https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Riiecco
OWASP - User contributions [en]
2026-05-01T17:52:25Z
User contributions
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=246505
GSoC2019 Ideas
2019-01-10T19:57:38Z
<p>Riiecco: /* OWASP-SKF (draft) */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF (draft)==<br />
Idea 1: <br />
<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be <br />
<br />
easily deployed.<br />
<br />
In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and <br />
<br />
a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the <br />
<br />
vulnerabilities in their own code. <br />
* For example we have now around 20 lab challenges in Docker container build in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their<br />
<br />
labs running. Of course they can download it and build it themselves from source by pulling the original repository. <br />
<br />
Idea 2: <br />
<br />
We want to extend the Machine learning chatbot functionality in SKF.<br />
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.<br />
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.<br />
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVSĀ or other custom checklists that are present in SKF.<br />
* Extend the bot to different platforms like Facebook, telegram, slack etc.<br />
** Now the working chatbot implementation for example is only for Gitter<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
OWASP Honeypot is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Start ===<br />
<br />
It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to add more modules and optimize the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more linux services<br />
<br />
=== Expected Results ===<br />
...<br />
<br />
=== Roadmap ===<br />
<br />
...<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis<br />
* Docker<br />
* Database<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
TODO<br />
<br />
'''Expected Results:'''<br />
<br />
TODO<br />
<br />
''' Getting started: '''<br />
<br />
TODO<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
TODO<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader</div>
Riiecco
https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=246504
GSoC2019 Ideas
2019-01-10T19:57:23Z
<p>Riiecco: /* OWASP-SKF (draft) */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF (draft)==<br />
Idea 1: <br />
<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be <br />
<br />
easily deployed.<br />
<br />
In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and <br />
<br />
a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the <br />
<br />
vulnerabilities in their own code. <br />
* For example we have now around 20 lab challenges in Docker container build in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their<br />
<br />
labs running. Of course they can download it and build it themselves from source by pulling the original repository. <br />
<br />
Idea 2: <br />
<br />
We want to extend the Machine learning chatbot functionality in SKF.<br />
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.<br />
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.<br />
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVSĀ or other custom checklists that are present in SKF.<br />
* Extend the bot to different platforms like Facebook, telegram, slack etc.<br />
** Now the working chatbot implementation for example is only for Gitter<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
OWASP Honeypot is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Start ===<br />
<br />
It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to add more modules and optimize the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more linux services<br />
<br />
=== Expected Results ===<br />
...<br />
<br />
=== Roadmap ===<br />
<br />
...<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis<br />
* Docker<br />
* Database<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
TODO<br />
<br />
'''Expected Results:'''<br />
<br />
TODO<br />
<br />
''' Getting started: '''<br />
<br />
TODO<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
TODO<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=242863
OWASP Security Knowledge Framework
2018-08-27T18:36:29Z
<p>Riiecco: /* Classifications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Use SKF to gather the right security requirements for your projects<br />
* SKF then gives extensive knowledgebase items that correlates to the security requirements<br />
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements<br />
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br /><br />
* https://github.com/blabla1337/skf-flask<br /><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br />
* https://demo.securityknowledgeframework.org<br /><br />
<br />
'''Project website:'''<br />
* http://www.secureby.design<br /><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br /><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br /><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Milestones / Roadmap and Getting Involved =<br />
<br />
==Next major release features==<br />
* Implement the MASVS Knowledge base items in the OWASP-SKF project <br />
<br />
* Implement MASVS process flow under the new project section <br />
* Implement dynamic checklist creation for custom checklists to process flow under the new project section <br />
* Add CWE to Knowledge base items <br />
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide) <br />
* Add internationalist feature to SKF for supporting multiple human languages <br />
* Market and brand the new AI chat-bot implementation <br />
* Add dynamic questionnaire creation that links questions to security requirements <br />
<br />
Check out the detailed roadmap here: <br />
<br />
'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== CI-Pipeline ==<br />
<br />
=== Travis-ci.org: ===<br />
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code> <br />
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki><br />
<br />
=== Coveralls.io Python: ===<br />
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code> <br />
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki><br />
<br />
=== codecov.io for Angular: ===<br />
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code> <br />
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki><br />
<br />
=== Scrutinizer-ci.com: ===<br />
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code> <br />
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki><br />
<br />
=== Bithound.io NPM packages: ===<br />
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code> <br />
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki><br />
<br />
=== Requires.io pip packages: ===<br />
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code> <br />
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki><br />
<br />
=== Black Duck Security Risk: ===<br />
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code> <br />
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki><br />
<br />
=== uptimerobot.com: ===<br />
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code> <br />
<br />
=== ssllabs.com & sslbadge.org: ===<br />
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code> <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=231535
OWASP Security Knowledge Framework
2017-07-10T20:46:35Z
<p>Riiecco: /* Roadmap */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Use SKF to gather the right security requirements for your projects<br />
* SKF then gives extensive knowledgebase items that correlates to the security requirements<br />
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements<br />
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br /><br />
* https://github.com/blabla1337/skf-flask<br /><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br />
* https://demo.securityknowledgeframework.org<br /><br />
<br />
'''Project website:'''<br />
* http://www.secureby.design<br /><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br /><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br /><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Midlevel.png]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add generic Selenium test cases for the pre-development and post-development security controls.<br />
- Add current code examples and refer them in the advices of the pre-development and post-development items.<br />
- Add CWE to checklists<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Explain the SDLC more in-depth on our website and OWASP wiki page.<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== CI-Pipeline ==<br />
<br />
=== Travis-ci.org: ===<br />
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code> <br />
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki><br />
<br />
=== Coveralls.io Python: ===<br />
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code> <br />
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki><br />
<br />
=== codecov.io for Angular: ===<br />
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code> <br />
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki><br />
<br />
=== Scrutinizer-ci.com: ===<br />
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code> <br />
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki><br />
<br />
=== Bithound.io NPM packages: ===<br />
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code> <br />
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki><br />
<br />
=== Requires.io pip packages: ===<br />
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code> <br />
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki><br />
<br />
=== Black Duck Security Risk: ===<br />
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code> <br />
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki><br />
<br />
=== uptimerobot.com: ===<br />
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code> <br />
<br />
=== ssllabs.com & sslbadge.org: ===<br />
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code> <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=231532
OWASP Security Knowledge Framework
2017-07-10T20:04:04Z
<p>Riiecco: /* Travis-ci.org: */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Use SKF to gather the right security requirements for your projects<br />
* SKF then gives extensive knowledgebase items that correlates to the security requirements<br />
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements<br />
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br /><br />
* https://github.com/blabla1337/skf-flask<br /><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br /><br />
<br />
<b>Installation guide with Chef:</b><br />
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef<br /><br />
<br />
<b>Installation guide for AWS:</b><br />
* https://skf.readme.io/docs/installation#section-aws-installation<br /><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br /><br />
* https://demo.securityknowledgeframework.org<br /><br />
<br />
'''Project website:'''<br /><br />
* http://www.secureby.design<br /><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br /><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br /><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br /><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br /><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add generic Selenium test cases for the pre-development and post-development security controls.<br />
- Add current code examples and refer them in the advices of the pre-development and post-development items.<br />
- Add CWE to checklists<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Explain the SDLC more in-depth on our website and OWASP wiki page.<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
<br />
;<br />
<br />
<br /><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=231531
OWASP Security Knowledge Framework
2017-07-10T19:58:56Z
<p>Riiecco: /* Main */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Use SKF to gather the right security requirements for your projects<br />
* SKF then gives extensive knowledgebase items that correlates to the security requirements<br />
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements<br />
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br /><br />
* https://github.com/blabla1337/skf-flask<br /><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br /><br />
<br />
<b>Installation guide with Chef:</b><br />
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef<br /><br />
<br />
<b>Installation guide for AWS:</b><br />
* https://skf.readme.io/docs/installation#section-aws-installation<br /><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br /><br />
* https://demo.securityknowledgeframework.org<br /><br />
<br />
'''Project website:'''<br /><br />
* http://www.secureby.design<br /><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br /><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br /><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br /><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br /><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add generic Selenium test cases for the pre-development and post-development security controls.<br />
- Add current code examples and refer them in the advices of the pre-development and post-development items.<br />
- Add CWE to checklists<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Explain the SDLC more in-depth on our website and OWASP wiki page.<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
<br />
;[[user:Foobar|Glenn ten Cate]]<br />
;[[user:Riccardo_ten_Cate|Riccardo ten Cate]]<br />
;Alexander Kaasjager<br />
;John Haley<br />
;Daniel Paulus<br />
;Erik de Kuijper<br />
;Roderick Schaefer<br />
;[[user:Jmanico|Jim Manico]]<br />
;Martijn Gijsberti Hodenpijl<br />
;Bithin Alangot<br />
;[[user:Knoblochmartin|Martin Knobloch]]<br />
;Adam Fisher<br />
;Tom wirschell<br />
;[[user:johestephan|Joerg Stephan]]<br />
;Mihai Roman <br />
<br />
<br /><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225509
GSOC2017 Ideas
2017-01-23T23:21:47Z
<p>Riiecco: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile Appās that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided Appās and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the worldās most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field enumeration ===<br />
<br />
