This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Security Knowledge Framework
OWASP Security Knowledge FrameworkThe OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. The 4 Core usage of SKF:
DescriptionThe OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3). Why Use The OWASP Security Knowledge Framework?Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers. Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design. The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of different checklists such as the application security verification standards. By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner. LicensingThis program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Donate
|
Project DownloadGithub/source-code: Installation guide: Project Online Demousername: admin password: test-skf Project website: Related Projects
Project LeadersGlenn ten Cate Classifications |
For detailed information, documentation, tutorials and guide's please visit:
https://skf.readme.io
OR
https://www.securityknowledgeframework.org
Slides of workshop DevOpsDays 2015 Amsterdam:
https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf
Next major release features
- Implement the MASVS Knowledge base items in the OWASP-SKF project
- Implement MASVS process flow under the new project section
- Implement dynamic checklist creation for custom checklists to process flow under the new project section
- Add CWE to Knowledge base items
- Add how to pentest section per Knowledge base item (OWASP-Testing Guide)
- Add internationalist feature to SKF for supporting multiple human languages
- Market and brand the new AI chat-bot implementation
- Add dynamic questionnaire creation that links questions to security requirements
Check out the detailed roadmap here:
Getting Involved
Submitting a Pull Request on Guthub:
Fork it. Create a branch (git checkout -b my_markup) Commit your changes (git commit -am "Added Snarkdown") Push to the branch (git push origin my_markup) Check Travis status if build is still working Open a Pull Request
One of the authors will check your sample code or knowledge-base item and add it to the master repo.
SKF uses the following services to provide quality over the code and releases.
CI-Pipeline
Travis-ci.org:
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes! SKF Build details:
https://travis-ci.org/blabla1337/skf-flask
Coveralls.io Python:
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite. SKF Coveralls details:
https://coveralls.io/r/blabla1337/skf-flask
codecov.io for Angular:
Code coverage done right. Highly integrated with GitHub, Bitbucket and GitLab. SKF codecov details:
https://codecov.io/gh/blabla1337/skf-flask
Scrutinizer-ci.com:
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality. SKF Scrutinizer details:
https://scrutinizer-ci.com/g/blabla1337/skf-flask/
Bithound.io NPM packages:
BitHound provides your Node team with comprehensive and prioritized issues in your code and npm packages. SKF Bithound details:
https://www.bithound.io/github/blabla1337/skf-flask
Requires.io pip packages:
Stay Up-to-date! Stay secure! Requires.io monitors your Python projects dependencies, and notify you whenever any of your dependency is out-of-date. SKF Requires details:
https://requires.io/github/blabla1337/skf-flask/requirements/
Black Duck Security Risk:
Announcing Black Duck CoPilot, a new service helping open source project teams catalog and report on their project's dependencies. SKF Requires details:
https://copilot.blackducksoftware.com/github/groups/blabla1337/locations/skf-flask/public/results
uptimerobot.com:
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.
ssllabs.com & sslbadge.org:
ssllabs.org: Bringing you the best SSL/TLS and PKI testing tools and documentation. sslbadge.org: Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.