OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard
Security Knowledge Framework is an expert system application that uses OWASP Application Security Verification Standard, code examples, helps developers in pre-development and post-development.
Introduction
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simply aren't aware of the risks and dangers which are lurking, waiting to be exploited by hackers.
Because of this we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design.
The security knowledge framework is here to support developers create secure applications. By analysing processing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.
The second stage of the application is validating if the developer properly implemented different types of defence mechanisms by means of checklists with among others the OWASP Application security verification standards.
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defence mechanisms the developer forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.
Installing
Docker
When Docker is available, the fastest way to start using the SKF project is using the pre-built container hosted at Docker hub.
docker run -ti -p 127.0.0.1:443:5443 blabla1337/skf-flask
The application will greet you on: https://127.0.0.1 This container always has the very latest version from the repository.
Automated installation with Chef
The easiest way to use the SKF project is using the Chef cookbook that we created.
What is Chef?
Chef is a configuration management and automation platform from Opscode. Chef helps you describe your infrastructure with code. Because your infrastructure is managed with code, it can be automated, tested and reproduced with ease. Check out https://www.chef.io for more information about Chef
For using the SKF chef cookbook you will need to install the 3 software products on your machine/laptop. Those are all free to use.
VirtualBox
- VirtualBox is a free to use Virtual Machine that can load images.
- https://www.virtualbox.org/wiki/Downloads
- Chef Development Kit is a free to use tooling for testing and running cookbooks created with chef.
- https://downloads.chef.io/chef-dk/
- Vagrant is has pre-build images ready to use for stable and fast development
- https://www.vagrantup.com/downloads.html
cd ~/
wget https://github.com/blabla1337/owasp-skf-chef/archive/master.zip
unzip master.zip
cd owasp-skf-chef-master
kitchen converge default
The application will greet you on: https://192.168.33.118
Below are some useful Kitchen 101 commands.
# All the below commands should be run in the SKF chef directory
# Command for creating the VM with the SKF project
kitchen converge default
# Command for login to the VM with the SKF project
kitchen login default
# Command for detroying the VM with the SKF project
kitchen destroy
AWS installation
A CloudFormation template is provided to make it easy to set up the Security Knowledge Framework in AWS. For more information consult the README in the
cloudformation
directory . Ubuntu manual installation
To run SKF you need Python pip and sqlite3 database support.
On 64-bit platform:
sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev
On 32-bit platform:
sudo apt-get install python-pip sqlite3 zlib1g-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev
sudo pip install https://github.com/mitsuhiko/flask/tarball/master
sudo pip install owasp-skf
python skf.py
Windows manual installation
Download and install Python 2.7.9
Run below commands in cmd (As Administrator):
C:\Python27\Scripts\pip.exe install https://github.com/mitsuhiko/flask/tarball/master
C:\Python27\Scripts\pip.exe install owasp-skf
Now you can start the program by opening the folder and run the skf.py file: cd C:\Python27\Lib\site-packages\skf
C:\Python27\python.exe skf.py
Mac OSX manual installation
The first step is to install brew
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew install python-pip sqlite3
sudo easy_install pip
sudo pip install https://github.com/mitsuhiko/flask/tarball/master
sudo pip install owasp-skf
sudo python skf.py
Ubuntu Apache WSGI Setup (manual installation)
To run the OWASP-SKF as a service (SaaS) you can hook it up to your existing webservers using the WSGI module.
First do the normal owasp-skf installation. User that is installing this software is foobar, change foobar for your own user
apt-get install git apache2 libapache2-mod-wsgi
sudo a2enmod wsgi
cd /home/foobar
git clone https://github.com/blabla1337/skf-flask.git
Edit the file file: /home/foobar/skf-flask/skf/skf.py
Change line:
app.run(host=bindaddr, port=5443, ssl_context='adhoc')
to:
app.run(host=bindaddr, port=5443)
Edit the following file and add this below the virtualHost config for port 80 /etc/apache2/sites-enabled/000-default.conf
WSGIRestrictStdout Off
Listen 5443
<VirtualHost *:5443>
WSGIDaemonProcess skf user=www-data group=www-data threads=5
WSGIScriptAlias / /home/foobar/skf-flask/skf/skf.wsgi
<Directory /home/foobar/skf-flask/skf>
WSGIProcessGroup skf
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
Require all granted
</Directory>
</VirtualHost>
Edit the following file: /etc/apache2/mods-enabled/wsgi.conf Add below inside the if_module of mod_wsgi:
<FilesMatch ".+\.py$">
SetHandler wsgi-script
</FilesMatch>
# Deny access to compiled binaries
# You should not serve these to anyone
<FilesMatch ".+\.py(c|o)$">
Order Deny,Allow
Deny from all
</FilesMatch>
Create new skf.py file: /home/foobar/skf-flask/skf/skf.wsgi
import sys, os
sys.path.insert (0,'/home/foobar/skf-flask/skf')
os.chdir("/home/foobar/skf-flask/skf")
from skf import app as application
chmod +x /home/foobar/skf-flask/skf/skf.py
chown -R www-data:www-data /home/foobar/skf-flask
sudo service apache2 restart
Usage
For more detailed information such as user guides and other documentation see:
Development
- Fork and clone https://github.com/blabla1337/skf-flask
- pip install -r requirements.txt
- cd skf && python ./skf.py
- Create your changes commit and open a PR from your fork to the master repo
Scrum Board
Waffle.io:
https://waffle.io/blabla1337/skf-flask
Testing
Travis-ci.org:
Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:
https://travis-ci.org/blabla1337/skf-flask Coveralls.io:
DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:
https://coveralls.io/r/blabla1337/skf-flask Scrutinizer-ci.com:
Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:
https://scrutinizer-ci.com/g/blabla1337/skf-flask/ uptimerobot.com:
Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.
ssllabs.com & sslbadge.org:
ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.
sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.
Contributors
- Glenn ten Cate
- Riccardo ten Cate
- Alexander Kaasjager
- John Haley
- Daniel Paulus
- Erik de Kuijper
- Roderick Schaefer
- Jim Manico
- Martijn Gijsberti Hodenpijl
- Bithin Alangot
- Martin Knobloch
- Adam Fisher
- Tom Wirschell
- Joerg Stephan
- Simon Brakhane
- Gerco Grandia
- Ross Nanopoulos
- Bob van den Heuvel
- Mariano
OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard
Reviewed by Zion3R
on
10:30 AM
Rating: