas]
|'''''Best Community Supporter'''''
"Brian has been paramount in 2 very strategic initiatives for OWASP. He is not only a Project Leader for the OWASP SAMM project but he has been instrumental in revamping the call for data and reorganizing the flagship OWASP Top Ten. Brian continues to support and speak about the benefits of supporting OWASP especially projects and participating in the Summit. Please consider Brian Glas as the Best Community Supporter for this year."
|-
|Brendan Gormley
|'''''Best Community Supporter'''''
"Throughout the Brendan has not only assisted in making the dublin chapter events happen but taken a lead role. Brendan has organised venues and speakers for these events often going above and beyond to ensure success. Brendan has also been involved in some of the outreach programs the Dublin chapter had been involved in. No task is too big or too small for Brendan and without him I don't believe the Dublin chapter would be what it is."
|-
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]
|'''''Best Community Supporter'''''
"Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]
|'''''Best Community Supporter'''''
"Jeremy is a dedicated security engineer who contributes to the community as a developer, mentor, contributor and leader. He's one of the smartest people I know - and one of the few who has patience with "the rest of us". He is generous with his time and knowledge, helping not only to contribute apps and resources, but to build up the community itself."
|-
|[[User:Makash|Akash Mahajan]]
|'''''Best Community Supporter'''''
"Akash has been backbone of OWASP bangalore chapter he has done lot of work for evangelizing OWASP. For more than 7 years now he has been working with the chapter and mentored lot of folks. No wonder he is called "the web app security guy"."
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Community Supporter'''''
"Dhiraj Mishra - has been contributed and volunteered to, OWASP Mumbai Student chapter and Mumbai local chapter.

He has endorse students to be part of multiple open community, however been an Sudent Chapter leader for OWASP he has discussed and shared multiple Information Security topics start from the scratch and spreading the idea's and awareness via chapter Meets, he has taken multiple session in NULL as well which runs with OWASP local chapter Mumbai, recently he invited Mozilla Club Mumbai to student chapter so that students can go to their area of interest, he always pushup/boost women in infosec. Apart from this he has taken various sessions in different colleges and have shared knowledge about Cyber Security."
|-
|Denise Murtagh-Dunne
|'''''Best Community Supporter'''''
"Denise has been a hugely active member of the Dublin chapter and has been involved in all chapter meeting throughout the year and is ever keen to role up her sleeves and get stuck into work that others shy away from. This includes everything from setting up the meeting tools, organising venues, working with sponsors, getting speakers and assisting speakers in the run up and during events. She's been a very positively influence on the community and chapter and has encouraged other people to get involved. She's constantly updating and posting content on our social media accounts and making sure our members get relevant and interesting content. While in full time employment, Denise gives up family time to contribute to the chapter and ensure OWASP Dublin remains a vibrant and relevant group that engages the developer and security community locally."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Community Supporter'''''
"Owen Pendlebury has been a key local OWASP volunteer over the last number of years. From being on the local Dublin chapter board to leading the Dublin chapter he regularly hosted and spoke at numerous collaborative and insightful security meetups.

He has also been involved in organising AppSec EU in Rome and more recently co-organised the Belfast conference which was the biggest ever EU conference. As part of organising the conference in Belfast he negotiated that all chapters within Ireland would benefit financially getting a percentage of the conference profits to allow the chapters to bring bigger, better and more collaborative meetings to the Irish OWASP community and grow the communities across the country.

I don’t know where he has found the time but has also been part of the Women in AppSec committee mentoring a number of individuals throughout the year. He took part in the Women in AppSec events in Belfast giving some insightful opinions into how improve attendees career. Owen is an asset that helps to improve Ireland's security community’s capabilities with a real can-do attitude."
|-
|Mick Ryan
|'''''Best Community Supporter'''''
"Mick always assists with chapter meetings and works to ensure we give the community good quality sessions. Mick assists will all areas including reaching out to potential speakers, getting info and bios from them, arranging dates and venues, posting on social media and the logistics of the meetings and ensuring speakers have the right cables, meetings run to time, that speakers are happy with everything, taking photos to promote the chapter on social media, encouraging people to speak, printing the chapter and getting people to events! Thanks Mick for your contribution in 2017!"
|-
|[https://www.owasp.org/index.php/Sriram Sriram]
|'''''Best Community Supporter'''''
"[https://www.owasp.org/index.php/Sriram Sriram] has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone. Sriram has been tremendously supporting the OWASP Chapter by giving trainings to various college student, corporates and various chapters.."
|-
|Michelle Simpson
|'''''Best Community Supporter'''''
"Michelle has done an amazing job with the Belfast chapter and works tirelessly to improve the OWASP community and advocate strong app sec practices. This is very evident from the people attending the chapter events, organisations participating and the very successful AppSecEU conference that was held in Belfast in 2017. Michelle put a huge amount of work and effort into planning and preparation for AppSecEU to ensure the conference was of a high calibre. This was a sustained commitment over the majority of 2017 on top of local chapter commitments. I'd like to nominate Michelle for all the hard work and effort she puts into the chapter. Thanks Michelle!"
|-
|Steve Springett
|'''''Best Community Supporter'''''

"Steve has been a tremendous supporter of the OWASP dependency-check project and leader on the related dependency-track platform. He is quick to respond to community question, answering with insightful and accurate responses assisting the community in their use of the dependency-check suite of tools."
|-
|[https://www.owasp.org/index.php/John_Vargas John Vargas]
|'''''Best Community Supporter'''''

"During the last 9 years John, together with a very small group of volunteers, has been making efforts to keep the chapter of Lima, Peru. Performing activities such as monthly meetings, internal trainings and participating actively in the OWASP Latam Tour. For the chapters in Latin America to keep afloat these activities with few resources is something very complicated and deserves recognition."
|-
|Tara Williams
|'''''Best Community Supporter'''''

"Tara cares about integrity, inclusion and transparency, she is passionate about making OWASP a better place for all members of the community. With her talents in communications, she is getting the word out about OWASP's benefits to community members and attracting new members to chapter meetings, especially identifying successful pathways to transition meetup members to full members."
|-
|Aatral Arasu
|'''''Best Mission Outreach'''''
'''"'''A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Mission Outreach'''''
"Sean mentors, is a speaker, leads projects, is an active chapter leader and chapter Treasurer, participating in meetup events and a great representative at global, regional and external events."
|-
|Tony Clarke
|'''''Best Mission Outreach'''''
"Tony has grown the chapter over the last year to a point where hundreds of people are attending meetings. The meetings are organised in advance now and have a theme. There were some really interesting people speaking at the chapter meetings including Simon Singh, James Lyne, Brian Honan and Jane Franklin. He has also engaged support from local companies with a lot more attending and sponsoring the chapter. There is a real buzz at chapter meetings and they're not just death by PowerPoint which they had been in the past."
|-
|[[User:cfrenz|Christopher Frenz]]
|'''''Best Mission Outreach'''''

'''"'''Christopher Frenz should be nominated for the Best Mission Outreach WASPY for his work as the Project Lead for the OWASP Anti-Ransomware Guide Project and the OWASP Secure Medical Device Deployment Standard Project. In the wake of WannaCry, anti-ransomware guidance has become more pertinent than ever and the project is regularly updated to keep abreast of the latest ransomware adaptations. Chris regularly shares his anti-ransomware knowledge with the security and healthcare communities and is an advocate for organizations conducting mock ransomware incidents. Chris has shared his knowledge of ransomware protections and of pertinent OWASP resources in numerous venues including articles (<nowiki>https://iapp.org/news/a/why-the-wannacry-outbreak-should-be-a-wake-up-call/</nowiki>) and conference presentations at both the local and international level (<nowiki>https://iapp.org/conference/iapp-canada-privacy-symposium/sessions/?id=a191a000000zrqPAAQ</nowiki>). A Spanish version of the guidance is also available. In addition, he has worked to call attention to the need for healthcare facilities to improve the security of their medical device implementations and is responsible for authoring version 1 of the OWASP Secure Medical Device Deployment Standard. The project has really worked to raise awareness of these issues and has been covered by CSO magazine (<nowiki>http://www.csoonline.com/article/3188230/security/how-to-securely-deploy-medical-devices.html</nowiki>) and other news sources. Chris has given interviews on medical device security for the Cloud Security Alliance and others and will be speaking on medical device security at the Defcon BioHacking Village. Chris is always willing to share his knowledge with all who ask and is an active member of the NYC and Brooklyn OWASP chapters."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Mission Outreach'''''
"For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''2nd Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''3rd Citation''': "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''4th Citation''': "My job takes me to many different OWASP Chapters, along with ISSA, CSA, ISACA, etc.
The Phoenix OWASP Chapter was DEAD before Joaquin volunteered to lead the Chapter a few years ago.
It is now consistently one of the BEST ITSec community gatherings, and I go out of my way to be in Phoenix for their meetings.
To put it a different way, at my first Phoenix OWASP meeting there were less than 12 attendees, including myself and the speaker. Last week it was standing room only (75+) *and* there would have been more if Interstate 17 hadn't been closed in both directions at the start of rush-hour.
Part of the reason Joaquin deserves this award is that he is EXTREMELY knowledgeable about AppSec and many other aspects of data security and he is ALWAYS friendly and willing to share. His day-job is no picnic, but he finds the time to put together great meetings and do it in a way that everybody has a good time."
|-
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]
|'''''Best Mission Outreach'''''
"Tanya has been instrumental in outreach in the Ottawa Ontario Canada region building membership and participation in the local OWASP chapter, as well as building bridges with other local organizations (Python user group, Ruby Rails user group, WIA, etc.). Tanya has also been a driver in getting a mentoring program setup via the Ottawa chapter. She has also encouraged participation in local CTF events, presented at local conferences (BSides, etc). Tanya's enthusiasm, support, and interaction is often contagious (in a good way :) ). Lastly, Tanya is a strong advocate or evangelist for OWASP projects, promoting such as appropriate per audience/presentation (including, but not limited to: ZAP, Top 10, SKF)."

