OWASP Security Knowledge Framework

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Security Knowledge Framework Project
The OWASP Security Knowledge Framework Project is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 Core usage of SKF:

- Security Requirements OWASP ASVS for development and for third party vendor applications - Security knowledge reference (Code examples/ Knowledge Base items) - Security is part of design with the pre-development functionality in SKF - Security post-development functionality in SKF for verification with the OWASP ASVS

Description
The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Verification Standard and other resources. It can be used to support developers in pre-development (security by design) as well as after code is released (OWASP ASVS Level 1-3).

Why Use The OWASP Security Knowledge Framework?
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simpy aren't aware of the risks and dangers are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing proccessing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The seccond stage of the application is validating if the developer properly implemented different types of defense mechanisms by means of different checklists such as the application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defense mechanisms he forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

Licensing
This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Project Resources
Github/source-code:
 * https://github.com/blabla1337/skf-flask

Installation guide:
 * http://skf.readme.io/v1.0/docs/installation

Video tutorials: Pre development stage: Post development stage: Knowledge base:
 * https://youtu.be/wETuGtaCCfc
 * https://youtu.be/ntmiLNH_ECI
 * https://youtu.be/p1bQQmLY7CA

Related Projects
OWASP Resources


 * OWASP Application Security Verification Standard Project

Project Leaders
[mailto:glenntencate@gmail.com Glenn ten Cate] [mailto:r.tencate77@gmail.com Riccardo ten Cate]

Classifications

 * valign="top" style="padding-left:25px;width:200px;" |

News and Events
[24-03-2015:] First stable release of the OWASP Security Knowledge Framework! [17-03-2015:] First Alpha release of the Security Knowledge Framework!


 * }

=FAQs=

For documentation, tutorials and guide's please visit: http://www.securityknowledgeframework.com, for more detailed information.

= Acknowledgements =

Contributors
Glenn ten Cate Riccardo ten Cate Alexander Kaasjager John Haley

Daniel Paulus

Erik de Kuijper

Thank you to my colleagues at Schuberg Philis for helping and giving feedback.

= Roadmap and Getting Involved =

Roadmap
Check out the: Online Scrum Board

Getting Involved
Submitting a Pull Request on Guthub:

Fork it. Create a branch (git checkout -b my_markup) Commit your changes (git commit -am "Added Snarkdown") Push to the branch (git push origin my_markup) Open a Pull Request One of the authors will check your sample code or knowledge-base item and add it to the master repo.

=Minimum Viable Product=

We already have a lot of content and experience with the expert system that we created in the PoC version build with PHP. The goal is to deliver a web-application that is easy to set-up and can be run on different platforms. For this we chose the Python Flask framework which runs on many platforms and is easy to install.