This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
<br />
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
<br />
''' Expected Results '''<br />
<br />
* User able to specify a specific field to enumerate via the ZAP UI<br />
* A list of all valid characters to be returned from the sets of characters the user specifies<br />
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
''' Mentors '''<br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Scripting Code Completion ===<br />
<br />
ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
<br />
''' Expected Results '''<br />
<br />
* Code completion for all of the parameters for all available functions in the standard scripts<br />
* Implementations for JavaScript, JRuby and Jython<br />
* Helper classes with code completion for commonly required functionality<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
'''Knowledge Prerequisites:'''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages <br />
showing how to prevent hackers gaining access and running exploits on your application.<br />
<br />
*In a nutshell*<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development (Security by design, early feedback of possible security issues)<br />
<br />
- Security support post-development(Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
''' Getting started '''<br />
* Please send an email to riccardo.ten.cate@owasp.org or glenn.ten.cate@owasp.org and we would love to tell you all about it! :-)<br />
<br />
'''Expected Results:'''<br />
* Adding features.<br />
* Adding functions<br />
* Adding/updating code examples.<br />
* Adding/updating Knowledgebase items.<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required.<br />
* For writing /updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate<br />
<br />
Glenn ten Cate</div>
Riiecco
https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225508
GSOC2017 Ideas
2017-01-23T23:21:23Z
<p>Riiecco: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile Appās that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided Appās and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the worldās most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field enumeration ===<br />
<br />
This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
<br />
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
<br />
''' Expected Results '''<br />
<br />
* User able to specify a specific field to enumerate via the ZAP UI<br />
* A list of all valid characters to be returned from the sets of characters the user specifies<br />
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
''' Mentors '''<br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Scripting Code Completion ===<br />
<br />
ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
<br />
''' Expected Results '''<br />
<br />
* Code completion for all of the parameters for all available functions in the standard scripts<br />
* Implementations for JavaScript, JRuby and Jython<br />
* Helper classes with code completion for commonly required functionality<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
'''Knowledge Prerequisites:'''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages <br />
showing how to prevent hackers gaining access and running exploits on your application.<br />
<br />
*In a nutshell*<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development (Security by design, early feedback of possible security issues)<br />
<br />
- Security support post-development(Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
''' Getting started '''<br />
* Please send an email to riccardo.ten.cate@owasp.org or glenn.ten.cate@owasp.org and we would love to tell you all about it! :-)<br />
<br />
'''Expected Results:'''<br />
* Adding features.<br />
* Adding functions<br />
* Adding/updating code examples.<br />
* Adding/updating Knowledgebase items.<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required.<br />
* For writing /updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate<br />
Glenn ten Cate</div>
Riiecco
https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225507
GSOC2017 Ideas
2017-01-23T23:20:19Z
<p>Riiecco: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile Appās that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided Appās and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the worldās most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field enumeration ===<br />
<br />
This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
<br />
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
<br />
''' Expected Results '''<br />
<br />
* User able to specify a specific field to enumerate via the ZAP UI<br />
* A list of all valid characters to be returned from the sets of characters the user specifies<br />
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
''' Mentors '''<br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Scripting Code Completion ===<br />
<br />
ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
<br />
''' Expected Results '''<br />
<br />
* Code completion for all of the parameters for all available functions in the standard scripts<br />
* Implementations for JavaScript, JRuby and Jython<br />
* Helper classes with code completion for commonly required functionality<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
'''Knowledge Prerequisites:'''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages <br />
showing how to prevent hackers gaining access and running exploits on your application.<br />
<br />
*In a nutshell*<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development (Security by design, early feedback of possible security issues)<br />
<br />
- Security support post-development(Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
''' Getting started '''<br />
* Please send an email to riccardo.ten.cate@owasp.org or glenn.ten.cate@owasp.org and we would love to tell you all about it! :-)<br />
<br />
'''Expected Results:'''<br />
* Adding features.<br />
* Adding functions<br />
* Adding/updating code examples.<br />
* Adding/updating Knowledgebase items.<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
'''Knowledge Prerequisites:'''<br />
1. For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
2. For writing knowledgebase items only technical knowledge of application security is required.<br />
3. For writing /updating code examples you need to know a programming language along with secure development.<br />
4. For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
Riccardo ten Cate<br />
Glenn ten Cate</div>
Riiecco
https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225506
GSOC2017 Ideas
2017-01-23T23:18:41Z
<p>Riiecco: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile Appās that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided Appās and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the worldās most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field enumeration ===<br />
<br />
This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
<br />
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
<br />
''' Expected Results '''<br />
<br />
* User able to specify a specific field to enumerate via the ZAP UI<br />
* A list of all valid characters to be returned from the sets of characters the user specifies<br />
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
''' Mentors '''<br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Scripting Code Completion ===<br />
<br />
ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
<br />
''' Expected Results '''<br />
<br />
* Code completion for all of the parameters for all available functions in the standard scripts<br />
* Implementations for JavaScript, JRuby and Jython<br />
* Helper classes with code completion for commonly required functionality<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
''' Knowledge Prerequisite: '''<br />
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
<br />
'''Knowledge Prerequisites:'''<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages <br />
showing how to prevent hackers gaining access and running exploits on your application.<br />
<br />
*In a nutshell<br />
- Training developers in writing secure code<br />
- Security support pre-development (Security by design, early feedback of possible security issues)<br />
- Security support post-development(Double check your code by means of the OWASP ASVS checklists )<br />
- Code examples for secure coding<br />
<br />
''' Getting started '''<br />
* Please send an email to riccardo.ten.cate@owasp.org or glenn.ten.cate@owasp.org and we would love to tell you all about it! :-)<br />
<br />
'''Expected Results:'''<br />
* Adding features.<br />
* Adding functions<br />
* Adding/updating code examples.<br />
* Adding/updating Knowledgebase items.<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
'''Knowledge Prerequisites:'''<br />
1. For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
2. For writing knowledgebase items only technical knowledge of application security is required.<br />
3. For writing /updating code examples you need to know a programming language along with secure development.<br />
4. For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
Riccardo ten Cate<br />
Glenn ten Cate</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=223716
OWASP Security Knowledge Framework
2016-11-29T09:50:34Z
<p>Riiecco: /* Contributors */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Security post-development functionality in SKF for verification with the OWASP ASVS<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
<b>Installation guide with Chef:</b><br />
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef<br/><br />
<br />
<b>Installation guide for AWS:</b><br />
* https://skf.readme.io/docs/installation#section-aws-installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* http://www.secureby.design<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add generic Selenium test cases for the pre-development and post-development security controls.<br />
- Add current code examples and refer them in the advices of the pre-development and post-development items.<br />
- Add CWE to checklists<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Explain the SDLC more in-depth on our website and OWASP wiki page.<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
<br />
;[[user:Foobar|Glenn ten Cate]]<br />
;[[user:Riccardo_ten_Cate|Riccardo ten Cate]]<br />
;Alexander Kaasjager<br />
;John Haley<br />
;Daniel Paulus<br />
;Erik de Kuijper<br />
;Roderick Schaefer<br />
;[[user:Jmanico|Jim Manico]]<br />
;Martijn Gijsberti Hodenpijl<br />
;Bithin Alangot<br />
;[[user:Knoblochmartin|Martin Knobloch]]<br />
;Adam Fisher<br />
;Tom wirschell<br />
;[[user:johestephan|Joerg Stephan]]<br />
;Mihai Roman <br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=User:Riccardo_ten_Cate&diff=219934
User:Riccardo ten Cate
2016-08-01T20:15:58Z
<p>Riiecco: </p>
<hr />
<div>As a penetration tester and software developer from the Netherlands Riccardo specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2016&diff=208552
BeNeLux OWASP Day 2016
2016-02-12T06:34:27Z
<p>Riiecco: /* Glenn ten Cate, Riccardo ten Cate -- Security knowledge framework */</p>
<hr />
<div><center>[[Image:OWASP BeNeLux 2015.png|center|512px]]<br></center><br />
<br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Information =<br />
<br />
== OWASP BeNeLux Announcement ==<br />
We are proud to announce the dates of the next edition of BeNeLux OWASP Day!<br />
The event will take place on <span style="color:#ff0000">17 and 18 March 2016</span>, in Belval Campus, in Esch-sur-Alzette - Luxembourg.<br />
More information on the venue can be found {{#switchtablink:Venue|here}}.<br />
<br><br />
{{#switchtablink:Registration| Don't wait and register now!}}<br />
<br />
<!--<br />
== News ==<br />
* <br />
* <br />
<br><br />
<br />
== Confirmed trainers for Trainingday ==<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
--><br />
<br />
== Confirmed speakers Conference ==<br />
{{#switchtablink:Conferenceday| <p><br />
* Julie Gommes<br />
* Stefan Burgmair (OWASP Germany) <br />
* Erik Poll (Radboud University)<br />
* Arne Swinnen (Nviso)<br />
* Glenn & Riccardo Ten Cate<br />
* Christian Schneider & Alvaro MuƱoz (HPE)<br />
* Michael Hamm (CIRCL - Computer Incident Response Center Luxembourg)<br />
}}<br />
<br><br />
<br />
== The OWASP BeNeLux Program Committee ==<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch, OWASP Netherlands<br />
*Jocelyn Aubert, OWASP Luxembourg<br />
<br><br />
<br />
== Tweet! ==<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl16 #owaspbnl16]<br />
<br><br><br />
== Donate to OWASP BeNeLux ==<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
== OWASP BeNeLux training day and conference are free, but registration is required! ==<br />
<br />
Register today at https://owasp-benelux-day-2016.eventbrite.com . We only have a limited number of seats available for our trainings and conference. First come, first serve!<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
== Venue is ==<br />
<br />
'''University of Luxembourg'''<br/><br />
'''Maison du Savoir'''<br/><br />
''2, avenue de l'UniversitƩ<br/><br />
L-4365 Esch-sur-Alzette''<br />
<br />
=== How to reach the venue? ===<br />
<br />
==== By car ====<br />
Check the [https://goo.gl/maps/d8lTe Belval Campus map] - available on google maps - for route information.<br />
<br />
Outdoor parking areas and underground car parks are available throughout the campus, particularly [http://www.cfl.lu/espaces/voyageurs/en/gares-et-services/auto-moto-v%C3%A9lo/p-r-belval-universit%C3%A9-1-622-places-%C3%A0-votre-disposition P+R Belval UniversitƩ], or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Square Mile parking] or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Belval Plaza].<br />
<br />
==== By train ====<br />
Trains departing every 15 minutes from Luxembourg Central Station are direct to "Belval-UniversitĆ©" - line is connection-free via Esch-sur-Alzette. Get information on train schedules on the [http://www.cfl.lu/en CFLās website].<br />
<br />
When on site, access to buildings is easy on foot.<br />
<br />
=== Hotel nearby ===<br />
[http://www.accorhotels.com/fr/hotel-7071-ibis-esch-belval/index.shtml Hotel Ibis Esch-Belval]<br/><br />
12, avenue du Rock'n'Roll<br/><br />
L-4361 Esch-sur-Alzette, Luxembourg<br/><br />
From 81 EUR per night<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