'''2nd Citation:''' "Tanya Janca is an excellent ambassador for OWASP. Since her entry into the lead team of the OWASP Ottawa chapter, she has doubled the size of the chapter and developed the chapter into a meeting place for dozens of women interested in Application Security.
Tanya Janca is an energetic speaker who held a fantastic presentation at AppSecEU in Belfast. <nowiki>https://www.youtube.com/watch?v=mPTmuaC2lOI</nowiki> She was subsequently invited to the Swiss Cyberstorm Conference where her addition to the rooster was explained in an admiring blogpost <nowiki>https://swisscyberstorm.com/2017/05/23/Introducing_Tany_Janca.html</nowiki>
Tanya Janca has the ability to talk security to techies and management alike. She is pushing for the adoption of OWASP practices and project by the government of Canada her employer. Having been nominated for the Government of Canada’s CIO Award for “Excellent in Security” in 2016 she refused to move into the private sector, but continues to support the security community inside the public sector, where her excellent know-how is very important."

'''3rd Citation:''' "Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Kitisak Jirawannakool
|'''''Best Mission Outreach'''''

"Web security is notoriously bad in Thailand, so an actives security community is sorely needed. Kitisak is a central figure in that community. He has worked on establishing the OWASP Bangkok chapter for the past six years, organizing meetups, community outreach and engaging with security experts internationally. His work has played a pivotal role in creating IT security awareness in the fast-growing South-East-Asian country."
|-
|James Manico
|'''''Best Mission Outreach'''''
"Jim's influence on OWASP materials (and therefore on application security) is amazing - he's cited on nearly every cheat sheet on OWASP Top 10 document. His name is synonymous with application security."

'''2nd Citation: "'''While Jim may not be the "unsung hero" - he is the first and foremost cheerleader/champion of OWASP. His efforts and contributions are innumerable. As anyone who knows Jim - he is not a reserved individual when touting the resources available via OWASP. He has likely done more then anyone else working with OWASP to bring together, motivate, and get individuals to contribute to OWASP. From the immensely popular checklists to motivating individuals to contribute. OWASP would not be nearly as successful as it has been without Jim."
|-
|Mateo Martinez
|'''''Best Mission Outreach'''''
"Mateo is one of the leaders in Latin America more recognized, during the last years his efforts to join the chapters chapter along with other leaders of Latam made that the community grew and that today the Latam Tour 2017 has more than 15 participating countries. He also managed to spread the spirit of owasp and help establish new chapters in the region.
The effort to maintain more communication between OWASP GLobal and local communities is reflected in each activity that encourages other leaders to ensure that they strive every day to spread Owasp projects and to grow the community."
|-
|Mark Miller
|'''''Best Mission Outreach'''''

"The OWASP Podcast is a effort that is in line with the mission of OWASP raising visability for software security. This is a VERY powerful voice in the community globally and Mark Miller should be applauded for his efforts on this
<nowiki>https://www.owasp.org/index.php/OWASP_Podcast</nowiki>"
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Mission Outreach'''''

"Dhiraj was nominated for WASPY 2016, his contribution to the community is from past one 'n half year in various areas, start from the projects, local volunteering and what not, he was also listed in OWASP Hall Of Fame."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Mission Outreach'''''
"Owen is an active participator in OWASP meetings and has been a great inspiration to me.
He has shown himself to be a great leader and OWASP advocate.
Owen has recommended other AppSec communities in which I have become involved in since moving to Dublin. He is an evangelist for women in technology and I have witnessed this first hand.
I don't hesitate to recommend Owen for this award."

'''2nd Citation:''' "Owen has introduced me to the OWASP Community in Ireland and EU. Help me to get involve with Women in AppSec and participate in the AppSec EU event in Belfast. He is a great leader, who enjoys talking about OWASP and the great community behind it.
I've moved to Ireland a couple of months ago, and getting to know Owen and the OWASP community has completely changed my life, both professionally and personally.
So, yes, I would like to nominate Owen Pendlebury because he the proof that Women in AppSec is not just a women matter. :)"
|-
|[https://www.owasp.org/index.php/Sriram Sriram Shyam]
|'''''Best Mission Outreach'''''
"Sriram has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone."
|-
|[[User:Nwhysel|Noreen Whysel]]
|'''''Best Mission Outreach'''''

"Noreen is helping each day to improve OWASP members' experiences bringing her expertise and knowledge as a mentor and projects as a Chapter Leader, one member at a time. She understands what members want, how to improve member benefits and is applying that knowledge to improving local and global member experiences from the ground up. Her efforts are multiplied by her sharing of knowledge and grassroots approach creating a membership groundswell."
|-
|Aatral Arasu
|'''''Best Innovator'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Innovator'''''
"Sean leads the BLT Project and is a Team Leader for the Learning Gateway project. He has helped improve the quality of web experiences, including OWASP.org ."
|-
|[https://www.owasp.org/index.php/Glenn_%26_Riccardo_ten_Cate Glenn & Riccardo ten Cate]
|'''''Best Innovator'''''
"I am hereby nominating the brothers Glenn & Riccardo ten Cate from the Netherlands for the WASPY award in this category. They are known for their work on the open-source project SKF (Security Knowledge Framework). These are two guys who are dedicated to spreading security knowledge trough the means OWASP has to offer. You might have encountered them talking at seminars, promoting their project and OWASP, or different companies where they teach development teams how to integrate the OWASP core principles in their workflow using their project. Not only professional development teams but also students of security can only be amazed at the sheer knowledge they gathered and contribute to the global OWASP community trough open source. The sheer effort they put in this project teaches, guides, structures and shows by example how to test and write secure applications by design. There is no other software out there that does this. And that is why they deserve this nomination for best innovator 2017."
|-
|Mark Deenihan
|'''''Best Innovator'''''
"Mark for his constant devotion and work on the OWASP security shepherd project and continuing to develop it and teach people globally about app sec."
|-
|Seba Deleersnyder
|'''''Best Innovator'''''
"One of the main projects to date is SAMM. Seba with the support of project colliders has made this a flagship project of OWASP. The level of maturity and the number of improvements obtained indicates that this project is one of the most mature and a great projection to the future."
|-
|[[User:cfrenz|Christopher Frenz]]
|'''''Best Innovator'''''
"Chris' projects are opening doors for OWASP in the standards development and getting the word out about important IoT with his Medical Device Deployment Standard: <nowiki>https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard</nowiki> which already has a Turkish translation and attracted attention from the Turkish public health department. He has delivered presentations at meetups, and presenting to the IDESG, www.idesg.org in July. He has a "soup label" tool that gives simple guidance for the implementation of the OSMDDS. This is not Chris' first project but it is surely one of the best OWASP innovations of the year."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Innovator'''''
"Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''2nd Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."
|-
|Evin Hernandez
|'''''Best Innovator'''''
"Evins focus on the core of the information security platform with Virtual Village has provided the global community with a place to experiment and leverage for testing... <nowiki>https://www.owasp.org/index.php/OWASP_Virtual_Village_Project</nowiki>"
|-
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]
|'''''Best Innovator'''''
"Considering how often projects have a great start and plateau, we should recognize the ongoing effort and dedication given to one of the Flagship projects in our community.
Jeremy Long has continued to not only maintain the Dependency Check project but develop and improve it each year.
This year he added Improvements in the core dependency-check platform in terms of code quality, achieved 100% for the CII Best Practices for dependency-check, continued to develop the ODC community with several contributors submitting PRs, and over the last several months he's been working on platform maturity and will be releasing 2.0.0 in the first half of July 2017.
After 2.0 is released he has planned work on Python support and expanding the tool by integrating additional data-sources such as Artifactory, Redhat Victim's, OSS-Index, etc."

