Public | Automated Build

Last pushed: 9 months ago
Short Description
Test build
Full Description

#OWASP Security Knowledge Framework

<br>Project status details:<br>


<br/>
Security Knowledge Framework is an expert system application that uses OWASP Application Security Verification Standard, code examples, helps developers in pre-development and post-development.

##Table of Contents

##<a name="introduction"></a>Introduction

Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simply aren't aware of the risks and dangers which are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design.

The security knowledge framework is here to support developers create secure applications. By analysing processing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

The second stage of the application is validating if the developer properly implemented different types of defence mechanisms by means of checklists with among others the OWASP Application security verification standards.

By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defence mechanisms the developer forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

##<a name="installing"></a>Installing

####Docker

When Docker is available, the fastest way to start using the SKF project is using the pre-built container hosted at Docker hub.

docker run -ti -p 127.0.0.1:443:5443 blabla1337/skf-flask

The application will greet you on:
https://127.0.0.1

This container always has the very latest version from the repository.

####Automated installation with Chef

The easiest way to use the SKF project is using the Chef cookbook that we created.

What is Chef?

Chef is a configuration management and automation platform from Opscode. Chef helps you describe your infrastructure with code. Because your infrastructure is managed with code, it can be automated, tested and reproduced with ease. Check out https://www.chef.io for more information about Chef

For using the SKF chef cookbook you will need to install the 3 software products on your machine/laptop. Those are all free to use.

VirtualBox

Chef Development Kit

Vagrant

When you have installed the above software you are now able to create a VirtualBox image with Vagrant configuration and using Chef to configure the SKF application. The SKF chef cookbook will do this all for you and you only need to follow the steps below on your machine/laptop.

cd ~/
wget https://github.com/blabla1337/owasp-skf-chef/archive/master.zip
unzip master.zip
cd owasp-skf-chef-master
kitchen converge default

Now you have to wait a few minutes and watch the magic happen! ^^
When the Chef run has completed (-----> Kitchen is finished!) the application is ready to use. When you will start the VirtualBox GUI you can see the cookbook created a new VB image that is running and holding the SKF application.

The application will greet you on:
https://192.168.33.118

Below are some useful Kitchen 101 commands.

# All the below commands should be run in the SKF chef directory

# Command for creating the VM with the SKF project
kitchen converge default

# Command for login to the VM with the SKF project
kitchen login default

# Command for detroying the VM with the SKF project
kitchen destroy

AWS installation

A CloudFormation template is provided to make it easy to set up the
Security Knowledge Framework in AWS. For more information consult
the README in the cloudformation directory.

####Ubuntu manual installation

To run SKF you need Python pip and sqlite3 database support.

  On 64-bit platform:
  sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

  On 32-bit platform:
  sudo apt-get install python-pip sqlite3 zlib1g-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

After the prerequisites you can install the Python packages.

  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf

Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:

  python skf.py

####Windows manual installation

Download and install Python 2.7.9

Run below commands in cmd (As Administrator):

  C:\Python27\Scripts\pip.exe install https://github.com/mitsuhiko/flask/tarball/master
  C:\Python27\Scripts\pip.exe install owasp-skf

Now you can start the program by opening the folder and run the skf.py file:

  cd C:\Python27\Lib\site-packages\skf
  C:\Python27\python.exe skf.py

####Mac OSX manual installation

The first step is to install brew

  ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

After installing brew you can now install sqllite3

  brew install python-pip sqlite3

Now we install python pip

  sudo easy_install pip

After the prerequisites you can install the Python packages.

  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf

Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:

  sudo python skf.py

####Ubuntu Apache WSGI Setup (manual installation)

To run the OWASP-SKF as a service (SaaS) you can hook it up to your existing webservers using the WSGI module.

First do the normal owasp-skf installation.
User that is installing this software is foobar, change foobar for your own user

  apt-get install git apache2 libapache2-mod-wsgi
  sudo a2enmod wsgi
  cd /home/foobar
  git clone https://github.com/blabla1337/skf-flask.git

Now disable SSL settings, we want Apache to do this

Edit the file file:
/home/foobar/skf-flask/skf/skf.py

  Change line:
       app.run(host=bindaddr, port=5443, ssl_context='adhoc')
  to:
       app.run(host=bindaddr, port=5443)

Now we can edit the configuration file of Apache

Edit the following file and add this below the virtualHost config for port 80
/etc/apache2/sites-enabled/000-default.conf

  WSGIRestrictStdout Off
  Listen 5443
  <VirtualHost *:5443>

    WSGIDaemonProcess skf user=www-data group=www-data threads=5
    WSGIScriptAlias / /home/foobar/skf-flask/skf/skf.wsgi

    <Directory /home/foobar/skf-flask/skf>
        WSGIProcessGroup skf
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
        Require all granted
    </Directory>

  </VirtualHost>

Now edit the configuration file of WSGI

Edit the following file:
/etc/apache2/mods-enabled/wsgi.conf
Add below inside the if_module of mod_wsgi:

  <FilesMatch ".+\.py$">
    SetHandler wsgi-script
  </FilesMatch>

  # Deny access to compiled binaries
  # You should not serve these to anyone
  <FilesMatch ".+\.py(c|o)$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>

Create the WSGI file so it can be loaded by Apache

Create new skf.py file:
/home/foobar/skf-flask/skf/skf.wsgi

  import sys, os
  sys.path.insert (0,'/home/foobar/skf-flask/skf')
  os.chdir("/home/foobar/skf-flask/skf")
  from skf import app as application

The final step:

  chmod +x /home/foobar/skf-flask/skf/skf.py
  chown -R www-data:www-data /home/foobar/skf-flask
  sudo service apache2 restart

The application can be visited at port http://the_ip_/:5443
Also now you can apply your favourite Apache SSL/TLS settings.

##<a name="usage"></a>Usage

For more detailed information such as user guides and other documentation see:
<br/>

##<a name="development"></a>Development

  1. Fork and clone https://github.com/blabla1337/skf-flask
  2. pip install -r requirements.txt
  3. cd skf && python ./skf.py
  4. Create your changes commit and open a PR from your fork to the master repo

##<a name="scrum"></a>Scrum Board

####Waffle.io:
https://waffle.io/blabla1337/skf-flask

##<a name="testing"></a>Testing

####Travis-ci.org:

Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

####Coveralls.io:

DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

####Scrutinizer-ci.com:

Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

####uptimerobot.com:

Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

####ssllabs.com & sslbadge.org:

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

##<a name="license"></a>License
Copyright (C) 2016 Glenn ten Cate, Riccardo ten Cate

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

####SKF includes the following software:

##<a name="pebble"></a>Pebble OWASP-SKF
We have also created a Pebble application called: OWASP-SKF Pebble, check it out:
http://apps.getpebble.com/en_US/application/556b65b8389795176b000042

##<a name="contributors"></a>Contributors

Docker Pull Command
Owner
bheuvel
Source Repository

Comments (0)