=== Trainingday is March 17th ===<br />
<br />
== Location ==<br />
The training venue is at the same location as the {{#switchtablink:Venue|conference venue}}.<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | Application Security Primer by Martin Knobloch<br />
| rowspan="7" style="width:100px;" | Hands-on Threat Modeling by Sebastien Deleersnyder<br />
| rowspan="7" style="width:100px;" | Security Shepherd by Mark Denihan<br />
| rowspan="7" style="width:100px;" | O-saft by Achim Hoffman & Torsten Gigler<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
== Application Security Primer by Martin Knobloch ==<br />
TBD<br />
<br />
== Hands-on Threat Modeling by Sebastien Deleersnyder ==<br />
<br />
This is a 1 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops include real live Use Cases. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:<br />
* B2B web and mobile applications, sharing the same REST backend<br />
* An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
<br />
Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.<br />
<br />
Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. Threat modeling also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.<br />
<br />
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications and databases. The students should bring their own laptop to the course.<br />
<br />
==== Course topics (1 day) ====<br />
<br />
Threat modeling introduction<br />
*Threat modeling in a secure development lifecycle<br />
*What is threat modeling<br />
*Why threat modeling?<br />
*Threat modeling stages<br />
*Diagrams<br />
*Identify threats<br />
*Addressing threats<br />
*Document a threat model<br />
Diagrams ā what are you building?<br />
*Understanding context<br />
*Doomsday scenarios<br />
*Data flow diagrams<br />
*Trust Boundaries<br />
*'''Hands-on: diagram B2B web and mobile applications, sharing the same REST backend'''<br />
Identifying threats ā what can go wrong?<br />
*STRIDE introduction<br />
*Spoofing threats<br />
*Tampering threats<br />
*Repudiation threats<br />
*Information disclosure threats<br />
*Denial of service threats<br />
*Elevation of privilege threats<br />
*'''Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service'''<br />
Addressing each threat<br />
*Mitigation patterns<br />
*Authentication: mitigating spoofing<br />
*Integrity: mitigating tampering<br />
*Non-repudiation: mitigating repudiation<br />
*Confidentiality: mitigating information disclosure<br />
*Availability: mitigating denial of service<br />
*Authorization: mitigating elevation of privilege<br />
Threat modeling tools<br />
*General tools<br />
*Open-Source tools<br />
*Commercial tools<br />
<br />
The course students receive the following package as part of the course:<br />
*Hand-outs of the presentations<br />
*Work sheets of the use cases,<br />
*Detailed solution descriptions of the use cases<br />
*Template to document a threat model<br />
*Template to calculate risk levels of identified threats<br />
The students should bring their own laptop <br />
<br />
==== Threat Modeling ā real life use cases ====<br />
As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.<br />
In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.<br />
The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on:<br />
*B2B web and mobile applications, sharing the same REST backend<br />
*An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
After each hands-on workshop, the results are discussed, and the students receive a documented solution.<br />
<br />
==== Sebastien Deleersnyder ====<br />
Sebastien Deleersnyder, managing partner and application security consultant at [http://www.toreon.com Toreon] will share his practical threat model experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post , Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.<br />
<br />
== Security Shepherd by Mark Denihan ==<br />
TBD<br />
<br />
== O-saft by Achim Hoffman & Torsten Gigler ==<br />
==== Abstract ====<br />
The use of SSL/TLS to protect the transport of data has become very common today. On the other hand it does not work pretty 'out of the box'. Furthermore it has more and more secuirty issues. As a consequence it often does not protect as assumed. It is often difficult to understand, what are the root causes of the issues, and how to detect and <br />
finally avoid or fix them.<br><br />
This training will give a brief introduction to SSL, how it works i. g., what issues are related to the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL/TLS used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure and maintain TLS securely.<br />
<br />
==== Course Topics ==== <br />
The main part of the course will be a hands-on-training showing by example how to check the established TLS/SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. Various tools will be explained. It will be demonstrated how these tools can be used to detect weaknesses in the TLS/SSL connection and such.<br><br />
The explained tools are for example: openssl, sslscan, testssl.sh, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do, and what they cannot. Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:<br />
* checking for ciphers<br />
* checking for special SSL settings<br />
* check multiple servers at a time<br />
* customizing the results<br />
* customizing o-saft itself<br />
* or simple debugging of various SSL connection problems.<br><br />
The purpose of this course is to provide a tool set for checking TLS/SSL to the participants, and teach the participants how and when to use which tool, and why some tools do not provide complete results (e.g. protocols, ciphers). The course is about analysing TLS/SSL from a client-site view. It will not go into the details of fuzzing or even breaking TLS/SSL, or exploiting vulnerabilities. Mostly we will analyse HTTPS, furthermore we will provide some examples for protocols using STARTTLS, too (e.g. SMTP).<br><br />
Additionally it will give system architects, administrator, or operational people, hints how to set-up and configure TLS/SSL in a proper secure way.<br />
<br><br />
<br />
==== Technical requirements ==== <br />
The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:<br />
* openssl (1.0.1e or newer)<br />
* perl (5.8 or newer), on windows system Strawberry perl is recommended<br />
* Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)<br />
* Tcl (8.5) optional, on a windows system ActiveTcl (8.6) is recommended<br />
* python (2.7) optional<br><br />
Optional, for smooth testing, a local SSL-enabled (SSLv2, SSLv3, TLS) web server should be running on the laptop (i.e. OWASP-BWA).<br />
<br><br><br />
<br />
==== Bio's ==== <br />
* Achim Hoffmann ... Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 15 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops. He is author, co-author and maintainer of various papers about web application security at BSI (Germany), OWASP and WASC. He also published some tools (EnDe, EMiR, ReDoS, O-Saft) which aim to make web application security more visible. Achim is owner of sic[!]sec GmbH, Germany, a company that provides information security services. Outside work he is German OWASP Board Member and helps maintaining OWASP's mailing lists.<br />
* Torsten Gigler ... Internernal Security Consultant in a large scale enterprise >15 years (ICT-Infrastructure- and Application Security). He has been volunteering for OWASP since more than 3 years: since 2 years co-developer of O-Saft, contributed to the Transport Layer Protection Cheat Sheet (Cipher Section), project leader 'OWASP Top 10 fĆ¼r Entwickler' / OWASP Top 10 for Developers, contributed to the German translation of OWASP-Top-10 2013, supported the Top_10_2013-Project: Review, Wiki.<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
=== Conferenceday is March 18th ===<br />
<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! width="120pt" | Time<br />
! width="180pt" | Speaker !! Topic<br />
|- <br />
| 08h30 - 09h10<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 09h15 - 10h00 || Julie Gommes || Gamers, You're the new Botnets<br />
|-<br />
| 10h00 - 10h45 || Stefan Burgmair || OWASP Top 10 Privacy Risks <br />
|-<br />
| 10h45 - 11h15 <br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h15 - 12h00 || Erik Poll || LangSec meets State Machines<br />
|-<br />
| 12h00 - 12h45 || Arne Swinnen || The Tales of a Bug Bounty Hunter<br />
|-<br />
| 12h45 - 13h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h45 - 14h30 || Glenn & Riccardo Ten Cate || OWASP Secure Knowledge Framework (SKF)<br />
|-<br />
| 14h30 - 15h15 || University Luxembourg || Mobile Security<br />
|-<br />
| 15h15 - 15h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h45 - 16h30 || Christian Schneider & Alvaro MuƱoz || Serial Killer: Silently Pwning your Java Endpoints<br />
|-<br />
| 16h30 - 17h15 || Michael Hamm || Experiences with Paste-Monitoring<br />
|-<br />
| 17h15 - 17h30 || OWASP Benelux 2015 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br />
<br />
<div id="TBD"></div><br />
<br />
== Talks == <br />
<br />
=== Julie Gommes - Gamers, You're the New Botnets ===<br />
''Abstract:'' Downloading, playing, downloading, playing, downloading, playing, downloading, playing, downloading, playing... that is really funny.<br />
You can try new games every day but the guys who share those games are not just happy and funny people doing that just for pleasure to share "games".<br />
Yeas, they're sharing games, but lot of other Tools they enjoy to play with...<br />
Let's talk about malwares, about botnets, about backdoors and about some computer which can win a "botnet award".<br />
<br><br><br />
''Bio:'' Julie Gommes is a cybersecurity contractor, working in Paris on risk analysis, Security gap analysis, Security in project management, Audit, CISO support. She is also trainer for exposed professionals (journalists, lawyers, HR, employees of NGOs ...). https://fr.linkedin.com/in/juliegommes; Twitter : @JujuSete<br />
<br><br><br />
<br />
=== Stefan Burgmair - OWASP Top 10 Privacy Risks ===<br />
''Abstract:'' There are lively discussions about how to protect personal data especially with the upcoming EU Data Protection Regulation that requires Privacy by Design. But still there was no independent description of privacy risks specifically for web applications available. Thus, companies lack guidance to identify and avoid privacy risks during systems development. Therefore the OWASP Top 10 Privacy Risks project developed a list of the top 10 privacy risks in web applications. The project covers technical and organizational aspects like missing encryption or insufficient transparency and results and practical countermeasures are presented in this session.<br />
<br><br><br />
''Bio:'' Stefan Burgmair is a German security and privacy consultant at msg systems in Munich. He wrote his Master Thesis in information systems and management about the āTop 10 Privacy Risks for Web Applicationsā and continues to deliver key content for the project.<br />
<br><br><br />
<br />
=== Erik Poll - LangSec meets State Machines ===<br />
''Abstract:'' Language-theoretic Security, or LangSec for short, provides<br />
useful insights into the root causes of an important class<br />
security flaws - namely flaws in handling input - and ways to<br />
avoid these. This talk will discuss the core ideas of LangSec and<br />
the relation with security research we have done at over the<br />
years, where we used state machines as a means to systematically<br />
investigate GSM, bank cards, internet banking tokens, and TLS.<br />
<br><br><br />
''Bio:'' Erik Poll is Associate Professor in the Digital Security group of<br />
the Radboud University in Nijmegen. His research interests<br />
include smart cards, security protocols, the security of payment<br />
systems and smart grids, and formal methods that can improve<br />
security by providing a rigorous basis for design, analysis, and<br />
testing.<br />
<br><br><br />
<br />
=== Arne Swinnen - The Tales of a Bug Bounty Hunter ===<br />
''Abstract:'' Bug bounty hunting is the new black! During this technical talk, several interesting vulnerabilities identified in Instagram, the increasingly-popular photo-based social media platform, will be presented.<br><br />
All vulnerabilities were disclosed responsibly via Facebookās Public Bug Bounty program over the course of 2015 and 2016, and will be discussed in detail. Required advanced Mobile Security attack techniques for this Research, such as Binary Modification, Dynamic Hooking and Burp Suite Plugin Development will be covered, among other trickery.<br><br />
The most interesting vulnerabilities were hybrid: Combinations of complementary vulnerabilities in different environments (e.g. Web and Mobile). All identified issuesā root causes will be mapped onto the Software Development Life Cycle (SDLC), to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general Bug Bounty Hunting advice will be shared with the community.<br />
<br><br><br />
''Bio:'' Arne Swinnen is an IT Security Consultant at NVISO, a Belgian Cyber Security Consulting firm. Arne specializes in Application Security and Digital Forensics. He co-organized the first edition of the Cyber Security Challenge Belgium in 2015, a National cyber security competition designed exclusively for Belgian students.<br><br />
Arne was a speaker at Black Hat USA and BruCON in 2014, presenting novel anti-virus detection and evasion techniques (āOne Packer to Rule Them Allā). Since 2015, he is also listed on Facebookās Bug Bounty Half of Fame''.<br><br />
<br><br />
<br />
=== Christian Schneider & Alvaro MuƱoz - Serial Killer: Silently Pwning your Java Endpoints ===<br />
''Abstract:'' In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees. The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the applicationās classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application. The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the sessionās start. Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before itās handled by the Java deserialization process.<br />
<br />
''Bio's:'' <br />
* Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, focuses on Java since 1999 and on IT-Security - especially Pentesting - since 2005. He enjoys writing articles about web application security as well as speaks and trains at conferences (OWASP AppSecEU, JAX, WJAX, WebTechCon, DevOpsCon, HackPra, RSA). He blogs at [https://www.Christian-Schneider.net Christian-Schneider.net]<br />