'''2nd Citation:''' "Jeremy has been an avid contributor/leader for the OWASP dependency-check project. Under his leadership the project has garnered substantial community support in terms of pull requests, improved code quality via Sonarcloud, Coverity, Codacy, and CII Best Practices. While the last six months have been primarily around code quality and bug fixes; these improvements are setting the dependency-check project up for major enhancements over the coming months!"
|-
|[[User:DanielMiessler|Daniel Miessler]]
|'''''Best Innovator'''''
"Daniel seems to be everywhere at once - despite have a full-time job, he is leading or co-leading several OWASP projects, has created ideas for groups out of thin air, and has performed work in much needed areas.
This year, Daniel has lead or co-lead the Internet of Things security project, completed an IoT: Medical Devices attack surface overview, and created the Game Security project."
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Innovator'''''

"Dhiraj is one of the top contributor in OWASP Cheat Sheet Project, which have security guidance in an easy read format, his contribution for SQL Injection WAF Bypass and XSS Evasion - OWASP, was mostly recommended and used by Cyber Security professional, dhiraj has contributed to Benchmark project by contributing SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring and many such projects."
|-
|Bernhard Mueller
|'''''Best Innovator'''''
"During the last 18 months Bernhard has been spearheading the OWASP Mobile Testing Guide Project. He has invested several man-months of writing, editing, reviewing, rallying authors, and pushing the project into new directions. This also resulted in the novel agile book writing process and book production pipeline which enables OWASP to produce a professional tech book. The project has produced a security standard and early-release ebook, and is on track become one of OWASP's main flagship projects."
|-
|Steve Springett
|'''''Best Innovator'''''
"Steve's work on dependency-track is fantastic - he's moved forward to address the next round of issues, with an innovative solution all companies can leverage."
|-
|thc202
|'''''Best Innovator'''''
"Simon Bennets "wingman" in the ZAP project, by now even the top committer in the project! (<nowiki>https://github.com/zaproxy/zaproxy/graphs/contributors</nowiki>) So "unsung of" that I do not even know his real name!"
|}

==Results==
Coming July 25, 2017

==Sponsorship Opportunities==
The support from our sponsors, is what makes these awards truly successful!

Sponsorships coming soon!

==Communication==
# June 7, 2017 Email to the Leaders & Community list. Posted to the OWASP [https://owasp.blogspot.com/2017/06/nominations-are-now-being-accepted-for.html Blog]
# June 30, 2017 Email to the Leaders & Community list.
# July 5, 2017 Email to the Nominees
# July 5, 2017 Email to the Leaders & Community list, and Blog post announcing the nominees have been announced.

=='''Past WASPY Awards'''==
[https://www.owasp.org/index.php/WASPY_Awards_2016 2016] 
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] 
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] 
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] 
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012]

Glenn & Riccardo ten Cate

2017-07-17T07:09:48Z

Foobar: Update page

== Project leaders of OWASP-SKF ==

[[OWASP Security Knowledge Framework]]

[[File:Glenn ten Cate.jpg|thumb]]

'''About Glenn'''
- Glenn ten Cate 
- From the Netherlands 
- More then 10 years active in Security / Hacking world 
- Specialized in web-application / server security 
- Coding experience in different languages 
- Developer / Contributor of multiple open-source security projects 
- Goal would be, creating an open-source SDLC with the tools and knowledge so everybody is empowered to do security by design and deliver high quality software 

'''Contact Info:'''glenn.ten.cate@owasp.org

[[File:Riccardo_Ten_Cate_Profile_Picture.jpg]]

'''About Riccardo:'''

As a freelance penetration tester and software developer from the Netherlands Riccardo specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

'''Contract Info:''' riccardo.ten.cate@owasp.org

User:Foobar

2017-07-17T07:05:08Z

Foobar: Polished my user page

Some background information:
[[File:Glenn ten Cate.jpg|thumb]]

- Glenn ten Cate 
- From the Netherlands 
- More then 10 years active in Security / Hacking world 
- Specialized in web-application / server security 
- Coding experience in different languages 
- Developer / Contributor of multiple open-source security projects 
- Goal would be, creating an open-source SDLC with the tools and knowledge so everybody is empowered to do security by design and deliver high quality software 

Project leader of OWASP-SKF

[[OWASP Security Knowledge Framework]]

File:Glenn ten Cate.jpg

2017-07-17T07:02:17Z

Foobar:

It's me Glenn

OWASP Security Knowledge Framework

2017-07-10T20:26:51Z

Foobar: /* Project Download */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Use SKF to gather the right security requirements for your projects
* SKF then gives extensive knowledgebase items that correlates to the security requirements
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation

== Project Online Demo ==
'''username: admin password: test-skf'''
* https://demo.securityknowledgeframework.org 

'''Project website:'''
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add generic Selenium test cases for the pre-development and post-development security controls.
- Add current code examples and refer them in the advices of the pre-development and post-development items.
- Add CWE to checklists
- Add Python code examples
- Add Java code examples
- Explain the SDLC more in-depth on our website and OWASP wiki page.
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =

;

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

File:Midlevel.png

2017-07-10T20:26:38Z

Foobar:

midlevel

GSOC2017 Ideas

2017-01-24T08:41:30Z

Foobar: /* Getting started */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-24T08:40:42Z

Foobar:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Getting started===
* Please send an email to riccardo.ten.cate@owasp.org or glenn.ten.cate@owasp.org and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSoC

2016-03-20T13:51:32Z

Foobar:

'''OWASP is applying to be a Google Summer of Code (“GSoC”) mentoring organization in 2016!'''



'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD WILL BE OPEN UNTIL MARCH 25TH'''

[https://summerofcode.withgoogle.com/ '''Google Summer of Code Program Site''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2016 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,500 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [https://developers.google.com/open-source/gsoc/faq Google Summer of Code Program Site] every now and then to be informed about updates and advice. It is also important to read the [https://developers.google.com/open-source/gsoc/faq Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSOC2016_Ideas GSoC 2016 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from March 14th to March 25th 2016.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [https://developers.google.com/open-source/gsoc/faq GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Getting in touch===
* Google Group: OWASP Organization Administrators and Mentors are available at https://groups.google.com/d/forum/owasp-gsoc ready to answer any questions and discuss any idea.
* Mailing list: Each project has its own development mailing list (eg. ESAPI: http://lists.owasp.org/pipermail/esapi-dev/). Feel free to subscribe in order to discuss your ideas directly with the project's contributors.
* IRC channel: You can find us at irc.freenode.net channel #owasp-gsoc

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSOC2016_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://write.flossmanuals.net/gsoc-mentoring/about-this-manual/ mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [https://summerofcode.withgoogle.com/ Google Summer of Code Program Site]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2016 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall
* Tom Brennan
* Glenn ten Cate
* Riccardo ten Cate
* Martin Knobloch

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2016 Administrators are:'''

* Kostas Papapanagiotou (konstantinos@owasp.org)
* Claudia Casanovas (claudia.aviles-casanovas@owasp.org)
* Fabio Cerullo (fcerullo@owasp.org)

OWASP Security Knowledge Framework

2016-03-14T13:40:08Z

Foobar: /* Contributors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Security post-development functionality in SKF for verification with the OWASP ASVS

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

Installation guide with Chef:
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef 

Installation guide for AWS:
* https://skf.readme.io/docs/installation#section-aws-installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add generic Selenium test cases for the pre-development and post-development security controls.
- Add current code examples and refer them in the advices of the pre-development and post-development items.
- Add CWE to checklists
- Add Python code examples
- Add Java code examples
- Explain the SDLC more in-depth on our website and OWASP wiki page.
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
[[Link title]]==Contributors==

;[[user:Foobar|Glenn ten Cate]]
;[[user:Riccardo_ten_Cate|Riccardo ten Cate]]
;Alexander Kaasjager
;John Haley
;Daniel Paulus
;Erik de Kuijper
;Roderick Schaefer
;[[user:Jmanico|Jim Manico]]
;Martijn Gijsberti Hodenpijl
;Bithin Alangot
;[[user:Knoblochmartin|Martin Knobloch]]
;Adam Fisher
;Tom wirschell
;Joerg Stephan

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

GSOC2016 Ideas

2016-02-20T14:37:53Z

Foobar: /* OWASP-SKF (Security Knowledge Framework) */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you can use microframeworks such as flask to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the sandbox engine.
* PEP8 compliant code
* Acceptable unit test coverage

'''Knowledge Prerequisites:'''

Python, test driven developmen, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in php or python using any compoennts we agree are necesary and based on the framework we agree on.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented
* PSR/PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

'''Knowledge Prerequisites:'''
Python or PHP, the framework suggested, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Tool utilities module ===

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

''' OWASP Mentors '''

== OWASP ZAP ==

ZAP is one of the top OWASP projects and the most active open source web security tools.

