This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Security Knowledge Framework"

From OWASP
Jump to: navigation, search
(Project Leader)
 
(131 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">http://www.securityknowledgeframework.org/img/banner-wiki-owasp.jpg</div>
 +
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
  
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+
==OWASP Security Knowledge Framework==
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the <i>Secure Software Development Lifecycle</i>.
 +
 
 +
The 4 Core usage of SKF:
  
<span style="color:#ff0000">
+
* Security Requirements OWASP ASVS for development and for third party vendor applications
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
+
* Security knowledge reference (Code examples/ Knowledge Base items)
</span>
+
* Security is part of design with the pre-development functionality in SKF
 +
* Use SKF to gather the right security requirements for your projects
 +
* SKF then gives extensive knowledgebase items that correlates to the security requirements
 +
* Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
 +
* Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.
  
==OWASP Security Knowledge Framework Project==
+
== Description ==
The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training.
 
  
==Description==
+
The <i>OWASP Security Knowledge Framework</i> is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).
  
It is an expert system web-application that uses OWASP Application Security Verification Standard.
+
== Why Use The OWASP Security Knowledge Framework? ==
It support developers in pre-development (Security by design)
 
It support developers after release of code (OWASP Checklist Level 1-3)
 
Code-examples
 
  
 
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.  
 
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.  
Line 35: Line 40:
  
 
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.   
 
This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.   
 +
<br>
 +
 +
==Donate==
 +
{{#widget:PayPal Donation
  
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
|target=_blank
  
== Project Resources ==
+
|budget=OWASP SKF
<span style="color:#ff0000">
 
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.
 
</span>
 
  
 +
}}
  
== Project Leader ==
+
| valign="top" style="padding-left:25px;width:125px;border-right: 1px dotted gray;padding-right:25px;" |
[mailto:glenntencate@gmail.com Glenn ten Cate]<br/>
+
 
[mailto:r.tencate77@gmail.com Riccardo ten Cate]
+
== Project Download ==
 +
'''Github/source-code:'''<br />
 +
* https://github.com/blabla1337/skf-flask<br />
 +
 
 +
<b>Installation guide:</b>
 +
* http://skf.readme.io/v1.0/docs/installation
 +
 
 +
== Project Online Demo ==
 +
'''username: admin password: test-skf'''
 +
* https://demo.securityknowledgeframework.org<br />
 +
 
 +
'''Project website:'''
 +
* http://www.secureby.design
  
 
== Related Projects ==
 
== Related Projects ==
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.
 
</span>
 
  
 +
[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''
 +
 +
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]
 +
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide OWASP Mobile Application Verification Standard Project]
 +
 +
== Project Leaders ==
 +
[mailto:[email protected] Glenn ten Cate]<br />
 +
[mailto:[email protected] Riccardo ten Cate]
  
 
==Classifications==
 
==Classifications==
Line 58: Line 82:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
+
   | rowspan="2" align="center" valign="top" width="50%" | [[File:Mature projects.png|https://www.owasp.org/index.php?title=OWASP_Project_Stages]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]   
+
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]   
 
   |-
 
   |-
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
+
   | colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
 
   |}
 
   |}
  
| valign="top"  style="padding-left:25px;width:200px;" |
+
|}
 +
 
 +
=Documentation=
 +
 
 +
For detailed information, documentation, tutorials and guide's please visit:<br>
 +
https://skf.readme.io<br>
 +
OR<br>
 +
https://www.securityknowledgeframework.org<br>
 +
 
 +
Slides of workshop DevOpsDays 2015 Amsterdam:<br>
 +
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf
  
== News and Events ==
+
= Milestones / Roadmap and Getting Involved =
<span style="color:#ff0000">
 
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.
 
</span>
 
  
|}
+
==Next major release features==
 +
* Implement the MASVS Knowledge base items in the OWASP-SKF project
  
=FAQs=
+
* Implement MASVS process flow under the new project section
 +
* Implement dynamic checklist creation for custom checklists to process flow under the new project section
 +
* Add CWE to Knowledge base items
 +
* Add how to pentest section per Knowledge base item (OWASP-Testing Guide) 
 +
* Add internationalist feature to SKF for supporting multiple human languages 
 +
* Market and brand the new AI chat-bot implementation 
 +
* Add dynamic questionnaire creation that links questions to security requirements 
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
Check out the detailed roadmap here:  
<span style="color:#ff0000">
 
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'
 
</span>
 
  
 +
'''[https://waffle.io/blabla1337/skf-flask Online Scrum Board] '''
  
 +
==Getting Involved==
  
= Acknowledgements =
+
Submitting a Pull Request on Guthub:
==Contributors==
 
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
    Fork it.
<span style="color:#ff0000">
+
    Create a branch (git checkout -b my_markup)
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project.
+
    Commit your changes (git commit -am "Added Snarkdown")
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project.
+
    Push to the branch (git push origin my_markup)
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.
+
    Check Travis status if build is still working
</span>
+
    Open a Pull Request
 +
   
 +
One of the authors will check your sample code or knowledge-base item and add it to the master repo.
  
[mailto:[email protected] Glenn ten Cate]
+
= SKF SDLC =
  
= Road Map and Getting Involved =
+
SKF uses the following services to provide quality over the code and releases.
  