* Alvaro MuƱoz (@pwntester) works as Principal Security Researcher with HPE Security Fortify. He enjoys researching different programming languages and web application frameworks for vulnerabilities and unsafe APIs. Before joining the HPE research team, he worked as an Application Security Consultant helping enterprises to start and improve their application security programs. He blogs at [http://www.pwntester.com pwntester.com]<br />
<br />
=== Michael Hamm - Experiences with Paste-Monitoring ===<br />
''Abstract:'' Paste platforms like Pastebin.com provide the possibility to store and share text online. Often this kind of services are used by programmers but also abused by attackers to present their achievements. CIRCL acts as a fire brigade and monitor several of those paste platforms to early detect potential incidents and help the victims. The findings vary from lists of vulnerable or compromised websites, leaked credentials, database dumps, opportunistic announcements, stolen credit card details and many more. We will present the used techniques, and some key experiences with the findings and introduce the AIL framework - Framework for Analysis of Information Leaks. AIL is designed to analyse unstructured data and identify potential data leaks.<br />
<br />
''Bio:'' Works since 2000 in the field of security and since 2010 as CIRCL Operator.<br />
<br />
<br />
<br />
=== Glenn ten Cate, Riccardo ten Cate -- Security knowledge framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
"Bio:"<br/><br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a developer and penetration tester Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
== Social Event ==<br />
'''Wait for it...'''<br />
<br />
= CTF =<br />
<br />
== Capture the Flag! ==<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux Day and participate in the Capture the Flag event. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
=== Become a sponsor of OWASP BeNeLux ===<br />
<br />
== Donate to OWASP BeNeLux ==<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
== Promotion ==<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2016!'''<br />
<!--<br />
Free your agenda on the 26th and 27th of November, 2015.<br />
--><br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 150 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2016&diff=208551
BeNeLux OWASP Day 2016
2016-02-12T06:33:46Z
<p>Riiecco: /* Glenn ten Cate, Riccardo ten Cate -- Security knowledge framework */</p>
<hr />
<div><center>[[Image:OWASP BeNeLux 2015.png|center|512px]]<br></center><br />
<br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Information =<br />
<br />
== OWASP BeNeLux Announcement ==<br />
We are proud to announce the dates of the next edition of BeNeLux OWASP Day!<br />
The event will take place on <span style="color:#ff0000">17 and 18 March 2016</span>, in Belval Campus, in Esch-sur-Alzette - Luxembourg.<br />
More information on the venue can be found {{#switchtablink:Venue|here}}.<br />
<br><br />
{{#switchtablink:Registration| Don't wait and register now!}}<br />
<br />
<!--<br />
== News ==<br />
* <br />
* <br />
<br><br />
<br />
== Confirmed trainers for Trainingday ==<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
--><br />
<br />
== Confirmed speakers Conference ==<br />
{{#switchtablink:Conferenceday| <p><br />
* Julie Gommes<br />
* Stefan Burgmair (OWASP Germany) <br />
* Erik Poll (Radboud University)<br />
* Arne Swinnen (Nviso)<br />
* Glenn & Riccardo Ten Cate<br />
* Christian Schneider & Alvaro MuƱoz (HPE)<br />
* Michael Hamm (CIRCL - Computer Incident Response Center Luxembourg)<br />
}}<br />
<br><br />
<br />
== The OWASP BeNeLux Program Committee ==<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch, OWASP Netherlands<br />
*Jocelyn Aubert, OWASP Luxembourg<br />
<br><br />
<br />
== Tweet! ==<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl16 #owaspbnl16]<br />
<br><br><br />
== Donate to OWASP BeNeLux ==<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
== OWASP BeNeLux training day and conference are free, but registration is required! ==<br />
<br />
Register today at https://owasp-benelux-day-2016.eventbrite.com . We only have a limited number of seats available for our trainings and conference. First come, first serve!<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
== Venue is ==<br />
<br />
'''University of Luxembourg'''<br/><br />
'''Maison du Savoir'''<br/><br />
''2, avenue de l'UniversitƩ<br/><br />
L-4365 Esch-sur-Alzette''<br />
<br />
=== How to reach the venue? ===<br />
<br />
==== By car ====<br />
Check the [https://goo.gl/maps/d8lTe Belval Campus map] - available on google maps - for route information.<br />
<br />
Outdoor parking areas and underground car parks are available throughout the campus, particularly [http://www.cfl.lu/espaces/voyageurs/en/gares-et-services/auto-moto-v%C3%A9lo/p-r-belval-universit%C3%A9-1-622-places-%C3%A0-votre-disposition P+R Belval UniversitƩ], or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Square Mile parking] or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Belval Plaza].<br />
<br />
==== By train ====<br />
Trains departing every 15 minutes from Luxembourg Central Station are direct to "Belval-UniversitĆ©" - line is connection-free via Esch-sur-Alzette. Get information on train schedules on the [http://www.cfl.lu/en CFLās website].<br />
<br />
When on site, access to buildings is easy on foot.<br />
<br />
=== Hotel nearby ===<br />
[http://www.accorhotels.com/fr/hotel-7071-ibis-esch-belval/index.shtml Hotel Ibis Esch-Belval]<br/><br />
12, avenue du Rock'n'Roll<br/><br />
L-4361 Esch-sur-Alzette, Luxembourg<br/><br />
From 81 EUR per night<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
=== Trainingday is March 17th ===<br />
<br />
== Location ==<br />
The training venue is at the same location as the {{#switchtablink:Venue|conference venue}}.<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | Application Security Primer by Martin Knobloch<br />
| rowspan="7" style="width:100px;" | Hands-on Threat Modeling by Sebastien Deleersnyder<br />
| rowspan="7" style="width:100px;" | Security Shepherd by Mark Denihan<br />
| rowspan="7" style="width:100px;" | O-saft by Achim Hoffman & Torsten Gigler<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
== Application Security Primer by Martin Knobloch ==<br />
TBD<br />
<br />
== Hands-on Threat Modeling by Sebastien Deleersnyder ==<br />
<br />
This is a 1 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops include real live Use Cases. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:<br />
* B2B web and mobile applications, sharing the same REST backend<br />
* An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
<br />
Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.<br />
<br />
Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. Threat modeling also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.<br />
<br />
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications and databases. The students should bring their own laptop to the course.<br />
<br />
==== Course topics (1 day) ====<br />
<br />
Threat modeling introduction<br />
*Threat modeling in a secure development lifecycle<br />
*What is threat modeling<br />
*Why threat modeling?<br />
*Threat modeling stages<br />
*Diagrams<br />
*Identify threats<br />
*Addressing threats<br />
*Document a threat model<br />
Diagrams ā what are you building?<br />
*Understanding context<br />
*Doomsday scenarios<br />
*Data flow diagrams<br />
*Trust Boundaries<br />
*'''Hands-on: diagram B2B web and mobile applications, sharing the same REST backend'''<br />
Identifying threats ā what can go wrong?<br />
*STRIDE introduction<br />
*Spoofing threats<br />
*Tampering threats<br />
*Repudiation threats<br />
*Information disclosure threats<br />
*Denial of service threats<br />
*Elevation of privilege threats<br />
*'''Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service'''<br />
Addressing each threat<br />
*Mitigation patterns<br />
*Authentication: mitigating spoofing<br />
*Integrity: mitigating tampering<br />
*Non-repudiation: mitigating repudiation<br />
*Confidentiality: mitigating information disclosure<br />
*Availability: mitigating denial of service<br />
*Authorization: mitigating elevation of privilege<br />
Threat modeling tools<br />
*General tools<br />
*Open-Source tools<br />
*Commercial tools<br />
<br />
The course students receive the following package as part of the course:<br />
*Hand-outs of the presentations<br />
*Work sheets of the use cases,<br />
*Detailed solution descriptions of the use cases<br />
*Template to document a threat model<br />
*Template to calculate risk levels of identified threats<br />
The students should bring their own laptop <br />
<br />
==== Threat Modeling ā real life use cases ====<br />
As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.<br />
In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.<br />
The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on:<br />
*B2B web and mobile applications, sharing the same REST backend<br />
*An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
After each hands-on workshop, the results are discussed, and the students receive a documented solution.<br />
<br />
==== Sebastien Deleersnyder ====<br />
Sebastien Deleersnyder, managing partner and application security consultant at [http://www.toreon.com Toreon] will share his practical threat model experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post , Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.<br />
<br />
== Security Shepherd by Mark Denihan ==<br />
TBD<br />
<br />
== O-saft by Achim Hoffman & Torsten Gigler ==<br />
==== Abstract ====<br />
The use of SSL/TLS to protect the transport of data has become very common today. On the other hand it does not work pretty 'out of the box'. Furthermore it has more and more secuirty issues. As a consequence it often does not protect as assumed. It is often difficult to understand, what are the root causes of the issues, and how to detect and <br />
finally avoid or fix them.<br><br />
This training will give a brief introduction to SSL, how it works i. g., what issues are related to the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL/TLS used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure and maintain TLS securely.<br />
<br />
==== Course Topics ==== <br />
The main part of the course will be a hands-on-training showing by example how to check the established TLS/SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. Various tools will be explained. It will be demonstrated how these tools can be used to detect weaknesses in the TLS/SSL connection and such.<br><br />
The explained tools are for example: openssl, sslscan, testssl.sh, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do, and what they cannot. Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:<br />
* checking for ciphers<br />
* checking for special SSL settings<br />
* check multiple servers at a time<br />
* customizing the results<br />
* customizing o-saft itself<br />
* or simple debugging of various SSL connection problems.<br><br />
The purpose of this course is to provide a tool set for checking TLS/SSL to the participants, and teach the participants how and when to use which tool, and why some tools do not provide complete results (e.g. protocols, ciphers). The course is about analysing TLS/SSL from a client-site view. It will not go into the details of fuzzing or even breaking TLS/SSL, or exploiting vulnerabilities. Mostly we will analyse HTTPS, furthermore we will provide some examples for protocols using STARTTLS, too (e.g. SMTP).<br><br />
Additionally it will give system architects, administrator, or operational people, hints how to set-up and configure TLS/SSL in a proper secure way.<br />
<br><br />
<br />
==== Technical requirements ==== <br />
The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:<br />
* openssl (1.0.1e or newer)<br />
* perl (5.8 or newer), on windows system Strawberry perl is recommended<br />
* Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)<br />
* Tcl (8.5) optional, on a windows system ActiveTcl (8.6) is recommended<br />
* python (2.7) optional<br><br />
Optional, for smooth testing, a local SSL-enabled (SSLv2, SSLv3, TLS) web server should be running on the laptop (i.e. OWASP-BWA).<br />
<br><br><br />
<br />
==== Bio's ==== <br />
* Achim Hoffmann ... Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 15 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops. He is author, co-author and maintainer of various papers about web application security at BSI (Germany), OWASP and WASC. He also published some tools (EnDe, EMiR, ReDoS, O-Saft) which aim to make web application security more visible. Achim is owner of sic[!]sec GmbH, Germany, a company that provides information security services. Outside work he is German OWASP Board Member and helps maintaining OWASP's mailing lists.<br />
* Torsten Gigler ... Internernal Security Consultant in a large scale enterprise >15 years (ICT-Infrastructure- and Application Security). He has been volunteering for OWASP since more than 3 years: since 2 years co-developer of O-Saft, contributed to the Transport Layer Protection Cheat Sheet (Cipher Section), project leader 'OWASP Top 10 fĆ¼r Entwickler' / OWASP Top 10 for Developers, contributed to the German translation of OWASP-Top-10 2013, supported the Top_10_2013-Project: Review, Wiki.<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
=== Conferenceday is March 18th ===<br />
<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! width="120pt" | Time<br />
! width="180pt" | Speaker !! Topic<br />
|- <br />
| 08h30 - 09h10<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 09h15 - 10h00 || Julie Gommes || Gamers, You're the new Botnets<br />
|-<br />
| 10h00 - 10h45 || Stefan Burgmair || OWASP Top 10 Privacy Risks <br />
|-<br />
| 10h45 - 11h15 <br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h15 - 12h00 || Erik Poll || LangSec meets State Machines<br />
|-<br />
| 12h00 - 12h45 || Arne Swinnen || The Tales of a Bug Bounty Hunter<br />
|-<br />
| 12h45 - 13h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h45 - 14h30 || Glenn & Riccardo Ten Cate || OWASP Secure Knowledge Framework (SKF)<br />
|-<br />
| 14h30 - 15h15 || University Luxembourg || Mobile Security<br />
|-<br />