You can follow (and join in) the GSoC discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

=== Bug tracker support ===

This would allow ZAP users to raise issues in bug trackers directly within ZAP. Ideally it would be implemented as an extension with a generic framework and then adaptors for specific trackers, like github and bugzilla.

The info included in the issues raised should be as configurable as possible so that users can include whatever they want, and set things like custom fields.

''' Expected Results '''

* Raise issues in github and bugzilla from alerts within the ZAP UI
* Support for raising alerts using the ZAP API
* High level of customization so that users can tune to their requirements

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Form Handling ===

The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.

The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.

It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.

''' Expected Results '''

* User able to specify default values for all forms used by the ZAP spiders
* Display all of the forms and fields for an application and allow the user to update the default values to be used
* Full support for defining default values via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Automated authentication detection and configuration ===

ZAP has extensive support for supporting application authentication, but configuring this is a manual process which can be tricky to get right.

The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.

''' Expected Results '''

* Automatically detect a wide range of authentication mechanisms
* Automatically configure ZAP to handle them
* Full support via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Advanced padding oracle testing and exploitation ===

ZAP has currently has very minimal support in it's the (beta) [https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/ascanrulesBeta/PaddingOraclePlugin.java PaddingOraclePlugin] for identifying potential [https://en.wikipedia.org/wiki/Padding_oracle_attack padding oracle] vulnerabilities. Specifically, it only examines two indicators for possible oracles (changing the last byte of padding by XORing it with 0x1 and resubmitting the HTTP request with the new altered parameter to see if the HTTP response contains some error patter or to check if the returned HTTP status is a 500 error. Furthermore, it is limited to checking parameters, but encrypted values that may be susceptible to padding oracle attacks may also be in HTTP cookies or even HTTP request / response values. (In the latter case, these custom headers are usually manipulated via AJAX.) Lastly SOAP messages using [https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html W3C XML Encryption] and JSON are other potential sources of padding oracle vulnerabilities that might be examined.

The enhancement would extend the support to more a broader attack surface such as new attack vectors like cookies, HTTP headers, and possibly XML or JSON and also expand the identification of potential new oracles to not just keywords, but to any minute difference in responses (at least for idempotent GETs) or significant variations in time. Lastly, we would like to add the ability to exploit padding oracle vulnerabilities discovered which could lead to whole lot of other interesting discoveries.

''' Expected Results '''

* Detect oracle padding vulnerabilities in more situations
** Expanded attack vectors: cookies, HTTP headers, XML, JSON
** Expanded variation of recognized potential oracles: ''any'' output differences when padding correct vs. incorrect (takes much more than flipping a single padding bit), significant differences in timing, etc.
* Add the option to actually attempt to exploit discovered potential padding oracle vulnerabilities and report additional subsequent findings once the ciphertext is actually decrypted.
* Build test code to illustrate a working proof of concept

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Reading up on basic details of how padding oracle attacks operate would also be extremely helpful.

''' Mentors '''
Kevin Wall (cryptography subject matter expert) and other members of the ZAP core team

=== Zest text representation and parser ===

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

''' Expected Results '''

* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Knowledge Prerequisite: '''
The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Your idea ===

We're always open to students coming up with their own suggestions for ZAP projects, so if you have something you think would make ZAP better then please get in touch!

''' Expected Results '''

* That depends on your project, but clearly defined goals will be necessary

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

== OWASP AppSensor ==

[[OWASP AppSensor Project]] provides real-time application layer intrusion detection.

* Check the AppSensor wiki page linked above
* Contact us through the mailing list.
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]
* Also see our [http://www.appsensor.org appsensor website]

=== Dashboard UI Expansion ===

'''Brief Explanation:'''

AppSensor provides a solid base of functionality to applications, and we currently have a minimal application for data display. This project will involve expanding the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. The existing stack is based on spring boot and reactjs. There are lots of features to be added, and you'll work with the project leader(s) and the community to build the most-needed and requested capabilities.

'''Expected Results:'''

The existing dashboard application will be expanded and will involve features like:
* Search (could involve significant back-end work to configure indexing, etc.)
* Policy Management (edit server configuration in real-time)
* Data visualization / dashboarding

Source code, tests, and associated documentation for both the back-end and UI will be delivered for this effort.

'''Knowledge Prerequisites:'''

Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the domain.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Trend Monitoring Analysis Engine ===

'''Brief Explanation:'''

AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor.

'''Expected Results:'''

The project should produce:
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine
* Associated configuration mechanism to specify the trending rules/policy
* A small full sample demo application showing usage of the trend monitoring feature

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in Java and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Expand language support for clients ===

'''Brief Explanation:'''

AppSensor supports various modes for communication with the server. The language and framework of the client application are required only to support the given mode. This flexibility is desirable, but having pre-built clients in various languages is useful for our user-base. This project would involve working with various popular languages and frameworks to build support for communicating with the appsensor server backend.

'''Expected Results:'''

The project should produce:
* Clients in multiple popular languages for interaction with appsensor server
* Evaluate the possibility for generating clients from specification as opposed to writing and maintaining the code (ie. swagger for REST)
* At a minimum, coverage for the HTTP/REST mode should be supported. Other modes (thrift, soap, kafka, etc.) will be produced as time allows.
* Several small demo applications showing usage of the given APIs

Source code and tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable working in multiple popular languages and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Implement Detection Points in Reverse Proxy ===

'''Brief Explanation:'''

AppSensor works by tracking events that are created by "detection points", essentially locations in the processing pipeline where suspicious or malicious intent is observed. This often requires business-specific detection within the application. However, the project has defined a number of detection points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) and responses (https://www.owasp.org/index.php/AppSensor_ResponseActions), some of which can be generically applied across a broader set of applications, including those that are common to an entire organization or even cross-organization. For that reason, a sub-project has been created (https://github.com/jtmelton/appsensor-reverse-proxy) that provides support for detection points and responses that are generic enough to be broadly applicable. This project would expand support for these detection points and responses.

'''Expected Results:'''

The project should produce:
* New detection points and responses
* Documentation for how to deploy the project and any end-user considerations
* Load testing each function as this project front-ends applications, and traffic throughput characteristics are important to our user-base.
* A small sample demo application showing the utility of the proxy. A recording of the usage for community viewing would be beneficial.

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in golang and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Educational component ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.

'''Expected Results:'''

* Develop uneatable knowledge base and GUI for it
* Develop web server where the knowledge base can be updated
* Improve current educational reporting
* Develop methodology for monitoring users and notifying them about risky activities

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP ZSC Tool ==

'''Brief Explanation:'''

[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

'''Expected Results:'''

Please take a look of our TODO list in Github to get some ideas:
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues

Another ideas:
* Help us develop shellcode module for windows
* Develop shellcode module for OSX

Read about the project here:
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

Recommended reading:
http://www.vividmachines.com/shellcode/shellcode.html

'''Knowledge Prerequisites:'''
* Python
* Basic knowledge about Shellcode and assembly language

'''Mentors:'''
*Christo and Timo Goosen and Brian Beaudry- OWASP ZSC Contributors

Contact us through our mailing list for questions:
https://groups.google.com/d/forum/owasp-zsc

== OWASP-SKF (Security Knowledge Framework) ==

'''Brief Explanation:'''
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX under python.

The 4 Core usage of SKF:

Security Requirements OWASP ASVS for development and for third party vendor applications
Security knowledge reference (Code examples/ Knowledge Base items)
Security is part of design with the pre-development functionality in SKF
Security post-development functionality in SKF for verification with the OWASP ASVS

'''Expected Results:'''

More code examples for different languages
Better quality of the knowledge base items
More items in the pre-development phase
Editable checklists in the post-development phase

We really would love to improve the quality of the knowledge base items further, also we would love to have more code examples in the different languages like: Perl, Hack, Go, Node.js and more.