 +
== CI-Pipeline ==
  
 +
=== Travis-ci.org: ===
 +
<code>Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:</code>
 +
<nowiki>https://travis-ci.org/blabla1337/skf-flask</nowiki>
  
==Roadmap==
+
=== Coveralls.io Python: ===
The project is almost ready for the first Official release. In the future we want to do the following things:
+
<code>DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:</code>
 +
<nowiki>https://coveralls.io/r/blabla1337/skf-flask</nowiki>
  
Information/feedback gathering from users
+
=== codecov.io for Angular: ===
Design new layout for improved userbility
+
<code>Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:</code>
Write new code examples
+
<nowiki>https://codecov.io/gh/blabla1337/skf-flask</nowiki>
Write new content for knowledge base
 
Iterate old examples for improvement
 
Hook code examples to knowledge-base items
 
  
==Getting Involved==
+
=== Scrutinizer-ci.com: ===
 +
<code>Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:</code>
 +
<nowiki>https://scrutinizer-ci.com/g/blabla1337/skf-flask/</nowiki>
 +
 
 +
=== Bithound.io NPM packages: ===
 +
<code>BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:</code>
 +
<nowiki>https://www.bithound.io/github/blabla1337/skf-flask</nowiki>
 +
 
 +
=== Requires.io pip packages: ===
 +
<code>Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:</code>
 +
<nowiki>https://requires.io/github/blabla1337/skf-flask/requirements/</nowiki>
  
 +
=== Black Duck Security Risk: ===
 +
<code>Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:</code>
 +
<nowiki>https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results</nowiki>
  
=Minimum Viable Product=
+
=== uptimerobot.com: ===
The goal is to deliver an web-application that is easy to set-up and can run on different OS.
+
<code>Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.</code>
For this we chosen the Python Flask, this runs both on Windows as Linux and is easy to install.
 
  
 +
=== ssllabs.com & sslbadge.org: ===
 +
<code>ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.</code>
  
__NOTOC__ <headertabs />  
+
__NOTOC__ <headertabs></headertabs>  
  
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]
+
[[Category:OWASP Project]]
 +
[[Category:OWASP_Builders]]
 +
[[Category:OWASP_Defenders]]
 +
[[Category:OWASP_Tool]]

Latest revision as of 10:50, 5 September 2018

banner-wiki-owasp.jpg
Flagship big.jpg

OWASP Security Knowledge Framework

The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

  • Security Requirements OWASP ASVS for development and for third party vendor applications
  • Security knowledge reference (Code examples/ Knowledge Base items)
  • Security is part of design with the pre-development functionality in SKF
  • Use SKF to gather the right security requirements for your projects
  • SKF then gives extensive knowledgebase items that correlates to the security requirements
  • Developers can close "tickets" and leave an audit trail to determine possible technical depts or improvements
  • Security specialist can follow the "tickets" and audit trail and verify or Fail closed items and provide feedback.

Description

The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

Why Use The OWASP Security Knowledge Framework?

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Project Download

Github/source-code:

Installation guide:

Project Online Demo

username: admin password: test-skf

Project website:

Related Projects

Asvs-satellite.jpgOWASP Resources

Project Leaders

Glenn ten Cate
Riccardo ten Cate

Classifications

Project Type Files TOOL.jpg
https://www.owasp.org/index.php?title=OWASP_Project_Stages Owasp-builders-small.png
Affero General Public License 3.0

For detailed information, documentation, tutorials and guide's please visit:
https://skf.readme.io
OR
https://www.securityknowledgeframework.org

Slides of workshop DevOpsDays 2015 Amsterdam:
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf

Next major release features

  • Implement the MASVS Knowledge base items in the OWASP-SKF project
  • Implement MASVS process flow under the new project section
  • Implement dynamic checklist creation for custom checklists to process flow under the new project section
  • Add CWE to Knowledge base items
  • Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
  • Add internationalist feature to SKF for supporting multiple human languages
  • Market and brand the new AI chat-bot implementation
  • Add dynamic questionnaire creation that links questions to security requirements

Check out the detailed roadmap here:

Online Scrum Board

Getting Involved

Submitting a Pull Request on Guthub: 

   Fork it.
   Create a branch (git checkout -b my_markup)
   Commit your changes (git commit -am "Added Snarkdown")
   Push to the branch (git push origin my_markup)
   Check Travis status if build is still working
   Open a Pull Request

One of the authors will check your sample code or knowledge-base item and add it to the master repo.

SKF uses the following services to provide quality over the code and releases.

CI-Pipeline

Travis-ci.org:

Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

Coveralls.io Python:

DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

codecov.io for Angular:

Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:

https://codecov.io/gh/blabla1337/skf-flask

Scrutinizer-ci.com:

Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

Bithound.io NPM packages:

BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:

https://www.bithound.io/github/blabla1337/skf-flask

Requires.io pip packages:

Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:

https://requires.io/github/blabla1337/skf-flask/requirements/

Black Duck Security Risk:

Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:

https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results

uptimerobot.com:

Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

ssllabs.com & sslbadge.org:

ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Security_Knowledge_Framework&oldid=243178"