| 15h15 - 15h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h45 - 16h30 || Christian Schneider & Alvaro MuƱoz || Serial Killer: Silently Pwning your Java Endpoints<br />
|-<br />
| 16h30 - 17h15 || Michael Hamm || Experiences with Paste-Monitoring<br />
|-<br />
| 17h15 - 17h30 || OWASP Benelux 2015 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br />
<br />
<div id="TBD"></div><br />
<br />
== Talks == <br />
<br />
=== Julie Gommes - Gamers, You're the New Botnets ===<br />
''Abstract:'' Downloading, playing, downloading, playing, downloading, playing, downloading, playing, downloading, playing... that is really funny.<br />
You can try new games every day but the guys who share those games are not just happy and funny people doing that just for pleasure to share "games".<br />
Yeas, they're sharing games, but lot of other Tools they enjoy to play with...<br />
Let's talk about malwares, about botnets, about backdoors and about some computer which can win a "botnet award".<br />
<br><br><br />
''Bio:'' Julie Gommes is a cybersecurity contractor, working in Paris on risk analysis, Security gap analysis, Security in project management, Audit, CISO support. She is also trainer for exposed professionals (journalists, lawyers, HR, employees of NGOs ...). https://fr.linkedin.com/in/juliegommes; Twitter : @JujuSete<br />
<br><br><br />
<br />
=== Stefan Burgmair - OWASP Top 10 Privacy Risks ===<br />
''Abstract:'' There are lively discussions about how to protect personal data especially with the upcoming EU Data Protection Regulation that requires Privacy by Design. But still there was no independent description of privacy risks specifically for web applications available. Thus, companies lack guidance to identify and avoid privacy risks during systems development. Therefore the OWASP Top 10 Privacy Risks project developed a list of the top 10 privacy risks in web applications. The project covers technical and organizational aspects like missing encryption or insufficient transparency and results and practical countermeasures are presented in this session.<br />
<br><br><br />
''Bio:'' Stefan Burgmair is a German security and privacy consultant at msg systems in Munich. He wrote his Master Thesis in information systems and management about the āTop 10 Privacy Risks for Web Applicationsā and continues to deliver key content for the project.<br />
<br><br><br />
<br />
=== Erik Poll - LangSec meets State Machines ===<br />
''Abstract:'' Language-theoretic Security, or LangSec for short, provides<br />
useful insights into the root causes of an important class<br />
security flaws - namely flaws in handling input - and ways to<br />
avoid these. This talk will discuss the core ideas of LangSec and<br />
the relation with security research we have done at over the<br />
years, where we used state machines as a means to systematically<br />
investigate GSM, bank cards, internet banking tokens, and TLS.<br />
<br><br><br />
''Bio:'' Erik Poll is Associate Professor in the Digital Security group of<br />
the Radboud University in Nijmegen. His research interests<br />
include smart cards, security protocols, the security of payment<br />
systems and smart grids, and formal methods that can improve<br />
security by providing a rigorous basis for design, analysis, and<br />
testing.<br />
<br><br><br />
<br />
=== Arne Swinnen - The Tales of a Bug Bounty Hunter ===<br />
''Abstract:'' Bug bounty hunting is the new black! During this technical talk, several interesting vulnerabilities identified in Instagram, the increasingly-popular photo-based social media platform, will be presented.<br><br />
All vulnerabilities were disclosed responsibly via Facebookās Public Bug Bounty program over the course of 2015 and 2016, and will be discussed in detail. Required advanced Mobile Security attack techniques for this Research, such as Binary Modification, Dynamic Hooking and Burp Suite Plugin Development will be covered, among other trickery.<br><br />
The most interesting vulnerabilities were hybrid: Combinations of complementary vulnerabilities in different environments (e.g. Web and Mobile). All identified issuesā root causes will be mapped onto the Software Development Life Cycle (SDLC), to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general Bug Bounty Hunting advice will be shared with the community.<br />
<br><br><br />
''Bio:'' Arne Swinnen is an IT Security Consultant at NVISO, a Belgian Cyber Security Consulting firm. Arne specializes in Application Security and Digital Forensics. He co-organized the first edition of the Cyber Security Challenge Belgium in 2015, a National cyber security competition designed exclusively for Belgian students.<br><br />
Arne was a speaker at Black Hat USA and BruCON in 2014, presenting novel anti-virus detection and evasion techniques (āOne Packer to Rule Them Allā). Since 2015, he is also listed on Facebookās Bug Bounty Half of Fame''.<br><br />
<br><br />
<br />
=== Christian Schneider & Alvaro MuƱoz - Serial Killer: Silently Pwning your Java Endpoints ===<br />
''Abstract:'' In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees. The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the applicationās classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application. The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the sessionās start. Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before itās handled by the Java deserialization process.<br />
<br />
''Bio's:'' <br />
* Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, focuses on Java since 1999 and on IT-Security - especially Pentesting - since 2005. He enjoys writing articles about web application security as well as speaks and trains at conferences (OWASP AppSecEU, JAX, WJAX, WebTechCon, DevOpsCon, HackPra, RSA). He blogs at [https://www.Christian-Schneider.net Christian-Schneider.net]<br />
* Alvaro MuƱoz (@pwntester) works as Principal Security Researcher with HPE Security Fortify. He enjoys researching different programming languages and web application frameworks for vulnerabilities and unsafe APIs. Before joining the HPE research team, he worked as an Application Security Consultant helping enterprises to start and improve their application security programs. He blogs at [http://www.pwntester.com pwntester.com]<br />
<br />
=== Michael Hamm - Experiences with Paste-Monitoring ===<br />
''Abstract:'' Paste platforms like Pastebin.com provide the possibility to store and share text online. Often this kind of services are used by programmers but also abused by attackers to present their achievements. CIRCL acts as a fire brigade and monitor several of those paste platforms to early detect potential incidents and help the victims. The findings vary from lists of vulnerable or compromised websites, leaked credentials, database dumps, opportunistic announcements, stolen credit card details and many more. We will present the used techniques, and some key experiences with the findings and introduce the AIL framework - Framework for Analysis of Information Leaks. AIL is designed to analyse unstructured data and identify potential data leaks.<br />
<br />
''Bio:'' Works since 2000 in the field of security and since 2010 as CIRCL Operator.<br />
<br />
<br />
<br />
=== Glenn ten Cate, Riccardo ten Cate -- Security knowledge framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
"Bio:"<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a developer and penetration tester Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
== Social Event ==<br />
'''Wait for it...'''<br />
<br />
= CTF =<br />
<br />
== Capture the Flag! ==<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux Day and participate in the Capture the Flag event. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
=== Become a sponsor of OWASP BeNeLux ===<br />
<br />
== Donate to OWASP BeNeLux ==<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
== Promotion ==<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2016!'''<br />
<!--<br />
Free your agenda on the 26th and 27th of November, 2015.<br />
--><br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 150 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=BeNeLux_OWASP_Day_2016&diff=208550
BeNeLux OWASP Day 2016
2016-02-12T06:33:26Z
<p>Riiecco: /* Talks */</p>
<hr />
<div><center>[[Image:OWASP BeNeLux 2015.png|center|512px]]<br></center><br />
<br />
<br><!-- Header --><br />
<br />
<br />
<!-- First tab --><br />
= Information =<br />
<br />
== OWASP BeNeLux Announcement ==<br />
We are proud to announce the dates of the next edition of BeNeLux OWASP Day!<br />
The event will take place on <span style="color:#ff0000">17 and 18 March 2016</span>, in Belval Campus, in Esch-sur-Alzette - Luxembourg.<br />
More information on the venue can be found {{#switchtablink:Venue|here}}.<br />
<br><br />
{{#switchtablink:Registration| Don't wait and register now!}}<br />
<br />
<!--<br />
== News ==<br />
* <br />
* <br />
<br><br />
<br />
== Confirmed trainers for Trainingday ==<br />
{{#switchtablink:Trainingday| <p><br />
* <br />
* <br />
* <br />
* <br />
}}<br />
<br><br />
--><br />
<br />
== Confirmed speakers Conference ==<br />
{{#switchtablink:Conferenceday| <p><br />
* Julie Gommes<br />
* Stefan Burgmair (OWASP Germany) <br />
* Erik Poll (Radboud University)<br />
* Arne Swinnen (Nviso)<br />
* Glenn & Riccardo Ten Cate<br />
* Christian Schneider & Alvaro MuƱoz (HPE)<br />
* Michael Hamm (CIRCL - Computer Incident Response Center Luxembourg)<br />
}}<br />
<br><br />
<br />
== The OWASP BeNeLux Program Committee ==<br />
*Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium<br />
*Martin Knobloch, OWASP Netherlands<br />
*Jocelyn Aubert, OWASP Luxembourg<br />
<br><br />
<br />
== Tweet! ==<br />
Event tag is [http://twitter.com/#search?q=%23owaspbnl16 #owaspbnl16]<br />
<br><br><br />
== Donate to OWASP BeNeLux ==<br />
[https://co.clickandpledge.com/?wid=72689 Donate]<br />
<br />
<!-- Second tab --><br />
<br />
= Registration =<br />
<br />
== OWASP BeNeLux training day and conference are free, but registration is required! ==<br />
<br />
Register today at https://owasp-benelux-day-2016.eventbrite.com . We only have a limited number of seats available for our trainings and conference. First come, first serve!<br />
<br />
<br><br />
To support the OWASP organisation, consider to become a member, it's only US$50!<br />
<br> <br />
Check out the [[Membership]] page to find out more. <br />
<br><br />
<br />
<br />
<!-- Third tab --><br />
<br />
= Venue =<br />
<br />
== Venue is ==<br />
<br />
'''University of Luxembourg'''<br/><br />
'''Maison du Savoir'''<br/><br />
''2, avenue de l'UniversitƩ<br/><br />
L-4365 Esch-sur-Alzette''<br />
<br />
=== How to reach the venue? ===<br />
<br />
==== By car ====<br />
Check the [https://goo.gl/maps/d8lTe Belval Campus map] - available on google maps - for route information.<br />
<br />
Outdoor parking areas and underground car parks are available throughout the campus, particularly [http://www.cfl.lu/espaces/voyageurs/en/gares-et-services/auto-moto-v%C3%A9lo/p-r-belval-universit%C3%A9-1-622-places-%C3%A0-votre-disposition P+R Belval UniversitƩ], or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Square Mile parking] or [http://umbelval.lu/wp-content/uploads/2015/08/Tarifs-horaires-2015.pdf Belval Plaza].<br />
<br />
==== By train ====<br />
Trains departing every 15 minutes from Luxembourg Central Station are direct to "Belval-UniversitĆ©" - line is connection-free via Esch-sur-Alzette. Get information on train schedules on the [http://www.cfl.lu/en CFLās website].<br />
<br />
When on site, access to buildings is easy on foot.<br />
<br />
=== Hotel nearby ===<br />
[http://www.accorhotels.com/fr/hotel-7071-ibis-esch-belval/index.shtml Hotel Ibis Esch-Belval]<br/><br />
12, avenue du Rock'n'Roll<br/><br />
L-4361 Esch-sur-Alzette, Luxembourg<br/><br />
From 81 EUR per night<br />
<br />
<!-- Fourth tab --><br />
<br />
= Trainingday =<br />
<br />
=== Trainingday is March 17th ===<br />
<br />
== Location ==<br />
The training venue is at the same location as the {{#switchtablink:Venue|conference venue}}.<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! Time !! Description !! Room 1 !! Room 2 !! Room 3 !! Room 4<br />
|-<br />
| 08h30 - 9h30<br />
| colspan="5" style="text-align: center; background: grey; color: white;" | ''Registration''<br />
|-<br />
| 09h30 - 11h00 || Training<br />
| rowspan="7" style="width:100px;" | Application Security Primer by Martin Knobloch<br />
| rowspan="7" style="width:100px;" | Hands-on Threat Modeling by Sebastien Deleersnyder<br />
| rowspan="7" style="width:100px;" | Security Shepherd by Mark Denihan<br />
| rowspan="7" style="width:100px;" | O-saft by Achim Hoffman & Torsten Gigler<br />
|-<br />
| 11h00 - 11h30 || ''Coffee Break''<br />
|-<br />
| 11h30 - 13h00 || Training<br />
|-<br />
| 13h00 - 14h00 || ''Lunch''<br />
|-<br />
| 14h00 - 15h30 || Training<br />
|-<br />
| 15h30 - 16h00 || ''Coffee Break''<br />
|-<br />
| 16h00 - 17h30 || Training<br />
|}<br />
<br />
== Application Security Primer by Martin Knobloch ==<br />
TBD<br />
<br />
== Hands-on Threat Modeling by Sebastien Deleersnyder ==<br />
<br />
This is a 1 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops include real live Use Cases. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:<br />
* B2B web and mobile applications, sharing the same REST backend<br />
* An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
<br />
Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.<br />
<br />
Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. Threat modeling also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.<br />
<br />
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should be familiar with basic knowledge of web and mobile Applications and databases. The students should bring their own laptop to the course.<br />
<br />
==== Course topics (1 day) ====<br />
<br />
Threat modeling introduction<br />
*Threat modeling in a secure development lifecycle<br />
*What is threat modeling<br />
*Why threat modeling?<br />
*Threat modeling stages<br />
*Diagrams<br />
*Identify threats<br />
*Addressing threats<br />
*Document a threat model<br />
Diagrams ā what are you building?<br />
*Understanding context<br />
*Doomsday scenarios<br />
*Data flow diagrams<br />
*Trust Boundaries<br />
*'''Hands-on: diagram B2B web and mobile applications, sharing the same REST backend'''<br />
Identifying threats ā what can go wrong?<br />