Please take a look of our TODO list in Github to get some ideas:
https://github.com/blabla1337/skf-flask/issues

Another ideas:
* Help us with stuff you think is missing in the SKF project

Read about the project here:
https://skf.readme.io

Recommended reading (here you find a link to the Online Demo):
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

'''Knowledge Prerequisites:'''
* Python, PHP, Hack, .NET, GO, Ruby, Perl, Java, Node.js
* Basic knowledge about programming in one of the above languages

'''Mentors:'''
*Glenn and Riccardo ten Cate- OWASP-SKF project leaders
*Martin Knobloch Chapter leader of OWASP NL

GSOC2016 Ideas

2016-02-19T21:29:52Z

Foobar:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you can use microframeworks such as flask to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the sandbox engine.
* PEP8 compliant code
* Acceptable unit test coverage

'''Knowledge Prerequisites:'''

Python, test driven developmen, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in php or python using any compoennts we agree are necesary and based on the framework we agree on.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented
* PSR/PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

'''Knowledge Prerequisites:'''
Python or PHP, the framework suggested, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Tool utilities module ===

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

''' OWASP Mentors '''

== OWASP ZAP ==

ZAP is one of the top OWASP projects and the most active open source web security tools.

You can follow (and join in) the GSoC discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

=== Bug tracker support ===

This would allow ZAP users to raise issues in bug trackers directly within ZAP. Ideally it would be implemented as an extension with a generic framework and then adaptors for specific trackers, like github and bugzilla.

The info included in the issues raised should be as configurable as possible so that users can include whatever they want, and set things like custom fields.

''' Expected Results '''

* Raise issues in github and bugzilla from alerts within the ZAP UI
* Support for raising alerts using the ZAP API
* High level of customization so that users can tune to their requirements

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Field enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Form Handling ===

The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.

The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.

It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.

''' Expected Results '''

* User able to specify default values for all forms used by the ZAP spiders
* Display all of the forms and fields for an application and allow the user to update the default values to be used
* Full support for defining default values via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Automated authentication detection and configuration ===

ZAP has extensive support for supporting application authentication, but configuring this is a manual process which can be tricky to get right.

The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.

''' Expected Results '''

* Automatically detect a wide range of authentication mechanisms
* Automatically configure ZAP to handle them
* Full support via the API

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Advanced padding oracle testing and exploitation ===

ZAP has support for finding padding oracle vulnerabilities.

The enhancement would extend the support to more input vectors and add the ability to exploit vulnerabilities discovered which could lead to whole lot of other interesting discoveries.

''' Expected Results '''

* Detect oracle padding vulnerabilities in more situations
* Exploit the vulnerabilities and report additional findings

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Kevin Wall and other members of the ZAP core team

=== Zest text representation and parser ===

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

''' Expected Results '''

* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Knowledge Prerequisite: '''
The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

=== Your idea ===

We're always open to students coming up with their own suggestions for ZAP projects, so if you have something you think would make ZAP better then please get in touch!

''' Expected Results '''

* That depends on your project, but clearly defined goals will be necessary

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
Simon Bennetts and other members of the ZAP core team

== OWASP AppSensor ==

[[OWASP AppSensor Project]] provides real-time application layer intrusion detection.

* Check the AppSensor wiki page linked above
* Contact us through the mailing list.
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]
* Also see our [http://www.appsensor.org appsensor website]

=== Dashboard UI Expansion ===

'''Brief Explanation:'''

AppSensor provides a solid base of functionality to applications, and we currently have a minimal application for data display. This project will involve expanding the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. The existing stack is based on spring boot and reactjs. There are lots of features to be added, and you'll work with the project leader(s) and the community to build the most-needed and requested capabilities.

'''Expected Results:'''

The existing dashboard application will be expanded and will involve features like:
* Search (could involve significant back-end work to configure indexing, etc.)
* Policy Management (edit server configuration in real-time)
* Data visualization / dashboarding

Source code, tests, and associated documentation for both the back-end and UI will be delivered for this effort.

'''Knowledge Prerequisites:'''

Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the domain.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Trend Monitoring Analysis Engine ===

'''Brief Explanation:'''

AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor.

'''Expected Results:'''

The project should produce:
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine
* Associated configuration mechanism to specify the trending rules/policy
* A small full sample demo application showing usage of the trend monitoring feature

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in Java and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Expand language support for clients ===

'''Brief Explanation:'''

AppSensor supports various modes for communication with the server. The language and framework of the client application are required only to support the given mode. This flexibility is desirable, but having pre-built clients in various languages is useful for our user-base. This project would involve working with various popular languages and frameworks to build support for communicating with the appsensor server backend.

'''Expected Results:'''

The project should produce:
* Clients in multiple popular languages for interaction with appsensor server
* Evaluate the possibility for generating clients from specification as opposed to writing and maintaining the code (ie. swagger for REST)
* At a minimum, coverage for the HTTP/REST mode should be supported. Other modes (thrift, soap, kafka, etc.) will be produced as time allows.
* Several small demo applications showing usage of the given APIs

Source code and tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable working in multiple popular languages and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

=== Implement Detection Points in Reverse Proxy ===

'''Brief Explanation:'''

AppSensor works by tracking events that are created by "detection points", essentially locations in the processing pipeline where suspicious or malicious intent is observed. This often requires business-specific detection within the application. However, the project has defined a number of detection points (https://www.owasp.org/index.php/AppSensor_DetectionPoints) and responses (https://www.owasp.org/index.php/AppSensor_ResponseActions), some of which can be generically applied across a broader set of applications, including those that are common to an entire organization or even cross-organization. For that reason, a sub-project has been created (https://github.com/jtmelton/appsensor-reverse-proxy) that provides support for detection points and responses that are generic enough to be broadly applicable. This project would expand support for these detection points and responses.

'''Expected Results:'''

The project should produce:
* New detection points and responses
* Documentation for how to deploy the project and any end-user considerations
* Load testing each function as this project front-ends applications, and traffic throughput characteristics are important to our user-base.
* A small sample demo application showing the utility of the proxy. A recording of the usage for community viewing would be beneficial.

Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it.

'''Knowledge Prerequisites:'''

Comfortable in golang and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Educational component ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.

'''Expected Results:'''

* Develop uneatable knowledge base and GUI for it
* Develop web server where the knowledge base can be updated
* Improve current educational reporting
* Develop methodology for monitoring users and notifying them about risky activities

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP ZSC Tool ==

'''Brief Explanation:'''

[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

'''Expected Results:'''

Please take a look of our TODO list in Github to get some ideas:
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues

Another ideas:
* Help us develop shellcode module for windows
* Develop shellcode module for OSX

Read about the project here:
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

Recommended reading:
http://www.vividmachines.com/shellcode/shellcode.html

'''Knowledge Prerequisites:'''
* Python
* Basic knowledge about Shellcode and assembly language

'''Mentors:'''
*Christo and Timo Goosen and Brian Beaudry- OWASP ZSC Contributors

Contact us through our mailing list for questions:
https://groups.google.com/d/forum/owasp-zsc

== OWASP-SKF (Security Knowledge Framework) ==

'''Brief Explanation:'''
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX under python.

The 4 Core usage of SKF:

Security Requirements OWASP ASVS for development and for third party vendor applications
Security knowledge reference (Code examples/ Knowledge Base items)
Security is part of design with the pre-development functionality in SKF
Security post-development functionality in SKF for verification with the OWASP ASVS

'''Expected Results:'''

More code examples for different languages
Better quality of the knowledge base items
More items in the pre-development phase
Editable checklists in the post-development phase

We really would love to improve the quality of the knowledge base items further, also we would love to have more code examples in the different languages like: Perl, Hack, Go, Node.js and more.

Please take a look of our TODO list in Github to get some ideas:
https://github.com/blabla1337/skf-flask/issues

Another ideas:
* Help us with stuff you think is missing in the SKF project

Read about the project here:
https://skf.readme.io

Recommended reading (here you find a link to the Online Demo):
https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

'''Knowledge Prerequisites:'''
* Python, PHP, Hack, .NET, GO, Ruby, Perl, Java, Node.js
* Basic knowledge about programming in one of the above languages

'''Mentors:'''
*Glenn and Riccardo ten Cate- OWASP-SKF project leaders

Category:OWASP Github Documentation

2016-02-15T21:46:24Z

Foobar: /* Volunteers */

==Proposal to transport OWASP wiki content Documentation to a centralize system==

===Problem Definition===
The issues that can arise from our current method of developing our various docs include:
*Draft content that exists in the wiki. This may be in varying states (correct, incorrect, lousy, confused, etc.) and is visible to the internet and typically not clearly labelled as draft. Google ‘owasp purple monkey dishwasher’ for an example of a draft wiki page visible to the internet. This content also needs to get cleaned up after a project release.
*Substandard descriptions/content can get into our docs. Getting people to review every line/example/diagram/appendix is difficult with a volunteer organization (as other threads have discussed)
*Duplications happen, as 10 different projects create/copy/paste their definitions of topics such as XSS, SQLi, CSRF, etc. This wastes effort in an organization already constrained of active volunteers.
*Content gets out-of-date. The work to create a new version of a doc project takes years.