*STRIDE introduction<br />
*Spoofing threats<br />
*Tampering threats<br />
*Repudiation threats<br />
*Information disclosure threats<br />
*Denial of service threats<br />
*Elevation of privilege threats<br />
*'''Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service'''<br />
Addressing each threat<br />
*Mitigation patterns<br />
*Authentication: mitigating spoofing<br />
*Integrity: mitigating tampering<br />
*Non-repudiation: mitigating repudiation<br />
*Confidentiality: mitigating information disclosure<br />
*Availability: mitigating denial of service<br />
*Authorization: mitigating elevation of privilege<br />
Threat modeling tools<br />
*General tools<br />
*Open-Source tools<br />
*Commercial tools<br />
<br />
The course students receive the following package as part of the course:<br />
*Hand-outs of the presentations<br />
*Work sheets of the use cases,<br />
*Detailed solution descriptions of the use cases<br />
*Template to document a threat model<br />
*Template to calculate risk levels of identified threats<br />
The students should bring their own laptop <br />
<br />
==== Threat Modeling ā real life use cases ====<br />
As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world.<br />
In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.<br />
The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on:<br />
*B2B web and mobile applications, sharing the same REST backend<br />
*An Internet of Things (IoT) deployment with an on premise gateway and cloud-based secure update service<br />
After each hands-on workshop, the results are discussed, and the students receive a documented solution.<br />
<br />
==== Sebastien Deleersnyder ====<br />
Sebastien Deleersnyder, managing partner and application security consultant at [http://www.toreon.com Toreon] will share his practical threat model experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers including BNP Paribas Fortis, Atos Worldline, KBC, Nationale Nederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post , Flemish Community, Agfa-Gevaert and ING Insurance International. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.<br />
<br />
== Security Shepherd by Mark Denihan ==<br />
TBD<br />
<br />
== O-saft by Achim Hoffman & Torsten Gigler ==<br />
==== Abstract ====<br />
The use of SSL/TLS to protect the transport of data has become very common today. On the other hand it does not work pretty 'out of the box'. Furthermore it has more and more secuirty issues. As a consequence it often does not protect as assumed. It is often difficult to understand, what are the root causes of the issues, and how to detect and <br />
finally avoid or fix them.<br><br />
This training will give a brief introduction to SSL, how it works i. g., what issues are related to the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL/TLS used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure and maintain TLS securely.<br />
<br />
==== Course Topics ==== <br />
The main part of the course will be a hands-on-training showing by example how to check the established TLS/SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. Various tools will be explained. It will be demonstrated how these tools can be used to detect weaknesses in the TLS/SSL connection and such.<br><br />
The explained tools are for example: openssl, sslscan, testssl.sh, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do, and what they cannot. Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:<br />
* checking for ciphers<br />
* checking for special SSL settings<br />
* check multiple servers at a time<br />
* customizing the results<br />
* customizing o-saft itself<br />
* or simple debugging of various SSL connection problems.<br><br />
The purpose of this course is to provide a tool set for checking TLS/SSL to the participants, and teach the participants how and when to use which tool, and why some tools do not provide complete results (e.g. protocols, ciphers). The course is about analysing TLS/SSL from a client-site view. It will not go into the details of fuzzing or even breaking TLS/SSL, or exploiting vulnerabilities. Mostly we will analyse HTTPS, furthermore we will provide some examples for protocols using STARTTLS, too (e.g. SMTP).<br><br />
Additionally it will give system architects, administrator, or operational people, hints how to set-up and configure TLS/SSL in a proper secure way.<br />
<br><br />
<br />
==== Technical requirements ==== <br />
The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:<br />
* openssl (1.0.1e or newer)<br />
* perl (5.8 or newer), on windows system Strawberry perl is recommended<br />
* Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)<br />
* Tcl (8.5) optional, on a windows system ActiveTcl (8.6) is recommended<br />
* python (2.7) optional<br><br />
Optional, for smooth testing, a local SSL-enabled (SSLv2, SSLv3, TLS) web server should be running on the laptop (i.e. OWASP-BWA).<br />
<br><br><br />
<br />
==== Bio's ==== <br />
* Achim Hoffmann ... Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 15 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops. He is author, co-author and maintainer of various papers about web application security at BSI (Germany), OWASP and WASC. He also published some tools (EnDe, EMiR, ReDoS, O-Saft) which aim to make web application security more visible. Achim is owner of sic[!]sec GmbH, Germany, a company that provides information security services. Outside work he is German OWASP Board Member and helps maintaining OWASP's mailing lists.<br />
* Torsten Gigler ... Internernal Security Consultant in a large scale enterprise >15 years (ICT-Infrastructure- and Application Security). He has been volunteering for OWASP since more than 3 years: since 2 years co-developer of O-Saft, contributed to the Transport Layer Protection Cheat Sheet (Cipher Section), project leader 'OWASP Top 10 fĆ¼r Entwickler' / OWASP Top 10 for Developers, contributed to the German translation of OWASP-Top-10 2013, supported the Top_10_2013-Project: Review, Wiki.<br />
<br />
<!-- Fifth tab --><br />
<br />
= Conferenceday =<br />
=== Conferenceday is March 18th ===<br />
<br />
<br />
== Agenda ==<br />
{| class="wikitable"<br />
! width="120pt" | Time<br />
! width="180pt" | Speaker !! Topic<br />
|- <br />
| 08h30 - 09h10<br />
| colspan="2" style="text-align: center; background: grey; color: white" | ''Registration''<br />
|- <br />
| 09h15 - 10h00 || Julie Gommes || Gamers, You're the new Botnets<br />
|-<br />
| 10h00 - 10h45 || Stefan Burgmair || OWASP Top 10 Privacy Risks <br />
|-<br />
| 10h45 - 11h15 <br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Morning Break'' <br />
|-<br />
| 11h15 - 12h00 || Erik Poll || LangSec meets State Machines<br />
|-<br />
| 12h00 - 12h45 || Arne Swinnen || The Tales of a Bug Bounty Hunter<br />
|-<br />
| 12h45 - 13h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Lunch'' <br />
|-<br />
| 13h45 - 14h30 || Glenn & Riccardo Ten Cate || OWASP Secure Knowledge Framework (SKF)<br />
|-<br />
| 14h30 - 15h15 || University Luxembourg || Mobile Security<br />
|-<br />
| 15h15 - 15h45<br />
| colspan="2" style="text-align: center;background: grey; color: white" | ''Break'' <br />
|-<br />
| 15h45 - 16h30 || Christian Schneider & Alvaro MuƱoz || Serial Killer: Silently Pwning your Java Endpoints<br />
|-<br />
| 16h30 - 17h15 || Michael Hamm || Experiences with Paste-Monitoring<br />
|-<br />
| 17h15 - 17h30 || OWASP Benelux 2015 organization || '''Closing Notes'''<br />
|}<br />
<br />
<br />
<br />
<div id="TBD"></div><br />
<br />
== Talks == <br />
<br />
=== Julie Gommes - Gamers, You're the New Botnets ===<br />
''Abstract:'' Downloading, playing, downloading, playing, downloading, playing, downloading, playing, downloading, playing... that is really funny.<br />
You can try new games every day but the guys who share those games are not just happy and funny people doing that just for pleasure to share "games".<br />
Yeas, they're sharing games, but lot of other Tools they enjoy to play with...<br />
Let's talk about malwares, about botnets, about backdoors and about some computer which can win a "botnet award".<br />
<br><br><br />
''Bio:'' Julie Gommes is a cybersecurity contractor, working in Paris on risk analysis, Security gap analysis, Security in project management, Audit, CISO support. She is also trainer for exposed professionals (journalists, lawyers, HR, employees of NGOs ...). https://fr.linkedin.com/in/juliegommes; Twitter : @JujuSete<br />
<br><br><br />
<br />
=== Stefan Burgmair - OWASP Top 10 Privacy Risks ===<br />
''Abstract:'' There are lively discussions about how to protect personal data especially with the upcoming EU Data Protection Regulation that requires Privacy by Design. But still there was no independent description of privacy risks specifically for web applications available. Thus, companies lack guidance to identify and avoid privacy risks during systems development. Therefore the OWASP Top 10 Privacy Risks project developed a list of the top 10 privacy risks in web applications. The project covers technical and organizational aspects like missing encryption or insufficient transparency and results and practical countermeasures are presented in this session.<br />
<br><br><br />
''Bio:'' Stefan Burgmair is a German security and privacy consultant at msg systems in Munich. He wrote his Master Thesis in information systems and management about the āTop 10 Privacy Risks for Web Applicationsā and continues to deliver key content for the project.<br />
<br><br><br />
<br />
=== Erik Poll - LangSec meets State Machines ===<br />
''Abstract:'' Language-theoretic Security, or LangSec for short, provides<br />
useful insights into the root causes of an important class<br />
security flaws - namely flaws in handling input - and ways to<br />
avoid these. This talk will discuss the core ideas of LangSec and<br />
the relation with security research we have done at over the<br />
years, where we used state machines as a means to systematically<br />
investigate GSM, bank cards, internet banking tokens, and TLS.<br />
<br><br><br />
''Bio:'' Erik Poll is Associate Professor in the Digital Security group of<br />
the Radboud University in Nijmegen. His research interests<br />
include smart cards, security protocols, the security of payment<br />
systems and smart grids, and formal methods that can improve<br />
security by providing a rigorous basis for design, analysis, and<br />
testing.<br />
<br><br><br />
<br />
=== Arne Swinnen - The Tales of a Bug Bounty Hunter ===<br />
''Abstract:'' Bug bounty hunting is the new black! During this technical talk, several interesting vulnerabilities identified in Instagram, the increasingly-popular photo-based social media platform, will be presented.<br><br />
All vulnerabilities were disclosed responsibly via Facebookās Public Bug Bounty program over the course of 2015 and 2016, and will be discussed in detail. Required advanced Mobile Security attack techniques for this Research, such as Binary Modification, Dynamic Hooking and Burp Suite Plugin Development will be covered, among other trickery.<br><br />
The most interesting vulnerabilities were hybrid: Combinations of complementary vulnerabilities in different environments (e.g. Web and Mobile). All identified issuesā root causes will be mapped onto the Software Development Life Cycle (SDLC), to analyze where they could have been prevented from materializing. Last but not least, the monetary rewards offered by Facebook for each vulnerability and general Bug Bounty Hunting advice will be shared with the community.<br />
<br><br><br />
''Bio:'' Arne Swinnen is an IT Security Consultant at NVISO, a Belgian Cyber Security Consulting firm. Arne specializes in Application Security and Digital Forensics. He co-organized the first edition of the Cyber Security Challenge Belgium in 2015, a National cyber security competition designed exclusively for Belgian students.<br><br />
Arne was a speaker at Black Hat USA and BruCON in 2014, presenting novel anti-virus detection and evasion techniques (āOne Packer to Rule Them Allā). Since 2015, he is also listed on Facebookās Bug Bounty Half of Fame''.<br><br />
<br><br />
<br />
=== Christian Schneider & Alvaro MuƱoz - Serial Killer: Silently Pwning your Java Endpoints ===<br />
''Abstract:'' In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees. The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the applicationās classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application. The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the sessionās start. Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before itās handled by the Java deserialization process.<br />
<br />
''Bio's:'' <br />
* Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, focuses on Java since 1999 and on IT-Security - especially Pentesting - since 2005. He enjoys writing articles about web application security as well as speaks and trains at conferences (OWASP AppSecEU, JAX, WJAX, WebTechCon, DevOpsCon, HackPra, RSA). He blogs at [https://www.Christian-Schneider.net Christian-Schneider.net]<br />
* Alvaro MuƱoz (@pwntester) works as Principal Security Researcher with HPE Security Fortify. He enjoys researching different programming languages and web application frameworks for vulnerabilities and unsafe APIs. Before joining the HPE research team, he worked as an Application Security Consultant helping enterprises to start and improve their application security programs. He blogs at [http://www.pwntester.com pwntester.com]<br />
<br />
=== Michael Hamm - Experiences with Paste-Monitoring ===<br />
''Abstract:'' Paste platforms like Pastebin.com provide the possibility to store and share text online. Often this kind of services are used by programmers but also abused by attackers to present their achievements. CIRCL acts as a fire brigade and monitor several of those paste platforms to early detect potential incidents and help the victims. The findings vary from lists of vulnerable or compromised websites, leaked credentials, database dumps, opportunistic announcements, stolen credit card details and many more. We will present the used techniques, and some key experiences with the findings and introduce the AIL framework - Framework for Analysis of Information Leaks. AIL is designed to analyse unstructured data and identify potential data leaks.<br />
<br />
''Bio:'' Works since 2000 in the field of security and since 2010 as CIRCL Operator.<br />
<br />
<br />