==Proposal Details==
* We dump all of the content from our wiki, current docs, descriptions in code tools, etc. We put it into markup (as some projects are already doing) and add it to source code repositories.
* We share doc markup files across ALL docs and code projects. For example, imagine we have a folder for SQLi. This directory contains the OWASP ‘golden source’ for SQLi definition, examples, code, tests, etc. * Repeat for all other AppSec issues (CSRF, cert pinning, etc.). We use a mechanism to ‘compile’ these markdown files into PDFs and integrate into code project HTML pages.
* Similar to good coding projects, we control who can edit the files under certain directories – people we know have expertise in an area. Edits get peer reviewed before submission. Other people can suggest edits and prove their experience to the existing team to join it.
*We allow anyone to ‘include’ this markup file into their project. So if the Code Review Guide wants to add a section on SQLi, and needs a definition, I don’t write it (or copy from wiki), I simply include the relevant markup file. Same for testing guide, dev guide, ZAP hints page, security shepherd info page, cheetsheet, and on and on.
*We allow all of our docs, plus the wiki, plus all code projects, to dynamically use an markup file update. We make this ‘real time’. This needs an example. Say in March a massive change occurs in the world of SQLi. Right now any project that talks about SQLi would need to manually go in and update, and those updates will be of varying quality and content. If, instead, one (true) source file was update, all those other projects could spot the change and automatically rebuild themselves, meaning the next person to download a development guide PDF, or view the wiki, would get the updated SQLi information.

This is a big change. This may be a controversial change. However it would greatly reduce our workload (only one markup document needs to get updated). It will also greatly reduce review tasks, as everyone is sharing core content which is reviewed once. It also improves our image to the world, as all projects have the same great descriptions and content.
This change also improves our responsiveness. Imagine a heartbleed type issue being reflected in all OWASP code and documentation projects, as well as the wiki/cheetsheets, within a few days? (simply the time for the team to agree updates to the text/examples/descriptions, review, and submit)
We should also make these markup files available to anyone on the internet (read only). This way the source descriptions become an OWASP resource it itself, and anyone out there needing to spread the word on AppSec has easy access to rock solid, up-to-date definitions.
This changes the model, from people like myself who run ‘projects’, to smaller expert teams who know ‘technologies’ (such as SQLi or IIS secure configuration). It focuses people where they want to be on docs projects, but easily shares that knowledge across all OWASP (and more) projects. It also means there’d never be another need to clean-up the wiki – it would always be based off the markup content.

Big downside: there’s a large piece of work to start it off. All content would need to get organized, put into sensible structure, converted to markdown, argued over, ‘experts’ defined and assigned, etc. I doubt this would be a volunteer effort, and may need contractor involvement. Could this be combined with the OWASP wiki redesign?

==Draft Plan==

==Volunteers==

Gary Robinson

Enrico Branca

Glenn ten Cate

==Participating Document Projects==

Code Review Project

[https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework OWASP Security Knowledge Framework]

Category:OWASP Github Documentation

2016-02-15T21:45:53Z

Foobar: /* Participating Document Projects */

==Proposal to transport OWASP wiki content Documentation to a centralize system==

===Problem Definition===
The issues that can arise from our current method of developing our various docs include:
*Draft content that exists in the wiki. This may be in varying states (correct, incorrect, lousy, confused, etc.) and is visible to the internet and typically not clearly labelled as draft. Google ‘owasp purple monkey dishwasher’ for an example of a draft wiki page visible to the internet. This content also needs to get cleaned up after a project release.
*Substandard descriptions/content can get into our docs. Getting people to review every line/example/diagram/appendix is difficult with a volunteer organization (as other threads have discussed)
*Duplications happen, as 10 different projects create/copy/paste their definitions of topics such as XSS, SQLi, CSRF, etc. This wastes effort in an organization already constrained of active volunteers.
*Content gets out-of-date. The work to create a new version of a doc project takes years.

==Proposal Details==
* We dump all of the content from our wiki, current docs, descriptions in code tools, etc. We put it into markup (as some projects are already doing) and add it to source code repositories.
* We share doc markup files across ALL docs and code projects. For example, imagine we have a folder for SQLi. This directory contains the OWASP ‘golden source’ for SQLi definition, examples, code, tests, etc. * Repeat for all other AppSec issues (CSRF, cert pinning, etc.). We use a mechanism to ‘compile’ these markdown files into PDFs and integrate into code project HTML pages.
* Similar to good coding projects, we control who can edit the files under certain directories – people we know have expertise in an area. Edits get peer reviewed before submission. Other people can suggest edits and prove their experience to the existing team to join it.
*We allow anyone to ‘include’ this markup file into their project. So if the Code Review Guide wants to add a section on SQLi, and needs a definition, I don’t write it (or copy from wiki), I simply include the relevant markup file. Same for testing guide, dev guide, ZAP hints page, security shepherd info page, cheetsheet, and on and on.
*We allow all of our docs, plus the wiki, plus all code projects, to dynamically use an markup file update. We make this ‘real time’. This needs an example. Say in March a massive change occurs in the world of SQLi. Right now any project that talks about SQLi would need to manually go in and update, and those updates will be of varying quality and content. If, instead, one (true) source file was update, all those other projects could spot the change and automatically rebuild themselves, meaning the next person to download a development guide PDF, or view the wiki, would get the updated SQLi information.

This is a big change. This may be a controversial change. However it would greatly reduce our workload (only one markup document needs to get updated). It will also greatly reduce review tasks, as everyone is sharing core content which is reviewed once. It also improves our image to the world, as all projects have the same great descriptions and content.
This change also improves our responsiveness. Imagine a heartbleed type issue being reflected in all OWASP code and documentation projects, as well as the wiki/cheetsheets, within a few days? (simply the time for the team to agree updates to the text/examples/descriptions, review, and submit)
We should also make these markup files available to anyone on the internet (read only). This way the source descriptions become an OWASP resource it itself, and anyone out there needing to spread the word on AppSec has easy access to rock solid, up-to-date definitions.
This changes the model, from people like myself who run ‘projects’, to smaller expert teams who know ‘technologies’ (such as SQLi or IIS secure configuration). It focuses people where they want to be on docs projects, but easily shares that knowledge across all OWASP (and more) projects. It also means there’d never be another need to clean-up the wiki – it would always be based off the markup content.

Big downside: there’s a large piece of work to start it off. All content would need to get organized, put into sensible structure, converted to markdown, argued over, ‘experts’ defined and assigned, etc. I doubt this would be a volunteer effort, and may need contractor involvement. Could this be combined with the OWASP wiki redesign?

==Draft Plan==

==Volunteers==

Gary Robinson
Enrico Branca

==Participating Document Projects==

Code Review Project

[https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework OWASP Security Knowledge Framework]

OWASP Security Knowledge Framework

2016-01-06T20:28:16Z

Foobar: /* Roadmap */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Security post-development functionality in SKF for verification with the OWASP ASVS

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

Installation guide with Chef:
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef 

Installation guide for AWS:
* https://skf.readme.io/docs/installation#section-aws-installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add generic Selenium test cases for the pre-development and post-development security controls.
- Add current code examples and refer them in the advices of the pre-development and post-development items.
- Add CWE to checklists
- Add Python code examples
- Add Java code examples
- Explain the SDLC more in-depth on our website and OWASP wiki page.
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 
Martin Knobloch 
Adam Fisher

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2016-01-06T20:25:25Z

Foobar: /* Contributors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Security post-development functionality in SKF for verification with the OWASP ASVS

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

Installation guide with Chef:
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef 

Installation guide for AWS:
* https://skf.readme.io/docs/installation#section-aws-installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 
Martin Knobloch 
Adam Fisher

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2016-01-06T20:24:01Z

Foobar:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Security post-development functionality in SKF for verification with the OWASP ASVS

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

Installation guide with Chef:
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef 

Installation guide for AWS:
* https://skf.readme.io/docs/installation#section-aws-installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 
Martin Knobloch
Adam Fisher

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2016-01-06T10:18:21Z

Foobar:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

* Security Requirements OWASP ASVS for development and for third party vendor applications
* Security knowledge reference (Code examples/ Knowledge Base items)
* Security is part of design with the pre-development functionality in SKF
* Security post-development functionality in SKF for verification with the OWASP ASVS

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

Installation guide with Chef:
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* http://www.secureby.design 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-10-17T22:50:00Z

Foobar:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

==Donate==
<paypal>Security Knowledge Framework </paypal>

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Video demo ==
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

Netherlands

2015-07-09T12:01:57Z

Foobar: /* Calendar */

{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}

<paypal>Netherlands</paypal>


= Local News =
=='''News'''==
:: Call for participation! For those who want to getting involved in the OWASP Netherlands Chapter, we meet:
::;[[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]] - [https://www.eventbrite.nl/e/tickets-owasp-netherlands-chapter-chapter-participation-meeting-juni-25th-2015-17423391834 Click here for Registration]

=='''Provisional 2014 Chapter Event Calendar'''==
:: <strike>[[Netherlands March 19th, 2015 | March 19th 2015 - HvA]]</strike>
:: <strike>[[Netherlands_April_30th,_2015 | April 30th - UWV Amsterdam]]</strike>
:: <strike>[http://appsec.eu OWASP Appsec-Eu/Research 2015] </strike>
:: [[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]]
:: [[Netherlands_September_17th_2015 | September 17th Radboud University Nijmegen]]
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].

=='''Other OWASP Events'''==
::;'''[https://www.owasp.org/index.php/OWASP_Events/upcoming_events OWASP Upcoming Events]'''

=='''Call for Presentations'''==
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]

=='''Stay in contact:'''==
<center>
{| cellspacing="15"
|-
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]]
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]
|}
</center>

=='''Sponsors'''==
Interested in Sponsoring the Netherlands OWASP Chapter, email netherlands '@' owasp.org



= Calendar =
== Provisional Chapter Event Calendar 2015 ==
{|class="wikitable" border="1" style="text-align:center;"|
! width="300" | Date
! width="350" | Link
! width="300" | Flyer
|- align="center"
| March 19th 2015
| [[Netherlands March 19th, 2015 | Agenda]]
| [[Media:OWASP Netherlands Chapter Meeting 2015-03-19.pdf | Flyer]]
|- align="center"
| April 30th, 2015
| [[Netherlands April 30th, 2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-04-30.pdf| Flyer]]
|- align="center"
| May 19th to 22nd, 2015
| [http://appsec.eu OWASP AppSec-EU/Research 2015 ]
| N/A
|- align="center"
| June 25th, 2015
| [[Netherlands_June_25th_2015 | Agenda]]
| N/A
|- align="center"
| September 17th, 2015
| [[Netherlands_September_17th_2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-09-17.pdf| Flyer TBD]]
|}


= Past Events =
*Events held in [[Netherlands Previous Events 2015|2015]]
*Events held in [[Netherlands Previous Events 2014|2014]]
*Events held in [[Netherlands Previous Events 2013|2013]]
*Events held in [[Netherlands Previous Events 2012|2012]]
*Events held in [[Netherlands Previous Events 2011|2011]]
*Events held in [[Netherlands Previous Events 2010|2010]]
*Events held in [[Netherlands Previous Events 2009|2009]]
*Events held in [[Netherlands Previous Events 2008|2008]]
*Events held in [[Netherlands Previous Events 2007|2007]]
*Events held in [[Netherlands Previous Events 2006|2006]]
*Events held in [[Netherlands Previous Events 2005|2005]]



= Chapter Leaders =
The Netherlands Chapter is supported by the following board:
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec
 
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.


= Chapter Support =
=== Chapter Sponsoring ===
OWASP Netherlands is looking for organizations to sponsor our chapter.
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].

=== Donation ===
If you would like to donate to our chapter, please use the PayPal link at the top of this page.
;Thank you!

=== Call for Speakers ===
We are continuously looking for speakers. '''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated! '''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it! 
Links: 
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org

=== Call for Location ===
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations!
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided.
What do we expect:
*meeting room for at least 50 people
*lunch for attendees
**drinks, sandwiches...
*a small present for the speakers
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org


__NOTOC__
<headertabs/>
[[Category:Europe]]

Netherlands

2015-07-09T12:00:08Z

Foobar: /* Calendar */

{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}

<paypal>Netherlands</paypal>


= Local News =
=='''News'''==
:: Call for participation! For those who want to getting involved in the OWASP Netherlands Chapter, we meet:
::;[[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]] - [https://www.eventbrite.nl/e/tickets-owasp-netherlands-chapter-chapter-participation-meeting-juni-25th-2015-17423391834 Click here for Registration]

=='''Provisional 2014 Chapter Event Calendar'''==
:: <strike>[[Netherlands March 19th, 2015 | March 19th 2015 - HvA]]</strike>
:: <strike>[[Netherlands_April_30th,_2015 | April 30th - UWV Amsterdam]]</strike>
:: <strike>[http://appsec.eu OWASP Appsec-Eu/Research 2015] </strike>
:: [[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]]
:: [[Netherlands_September_17th_2015 | September 17th Radboud University Nijmegen]]
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].

=='''Other OWASP Events'''==
::;'''[https://www.owasp.org/index.php/OWASP_Events/upcoming_events OWASP Upcoming Events]'''

=='''Call for Presentations'''==
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]

=='''Stay in contact:'''==
<center>
{| cellspacing="15"
|-
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]]
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]
|}
</center>

=='''Sponsors'''==
Interested in Sponsoring the Netherlands OWASP Chapter, email netherlands '@' owasp.org



= Calendar =
== Provisional Chapter Event Calendar 2015 ==
{|class="wikitable" border="1" style="text-align:center;"|
! width="300" | Date
! width="350" | Link
! width="300" | Flyer
|- align="center"
| March 19th 2015
| [[Netherlands March 19th, 2015 | Agenda]]
| [[Media:OWASP Netherlands Chapter Meeting 2015-03-19.pdf | Flyer]]
|- align="center"
| April 30th, 2015
| [[Netherlands April 30th, 2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-04-30.pdf| Flyer]]
|- align="center"
| May 19th to 22nd, 2015
| [http://appsec.eu OWASP AppSec-EU/Research 2015 ]
| N/A
|- align="center"
| June 25th, 2015
| [[Netherlands_June_25th_2015 | Agenda]]
| N/A
|- align="center"
| September 17th, 2015
| [[Netherlands_September_17th_2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-09-17.pdf| Flyer TBD]]
|- align="center"
| October 22th, 2015
| [[Netherlands_October_22th_2015 | Agenda]]
N/A
|}


= Past Events =
*Events held in [[Netherlands Previous Events 2015|2015]]
*Events held in [[Netherlands Previous Events 2014|2014]]
*Events held in [[Netherlands Previous Events 2013|2013]]
*Events held in [[Netherlands Previous Events 2012|2012]]
*Events held in [[Netherlands Previous Events 2011|2011]]
*Events held in [[Netherlands Previous Events 2010|2010]]
*Events held in [[Netherlands Previous Events 2009|2009]]
*Events held in [[Netherlands Previous Events 2008|2008]]
*Events held in [[Netherlands Previous Events 2007|2007]]
*Events held in [[Netherlands Previous Events 2006|2006]]
*Events held in [[Netherlands Previous Events 2005|2005]]



= Chapter Leaders =
The Netherlands Chapter is supported by the following board:
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec
 
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.


= Chapter Support =
=== Chapter Sponsoring ===
OWASP Netherlands is looking for organizations to sponsor our chapter.
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].

=== Donation ===
If you would like to donate to our chapter, please use the PayPal link at the top of this page.
;Thank you!

=== Call for Speakers ===
We are continuously looking for speakers. '''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated! '''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it! 
Links: 
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org

=== Call for Location ===
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations!
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided.
What do we expect:
*meeting room for at least 50 people
*lunch for attendees
**drinks, sandwiches...
*a small present for the speakers
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org


__NOTOC__
<headertabs/>
[[Category:Europe]]

Netherlands

2015-07-09T11:59:36Z

Foobar: /* Calendar */

{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}}

<paypal>Netherlands</paypal>


= Local News =
=='''News'''==
:: Call for participation! For those who want to getting involved in the OWASP Netherlands Chapter, we meet:
::;[[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]] - [https://www.eventbrite.nl/e/tickets-owasp-netherlands-chapter-chapter-participation-meeting-juni-25th-2015-17423391834 Click here for Registration]

=='''Provisional 2014 Chapter Event Calendar'''==
:: <strike>[[Netherlands March 19th, 2015 | March 19th 2015 - HvA]]</strike>
:: <strike>[[Netherlands_April_30th,_2015 | April 30th - UWV Amsterdam]]</strike>
:: <strike>[http://appsec.eu OWASP Appsec-Eu/Research 2015] </strike>
:: [[Netherlands_June_25th_2015 | OWASP NL Chapter participation meeting, June 25th]]
:: [[Netherlands_September_17th_2015 | September 17th Radboud University Nijmegen]]
::;Slide Decks from past Chapter meetings can be downloaded from the [https://www.owasp.org/index.php/Netherlands#tab=Past_Events Past Events page].