<br />
=== Glenn ten Cate, Riccardo ten Cate -- Security knowledge framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<br />
"Bio:"<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a developer and penetration tester Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.<br />
<br />
<!-- Sixth tab --><br />
<br />
= Social Event =<br />
<br />
== Social Event ==<br />
'''Wait for it...'''<br />
<br />
= CTF =<br />
<br />
== Capture the Flag! ==<br />
<br />
* Do you like puzzles? <br />
* Do you like challenges? <br />
* Are you a hacker?<br />
<br />
Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux Day and participate in the Capture the Flag event. <br />
<br />
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.<br />
<br />
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools. <br />
<br />
So come, show off your skills, learn new tricks and above all have a good time at the CTF event. <br />
<br />
<br />
<!-- Eighth tab --><br />
<br />
= Sponsor =<br />
<br />
=== Become a sponsor of OWASP BeNeLux ===<br />
<br />
== Donate to OWASP BeNeLux ==<br />
<br />
[https://co.clickandpledge.com/?wid=72689 Sponsor] <br />
<br />
<br />
== Promotion ==<br />
''Feel free to use the text below to promote our event!''<br />
<br />
We invite you to our next OWASP event: the '''BeNeLux OWASP Days 2016!'''<br />
<!--<br />
Free your agenda on the 26th and 27th of November, 2015.<br />
--><br />
The good news: free! No fee!<br />
<br />
The bad news: there are only 150 seats available (first register, first serve)!<br />
<br />
<br />
<!-- Don't remove these two lines! --><br />
__NOTOC__ <br />
<headertabs/><br />
<br />
=== Made possible by our {{#switchtablink:Sponsor|Sponsors}}===<br />
<br />
<br><br />
<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_BeNeLux_Archives]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=208549
Netherlands February 18th, 2016
2016-02-12T06:32:45Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2016 | All OWASP NL Events 2016]]<br />
= February 18th, 2016=<br />
Registration: Now open via [http://www.eventbrite.nl/e/tickets-owasp-netherlands-chapter-meeting-february-18th-2016-20828755368 EventBrite]<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:Johanna Westerdijkplein 75<br />
: 2521EN Den Haag<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a developer and penetration tester Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=207696
OWASP Security Knowledge Framework
2016-01-29T21:16:01Z
<p>Riiecco: /* Contributors */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Security post-development functionality in SKF for verification with the OWASP ASVS<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
<b>Installation guide with Chef:</b><br />
* https://skf.readme.io/docs/installation#section-automated-installation-with-chef<br/><br />
<br />
<b>Installation guide for AWS:</b><br />
* https://skf.readme.io/docs/installation#section-aws-installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* http://www.secureby.design<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add generic Selenium test cases for the pre-development and post-development security controls.<br />
- Add current code examples and refer them in the advices of the pre-development and post-development items.<br />
- Add CWE to checklists<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Explain the SDLC more in-depth on our website and OWASP wiki page.<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
Martin Knobloch<br /><br />
Adam Fisher<br /><br />
Tom wirschell<br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205932
Netherlands February 18th, 2016
2016-01-06T06:38:58Z
<p>Riiecco: /* Glenn en Riccardo Ten Cate */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a developer and penetration tester Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205931
Netherlands February 18th, 2016
2016-01-06T06:37:21Z
<p>Riiecco: /* Glenn en Riccardo Ten Cate */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
Employed as a security engineer at Schuberg Philis in the Netherlands and speaking at multiple security conferences. <br/><br />
His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a penetration tester from the Netherlands employed at The S-Unit, Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205930
Netherlands February 18th, 2016
2016-01-06T06:37:07Z
<p>Riiecco: /* Glenn en Riccardo Ten Cate */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
<b>Glenn</b><br/><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
Employed as a security engineer at Schuberg Philis in the Netherlands and speaking at multiple security conferences. <br/><br />
His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br/><br />
As a penetration tester from the Netherlands employed at The S-Unit, Riccardo specialises in web-application security and<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205929
Netherlands February 18th, 2016
2016-01-06T06:36:32Z
<p>Riiecco: /* Glenn en Riccardo Ten Cate */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
<b>Glenn</b><br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
Employed as a security engineer at Schuberg Philis in the Netherlands and speaking at multiple security conferences. <br/><br />
His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br />
<b>Riccardo</b><br />
As a penetration tester from the Netherlands employed at The S-Unit, Riccardo specialises in web-application security and<br />
<br/><br />
has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205928
Netherlands February 18th, 2016
2016-01-06T06:35:43Z
<p>Riiecco: /* Glenn en Riccardo Ten Cate */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. <br/><br />
Employed as a security engineer at Schuberg Philis in the Netherlands and speaking at multiple security conferences. <br/><br />
His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.<br/><br />
<br />
<br/><br/><br />
<br />
As a penetration tester from the Netherlands employed at The S-Unit Riccardo specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages.</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205927
Netherlands February 18th, 2016
2016-01-06T06:34:13Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>We will be talking about:</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
<li>Introduction to TDD (test driven development)</li><br />
<li>Introduction to Unit testing</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205926
Netherlands February 18th, 2016
2016-01-06T06:30:43Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>In a nutshel</b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205925
Netherlands February 18th, 2016
2016-01-06T06:30:32Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<b>In a nutshel<b><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205924
Netherlands February 18th, 2016
2016-01-06T06:30:02Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<h5>In a nutshel</h5><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205923
Netherlands February 18th, 2016
2016-01-06T06:29:48Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<h4>In a nutshel</h4><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205922
Netherlands February 18th, 2016
2016-01-06T06:29:29Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
<h3>In a nutshel</h3><br />
<ul><br />
<li>Training your developers in writing secure code</li><br />
<li>Security support pre-development (Security by design, early feedback of possible security issues)</li><br />
<li>Security support post-development(Double check your code by means of the OWASP ASVS checklists )</li><br />
<li>Code examples for secure coding</li><br />
</ul><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205921
Netherlands February 18th, 2016
2016-01-06T06:28:13Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br/><br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br/><br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br/><br />
you how to prevent hackers gaining access and running exploits on your application.<br/><br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=Netherlands_February_18th,_2016&diff=205920
Netherlands February 18th, 2016
2016-01-06T06:27:41Z
<p>Riiecco: /* The OWASP Security Knowledge Framework */</p>
<hr />
<div>;[[Netherlands | OWASP Netherland Wiki]] <br />
;[[Netherlands_Previous_Events_2015 | All OWASP NL Events 2015]]<br />
= September 17th, 2015 =<br />
Registration: http://owasp-netherlands-chapter-meeting-201500917.eventbrite.nl<br />
<br />
== Venue ==<br />
;De Haagse Hogeschool<br />
:TBD<br />
<br />
==Programme:==<br />
:18:00 - 18:45 Registration & Pizzas<br />
:18:45 - 19:00 OWASP Netherland and Foundation Updates<br />
:19:00 - 21:00 Het OWASP Security Knowledge Framework (SKF)<br />
:21:00 - 21:30 Networking<br />
<br />
==Presentations==<br />
=== The OWASP Security Knowledge Framework ===<br />
Over 10 years of experience in web application security bundled into a single application. <br />
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. <br />
Use SKF to learn and integrate security by design in your web application.<br />
<br />
SKF is an open source security knowledgebase including manageble projects with checklists and best practice code examples in multiple programming languages showing <br />
you how to prevent hackers gaining access and running exploits on your application.<br />
<br />
==Speakers==<br />
===Glenn en Riccardo Ten Cate===<br />
TBD</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202917
OWASP Security Knowledge Framework
2015-11-01T13:24:25Z
<p>Riiecco: /* Project Online Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Security post-development functionality in SKF for verification with the OWASP ASVS<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* http://www.secureby.design<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202916
OWASP Security Knowledge Framework
2015-11-01T13:24:06Z
<p>Riiecco: /* Project Online Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Security post-development functionality in SKF for verification with the OWASP ASVS<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.secureby.design<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202915
OWASP Security Knowledge Framework
2015-11-01T13:22:54Z
<p>Riiecco: /* OWASP Security Knowledge Framework */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
* Security Requirements OWASP ASVS for development and for third party vendor applications <br />
* Security knowledge reference (Code examples/ Knowledge Base items)<br />
* Security is part of design with the pre-development functionality in SKF<br />
* Security post-development functionality in SKF for verification with the OWASP ASVS<br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202914
OWASP Security Knowledge Framework
2015-11-01T13:21:18Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202913
OWASP Security Knowledge Framework
2015-11-01T13:20:30Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"><img src="http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg" /></div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202912
OWASP Security Knowledge Framework
2015-11-01T13:19:51Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202911
OWASP Security Knowledge Framework
2015-11-01T13:19:36Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:https://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=202910
OWASP Security Knowledge Framework
2015-11-01T13:19:03Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:https://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br><br />
<br />
==Donate==<br />
<paypal>Security Knowledge Framework </paypal><br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=User:Riccardo_ten_Cate&diff=202516
User:Riccardo ten Cate
2015-10-22T19:20:02Z
<p>Riiecco: </p>
<hr />
<div>Penetration tester @ The S-unit from The Netherlands.</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198888
OWASP Security Knowledge Framework
2015-08-11T19:50:09Z
<p>Riiecco: /* Demo video */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video demo ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198887
OWASP Security Knowledge Framework
2015-08-11T19:49:51Z
<p>Riiecco: /* Video Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Demo video ==<br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198886
OWASP Security Knowledge Framework
2015-08-11T19:49:06Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Video Demo ==<br />
<br/><br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198885
OWASP Security Knowledge Framework
2015-08-11T19:47:29Z
<p>Riiecco: /* Video Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Video Demo ==<br />
''''<br/><br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198884
OWASP Security Knowledge Framework
2015-08-11T19:47:20Z
<p>Riiecco: /* Video Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Video Demo ==<br />
''Watch''<br/><br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198883
OWASP Security Knowledge Framework
2015-08-11T19:46:23Z
<p>Riiecco: /* Video Demo */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Video Demo ==<br />
''Video:''<br/><br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=198882
OWASP Security Knowledge Framework
2015-08-11T19:46:07Z
<p>Riiecco: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework==<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.<br />
<br />
The 4 Core usage of SKF:<br />
<br />
- Security Requirements OWASP ASVS for development and for third party vendor applications <br><br />
- Security knowledge reference (Code examples/ Knowledge Base items)<br><br />
- Security is part of design with the pre-development functionality in SKF<br><br />
- Security post-development functionality in SKF for verification with the OWASP ASVS <br><br />
<br />
== Description ==<br />
<br />
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).<br />
<br />
== Why Use The OWASP Security Knowledge Framework? ==<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Video Demo ==<br />
''Video:'''<br/><br />
* https://www.youtube.com/watch?v=ogzCVtI8-qE&feature=youtu.be<br/><br />
<br />
== Project Download ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
== Project Online Demo ==<br />
'''username: admin password: test-skf'''<br/><br />
* https://demo.securityknowledgeframework.org<br/><br />
<br />
'''Project website:'''<br/><br />
* https://www.securityknowledgeframework.org<br/><br />
<br />