=='''Other OWASP Events'''==
::;'''[https://www.owasp.org/index.php/OWASP_Events/upcoming_events OWASP Upcoming Events]'''

=='''Call for Presentations'''==
::;[https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dGs1UFN0Ul9YR1pRcGdYRmtYallraUE6MQ#gid=0 OWASP NL Chapter Call For Presentation]

=='''Stay in contact:'''==
<center>
{| cellspacing="15"
|-
| [[Image:Join the list.png|150px|link=http://lists.owasp.org/mailman/listinfo/owasp-netherlands]]
| [[Image:Follow-us-on-twitter.png|175px|link=http://www.twitter.com/owasp_NL]]
| [[Image:Linkedin-button.gif|135px|link=http://www.linkedin.com/groups/OWASP-Netherlands-Chapter-1987229/about]]
|}
</center>

=='''Sponsors'''==
Interested in Sponsoring the Netherlands OWASP Chapter, email netherlands '@' owasp.org



= Calendar =
== Provisional Chapter Event Calendar 2015 ==
{|class="wikitable" border="1" style="text-align:center;"|
! width="300" | Date
! width="350" | Link
! width="300" | Flyer
|- align="center"
| March 19th 2015
| [[Netherlands March 19th, 2015 | Agenda]]
| [[Media:OWASP Netherlands Chapter Meeting 2015-03-19.pdf | Flyer]]
|- align="center"
| April 30th, 2015
| [[Netherlands April 30th, 2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-04-30.pdf| Flyer]]
|- align="center"
| May 19th to 22nd, 2015
| [http://appsec.eu OWASP AppSec-EU/Research 2015 ]
| N/A
|- align="center"
| June 25th, 2015
| [[Netherlands_June_25th_2015 | Agenda]]
| N/A
|- align="center"
| September 17th, 2015
| [[Netherlands_September_17th_2015 | Agenda]]
| [[Media:OWASP_Netherlands_Chapter_Meeting_2015-09-17.pdf| Flyer TBD]]
|}
|- align="center"
| October 22th, 2015
| [[Netherlands_October_22th_2015 | Agenda]]
|}


= Past Events =
*Events held in [[Netherlands Previous Events 2015|2015]]
*Events held in [[Netherlands Previous Events 2014|2014]]
*Events held in [[Netherlands Previous Events 2013|2013]]
*Events held in [[Netherlands Previous Events 2012|2012]]
*Events held in [[Netherlands Previous Events 2011|2011]]
*Events held in [[Netherlands Previous Events 2010|2010]]
*Events held in [[Netherlands Previous Events 2009|2009]]
*Events held in [[Netherlands Previous Events 2008|2008]]
*Events held in [[Netherlands Previous Events 2007|2007]]
*Events held in [[Netherlands Previous Events 2006|2006]]
*Events held in [[Netherlands Previous Events 2005|2005]]



= Chapter Leaders =
The Netherlands Chapter is supported by the following board:
*[https://www.owasp.org/index.php/User:Ferdinand_Vroom Ferdinand Vroom]
*[https://www.owasp.org/index.php/User:Knoblochmartin Martin Knobloch], PervaSec
 
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email adres
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.


= Chapter Support =
=== Chapter Sponsoring ===
OWASP Netherlands is looking for organizations to sponsor our chapter.
If you are interested in sponsoring the Netherlands chapter please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].

=== Donation ===
If you would like to donate to our chapter, please use the PayPal link at the top of this page.
;Thank you!

=== Call for Speakers ===
We are continuously looking for speakers. '''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated! '''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it! 
Links: 
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template]
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org

=== Call for Location ===
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations!
Most preferable, the location is good accessible with public transport and by car. Free parking should be provided.
What do we expect:
*meeting room for at least 50 people
*lunch for attendees
**drinks, sandwiches...
*a small present for the speakers
**(e.g. bottle of wine, for speakers from aboard alcohol might be less practical if flying in only with hand luggage)
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org


__NOTOC__
<headertabs/>
[[Category:Europe]]

OWASP Security Knowledge Framework

2015-07-01T21:53:50Z

Foobar: /* Contributors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 
Bithin Alangot 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-26T20:32:04Z

Foobar: /* Documentation */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of workshop DevOpsDays 2015 Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-26T20:30:14Z

Foobar: /* Documentation */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of DevOpsDays Amsterdam: 
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

File:Skf-design-workshop.pptx.pdf

2015-06-26T20:30:01Z

Foobar: DevOpsDays Amsterdam 2015 Workshop OWASP-SKF

DevOpsDays Amsterdam 2015 Workshop OWASP-SKF

OWASP Security Knowledge Framework

2015-06-26T20:18:06Z

Foobar: /* Documentation */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of DevOpsDays Amsterdam: 
https://www.owasp.org/images/2/24/Skfpptx-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-26T20:17:05Z

Foobar: /* Documentation */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

Slides of DevOpsDays Amsterdam:
https://www.owasp.org/images/2/24/Skfpptx-design-workshop.pptx.pdf

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

File:Skfpptx-design-workshop.pptx.pdf

2015-06-26T20:11:19Z

Foobar: Workshop slides given @ DevOpsDays Amsterdam 2015

Workshop slides given @ DevOpsDays Amsterdam 2015

OWASP Security Knowledge Framework

2015-06-23T19:17:50Z

Foobar:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework==
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-12T17:31:02Z

Foobar: /* Contributors */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework Project==
The OWASP Security Knowledge Framework Project is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 
Martijn Gijsberti Hodenpijl 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-07T17:34:56Z

Foobar: /* SKF SDLC */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework Project==
The OWASP Security Knowledge Framework Project is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

== ssllabs.com & sslbadge.org ==

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Security Knowledge Framework

2015-06-07T16:24:17Z

Foobar: /* SKF SDLC */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Knowledge Framework Project==
The OWASP Security Knowledge Framework Project is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications 
- Security knowledge reference (Code examples/ Knowledge Base items) 
- Security is part of design with the pre-development functionality in SKF 
- Security post-development functionality in SKF for verification with the OWASP ASVS 

== Description ==

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

== Why Use The OWASP Security Knowledge Framework? ==

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of
different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Download ==
'''Github/source-code:''' 
* https://github.com/blabla1337/skf-flask 

Installation guide:
* http://skf.readme.io/v1.0/docs/installation 

== Project Online Demo ==
'''username: admin password: test-skf''' 
* https://demo.securityknowledgeframework.org 

'''Project website:''' 
* https://www.securityknowledgeframework.org 

== Project OWASP-SKF Pebble ==
'''Released OWASP-SKF Pebble in the Appstore for free''' 
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042 

== Related Projects ==

[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''

* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== Project Leaders ==
[mailto:glenntencate@gmail.com Glenn ten Cate] 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

|}

=Documentation=

For detailed information, documentation, tutorials and guide's please visit: 
https://skf.readme.io 
OR 
https://www.securityknowledgeframework.org 

= Roadmap and Getting Involved =

==Roadmap==

Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''

- Add code examples -> relevant knowledge-base items in results
- Add CWE to checklists
- Add user management
- Add Python code examples
- Add Java code examples
- Add Go/Ruby/??? code examples

==Getting Involved==

Submitting a Pull Request on Guthub:

Fork it.
Create a branch (git checkout -b my_markup)
Commit your changes (git commit -am "Added Snarkdown")
Push to the branch (git push origin my_markup)
Check Travis status if build is still working
Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

= SKF SDLC =

SKF uses the following services to provide quality over the code and releases.

== Travis-ci.org:==
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

== Coveralls.io:==
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

== Scrutinizer-ci.com==
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

== Uptimerobot.com==
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

= Contributors =
==Contributors==

Glenn ten Cate 
Riccardo ten Cate 
Alexander Kaasjager 
John Haley 
Daniel Paulus 
Erik de Kuijper 
Roderick Schaefer 
Jim Manico 

 
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]