== Project OWASP-SKF Pebble ==<br />
'''Released OWASP-SKF Pebble in the Appstore for free'''<br/><br />
* http://apps.getpebble.com/en_US/application/556b65b8389795176b000042<br/><br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
|}<br />
<br />
=Documentation=<br />
<br />
For detailed information, documentation, tutorials and guide's please visit:<br><br />
https://skf.readme.io<br><br />
OR<br><br />
https://www.securityknowledgeframework.org<br><br />
<br />
Slides of workshop DevOpsDays 2015 Amsterdam:<br><br />
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf<br />
<br />
= Roadmap and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: ''' [https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''<br />
<br />
- Add code examples -> relevant knowledge-base items in results<br />
- Add CWE to checklists<br />
- Add user management<br />
- Add Python code examples<br />
- Add Java code examples<br />
- Add Go/Ruby/??? code examples<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Check Travis status if build is still working<br />
Open a Pull Request<br />
<br />
One of the authors will check your sample code or knowledge-base item and add it to the master repo.<br />
<br />
= SKF SDLC =<br />
<br />
SKF uses the following services to provide quality over the code and releases.<br />
<br />
== Travis-ci.org:==<br />
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!<br />
SKF Build details:<br />
<br />
https://travis-ci.org/blabla1337/skf-flask<br />
<br />
== Coveralls.io:==<br />
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.<br />
SKF Coveralls details:<br />
<br />
https://coveralls.io/r/blabla1337/skf-flask<br />
<br />
== Scrutinizer-ci.com==<br />
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.<br />
SKF Scrutinizer details:<br />
<br />
https://scrutinizer-ci.com/g/blabla1337/skf-flask/<br />
<br />
== Uptimerobot.com==<br />
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.<br />
<br />
== ssllabs.com & sslbadge.org ==<br />
<br />
ssllabs.org:<br />
Bringing you the best SSL/TLS and PKI testing tools and documentation.<br />
https://www.ssllabs.com/ssltest/analyze.html?d=securityknowledgeframework.org<br />
<br />
sslbadge.org:<br />
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.<br />
<br />
= Contributors =<br />
==Contributors==<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
Roderick Schaefer<br /><br />
Jim Manico<br /><br />
Martijn Gijsberti Hodenpijl<br /><br />
Bithin Alangot<br /><br />
<br />
<br/><br />
Thank you to my colleagues at Schuberg Philis for helping and giving feedback.<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=195107
OWASP Security Knowledge Framework
2015-05-21T09:19:21Z
<p>Riiecco: /* Project Resources */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework Project==<br />
The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training. It's the first step in the Software (AND Security) Development Life Cycle.<br />
<br/><br />
<br/><br />
<br />
==Description==<br />
<br />
It is an expert system web-application that uses OWASP Application Security Verification Standard.<br />
It support developers in pre-development (Security by design)<br />
It support developers after release of code (OWASP Checklist Level 1-3)<br />
Code-examples<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide:</b><br />
* http://skf.readme.io/v1.0/docs/installation<br/><br />
<br />
'''Video tutorials:'''<br/><br />
Pre development stage:<br/><br />
* https://youtu.be/wETuGtaCCfc<br />
Post development stage:<br/><br />
* https://youtu.be/ntmiLNH_ECI<br />
Knowledge base:<br/><br />
* https://youtu.be/p1bQQmLY7CA<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
<span style="color:black;"><br />
'''[24-03-2015:]''' <br/> First Stable release of the Security Knowledge Framework! Easy install with: pip install owasp-skf Check out the Github page for more details. Unix and Windows support<br />
</span><br />
<br/><br/><br />
<span style="color:black;"><br />
'''[17-03-2015:]''' <br/> First Alpha release of the Security Knowledge Framework!<br />
</span><br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
For documentation, tutorials and guide's please visit:<br />
http://www.securityknowledgeframework.com,<br />
for more detailed information.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
<br/><br />
Allot of colleagues at Schuberg Philis for helping and giving feedback.<br/><br />
Thank you guys, let's make it more Awesome!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: [https://waffle.io/blabla1337/skf-flask Online Scrum Board]<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Open a Pull Request<br />
<br />
One of the authors will check your code example or knowledge-base item and add it to the master repo<br />
<br />
=Minimum Viable Product=<br />
<br />
We already had allot of the content and experience with the expert system that we created in the PoC version build with PHP.<br/><br />
The goal is to deliver an web-application that is easy to set-up and can run on different OS.<br><br />
For this we chosen the [http://flask.pocoo.org/ Python Flask], this runs both on Windows as Linux and is easy to install.<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=195106
OWASP Security Knowledge Framework
2015-05-21T09:18:44Z
<p>Riiecco: /* Project Resources */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework Project==<br />
The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training. It's the first step in the Software (AND Security) Development Life Cycle.<br />
<br/><br />
<br/><br />
<br />
==Description==<br />
<br />
It is an expert system web-application that uses OWASP Application Security Verification Standard.<br />
It support developers in pre-development (Security by design)<br />
It support developers after release of code (OWASP Checklist Level 1-3)<br />
Code-examples<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide and extended documentation:</b><br />
* http://skf.readme.io/<br/><br />
<br />
'''Video tutorials:'''<br/><br />
Pre development stage:<br/><br />
* https://youtu.be/wETuGtaCCfc<br />
Post development stage:<br/><br />
* https://youtu.be/ntmiLNH_ECI<br />
Knowledge base:<br/><br />
* https://youtu.be/p1bQQmLY7CA<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
<span style="color:black;"><br />
'''[24-03-2015:]''' <br/> First Stable release of the Security Knowledge Framework! Easy install with: pip install owasp-skf Check out the Github page for more details. Unix and Windows support<br />
</span><br />
<br/><br/><br />
<span style="color:black;"><br />
'''[17-03-2015:]''' <br/> First Alpha release of the Security Knowledge Framework!<br />
</span><br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
For documentation, tutorials and guide's please visit:<br />
http://www.securityknowledgeframework.com,<br />
for more detailed information.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
<br/><br />
Allot of colleagues at Schuberg Philis for helping and giving feedback.<br/><br />
Thank you guys, let's make it more Awesome!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: [https://waffle.io/blabla1337/skf-flask Online Scrum Board]<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Open a Pull Request<br />
<br />
One of the authors will check your code example or knowledge-base item and add it to the master repo<br />
<br />
=Minimum Viable Product=<br />
<br />
We already had allot of the content and experience with the expert system that we created in the PoC version build with PHP.<br/><br />
The goal is to deliver an web-application that is easy to set-up and can run on different OS.<br><br />
For this we chosen the [http://flask.pocoo.org/ Python Flask], this runs both on Windows as Linux and is easy to install.<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=194736
OWASP Security Knowledge Framework
2015-05-11T21:25:36Z
<p>Riiecco: /* Project Resources */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework Project==<br />
The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training. It's the first step in the Software (AND Security) Development Life Cycle.<br />
<br/><br />
<br/><br />
<br />
==Description==<br />
<br />
It is an expert system web-application that uses OWASP Application Security Verification Standard.<br />
It support developers in pre-development (Security by design)<br />
It support developers after release of code (OWASP Checklist Level 1-3)<br />
Code-examples<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
<b>Installation guide</b><br />
* https://github.com/blabla1337/skf-flask/blob/master/README.md<br/><br />
<br />
'''Video tutorials:'''<br/><br />
Pre development stage:<br/><br />
* https://youtu.be/wETuGtaCCfc<br />
Post development stage:<br/><br />
* https://youtu.be/ntmiLNH_ECI<br />
Knowledge base:<br/><br />
* https://youtu.be/p1bQQmLY7CA<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
<span style="color:black;"><br />
'''[24-03-2015:]''' <br/> First Stable release of the Security Knowledge Framework! Easy install with: pip install owasp-skf Check out the Github page for more details. Unix and Windows support<br />
</span><br />
<br/><br/><br />
<span style="color:black;"><br />
'''[17-03-2015:]''' <br/> First Alpha release of the Security Knowledge Framework!<br />
</span><br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
For documentation, tutorials and guide's please visit:<br />
http://www.securityknowledgeframework.com,<br />
for more detailed information.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
<br/><br />
Allot of colleagues at Schuberg Philis for helping and giving feedback.<br/><br />
Thank you guys, let's make it more Awesome!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: [https://waffle.io/blabla1337/skf-flask Online Scrum Board]<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Open a Pull Request<br />
<br />
One of the authors will check your code example or knowledge-base item and add it to the master repo<br />
<br />
=Minimum Viable Product=<br />
<br />
We already had allot of the content and experience with the expert system that we created in the PoC version build with PHP.<br/><br />
The goal is to deliver an web-application that is easy to set-up and can run on different OS.<br><br />
For this we chosen the [http://flask.pocoo.org/ Python Flask], this runs both on Windows as Linux and is easy to install.<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Riiecco
https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&diff=194735
OWASP Security Knowledge Framework
2015-05-11T21:25:06Z
<p>Riiecco: /* Project Resources */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Knowledge Framework Project==<br />
The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training. It's the first step in the Software (AND Security) Development Life Cycle.<br />
<br/><br />
<br/><br />
<br />
==Description==<br />
<br />
It is an expert system web-application that uses OWASP Application Security Verification Standard.<br />
It support developers in pre-development (Security by design)<br />
It support developers after release of code (OWASP Checklist Level 1-3)<br />
Code-examples<br />
<br />
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. <br />
<br />
Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.<br />
<br />
The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. <br />
<br />
The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of<br />
different checklists such as the application security verification standards.<br />
<br />
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.<br />
<br />
==Licensing==<br />
<br />
<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Resources ==<br />
'''Github/source-code:'''<br/><br />
* https://github.com/blabla1337/skf-flask<br/><br />
<br />
'''Guide's and tutorials:'''<br/><br />
<br />
<b>Installation guide</b><br />
* https://github.com/blabla1337/skf-flask/blob/master/README.md<br/><br />
* http://www.securityknowledgeframework.org/index.html?#guide<br/><br />
<br />
'''Video tutorials:'''<br/><br />
Pre development stage:<br/><br />
* https://youtu.be/wETuGtaCCfc<br />
Post development stage:<br/><br />
* https://youtu.be/ntmiLNH_ECI<br />
Knowledge base:<br/><br />
* https://youtu.be/p1bQQmLY7CA<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
<br />
== Project Leaders ==<br />
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/><br />
[mailto:r.tencate77@gmail.com Riccardo ten Cate]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
<span style="color:black;"><br />
'''[24-03-2015:]''' <br/> First Stable release of the Security Knowledge Framework! Easy install with: pip install owasp-skf Check out the Github page for more details. Unix and Windows support<br />
</span><br />
<br/><br/><br />
<span style="color:black;"><br />
'''[17-03-2015:]''' <br/> First Alpha release of the Security Knowledge Framework!<br />
</span><br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
For documentation, tutorials and guide's please visit:<br />
http://www.securityknowledgeframework.com,<br />
for more detailed information.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
<br />
Glenn ten Cate<br/><br />
Riccardo ten Cate<br/><br />
Alexander Kaasjager<br/><br />
John Haley<br /><br />
Daniel Paulus<br /><br />
Erik de Kuijper<br /><br />
<br/><br />
Allot of colleagues at Schuberg Philis for helping and giving feedback.<br/><br />
Thank you guys, let's make it more Awesome!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
==Roadmap==<br />
<br />
Check out the: [https://waffle.io/blabla1337/skf-flask Online Scrum Board]<br />
<br />
==Getting Involved==<br />
<br />
Submitting a Pull Request on Guthub:<br />
<br />
Fork it.<br />
Create a branch (git checkout -b my_markup)<br />
Commit your changes (git commit -am "Added Snarkdown")<br />
Push to the branch (git push origin my_markup)<br />
Open a Pull Request<br />
<br />
One of the authors will check your code example or knowledge-base item and add it to the master repo<br />
<br />
=Minimum Viable Product=<br />
<br />
We already had allot of the content and experience with the expert system that we created in the PoC version build with PHP.<br/><br />
The goal is to deliver an web-application that is easy to set-up and can run on different OS.<br><br />
For this we chosen the [http://flask.pocoo.org/ Python Flask], this runs both on Windows as Linux and is easy to install.<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Riiecco