OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard



Tuesday, January 31, 2017


Security Knowledge Framework is an expert system application that uses OWASP Application Security Verification Standard, code examples, helps developers in pre-development and post-development.

Introduction
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simply aren't aware of the risks and dangers which are lurking, waiting to be exploited by hackers.
Because of this we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design.
The security knowledge framework is here to support developers create secure applications. By analysing processing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.
The second stage of the application is validating if the developer properly implemented different types of defence mechanisms by means of checklists with among others the OWASP Application security verification standards.
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defence mechanisms the developer forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

Installing

Docker

When Docker is available, the fastest way to start using the SKF project is using the pre-built container hosted at Docker hub.
docker run -ti -p 127.0.0.1:443:5443 blabla1337/skf-flask
The application will greet you on: https://127.0.0.1
This container always has the very latest version from the repository.

Automated installation with Chef

The easiest way to use the SKF project is using the Chef cookbook that we created.
What is Chef?
Chef is a configuration management and automation platform from Opscode. Chef helps you describe your infrastructure with code. Because your infrastructure is managed with code, it can be automated, tested and reproduced with ease. Check out https://www.chef.io for more information about Chef
For using the SKF chef cookbook you will need to install the 3 software products on your machine/laptop. Those are all free to use.
VirtualBox
Chef Development Kit
Vagrant
When you have installed the above software you are now able to create a VirtualBox image with Vagrant configuration and using Chef to configure the SKF application. The SKF chef cookbook will do this all for you and you only need to follow the steps below on your machine/laptop.
cd ~/
wget https://github.com/blabla1337/owasp-skf-chef/archive/master.zip
unzip master.zip
cd owasp-skf-chef-master
kitchen converge default
Now you have to wait a few minutes and watch the magic happen! ^^ When the Chef run has completed (-----> Kitchen is finished!) the application is ready to use. When you will start the VirtualBox GUI you can see the cookbook created a new VB image that is running and holding the SKF application.
The application will greet you on: https://192.168.33.118
Below are some useful Kitchen 101 commands.
# All the below commands should be run in the SKF chef directory

# Command for creating the VM with the SKF project
kitchen converge default

# Command for login to the VM with the SKF project
kitchen login default

# Command for detroying the VM with the SKF project
kitchen destroy

AWS installation
A CloudFormation template is provided to make it easy to set up the Security Knowledge Framework in AWS. For more information consult the README in the cloudformation directory .

Ubuntu manual installation

To run SKF you need Python pip and sqlite3 database support.
  On 64-bit platform:
  sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

  On 32-bit platform:
  sudo apt-get install python-pip sqlite3 zlib1g-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev
After the prerequisites you can install the Python packages.
  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf
Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:
  python skf.py

Windows manual installation

Download and install Python 2.7.9
Run below commands in cmd (As Administrator):
  C:\Python27\Scripts\pip.exe install https://github.com/mitsuhiko/flask/tarball/master
  C:\Python27\Scripts\pip.exe install owasp-skf
Now you can start the program by opening the folder and run the skf.py file:
  cd C:\Python27\Lib\site-packages\skf
  C:\Python27\python.exe skf.py

Mac OSX manual installation

The first step is to install brew
  ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
After installing brew you can now install sqllite3
  brew install python-pip sqlite3
Now we install python pip
  sudo easy_install pip
After the prerequisites you can install the Python packages.
  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf
Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:
  sudo python skf.py

Ubuntu Apache WSGI Setup (manual installation)

To run the OWASP-SKF as a service (SaaS) you can hook it up to your existing webservers using the WSGI module.
First do the normal owasp-skf installation. User that is installing this software is foobar, change foobar for your own user
  apt-get install git apache2 libapache2-mod-wsgi
  sudo a2enmod wsgi
  cd /home/foobar
  git clone https://github.com/blabla1337/skf-flask.git
Now disable SSL settings, we want Apache to do this
Edit the file file: /home/foobar/skf-flask/skf/skf.py
  Change line:
       app.run(host=bindaddr, port=5443, ssl_context='adhoc')
  to:
       app.run(host=bindaddr, port=5443)
Now we can edit the configuration file of Apache
Edit the following file and add this below the virtualHost config for port 80 /etc/apache2/sites-enabled/000-default.conf
  WSGIRestrictStdout Off
  Listen 5443
  <VirtualHost *:5443>

    WSGIDaemonProcess skf user=www-data group=www-data threads=5
    WSGIScriptAlias / /home/foobar/skf-flask/skf/skf.wsgi

    <Directory /home/foobar/skf-flask/skf>
        WSGIProcessGroup skf
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
        Require all granted
    </Directory>

  </VirtualHost>
Now edit the configuration file of WSGI
Edit the following file: /etc/apache2/mods-enabled/wsgi.conf Add below inside the if_module of mod_wsgi:
  <FilesMatch ".+\.py$">
    SetHandler wsgi-script
  </FilesMatch>

  # Deny access to compiled binaries
  # You should not serve these to anyone
  <FilesMatch ".+\.py(c|o)$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>
Create the WSGI file so it can be loaded by Apache
Create new skf.py file: /home/foobar/skf-flask/skf/skf.wsgi
  import sys, os
  sys.path.insert (0,'/home/foobar/skf-flask/skf')
  os.chdir("/home/foobar/skf-flask/skf")
  from skf import app as application
The final step:
  chmod +x /home/foobar/skf-flask/skf/skf.py
  chown -R www-data:www-data /home/foobar/skf-flask
  sudo service apache2 restart
The application can be visited at port http://the_ip_/:5443 Also now you can apply your favourite Apache SSL/TLS settings.

Usage
For more detailed information such as user guides and other documentation see:


Development
  1. Fork and clone https://github.com/blabla1337/skf-flask
  2. pip install -r requirements.txt
  3. cd skf && python ./skf.py
  4. Create your changes commit and open a PR from your fork to the master repo

Scrum Board

Waffle.io:
https://waffle.io/blabla1337/skf-flask
Throughput Graph

Testing

Travis-ci.org:

Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:
https://travis-ci.org/blabla1337/skf-flask

Coveralls.io:

DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:
https://coveralls.io/r/blabla1337/skf-flask

Scrutinizer-ci.com:

Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:
https://scrutinizer-ci.com/g/blabla1337/skf-flask/

uptimerobot.com:

Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

ssllabs.com & sslbadge.org:

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.
SSL Rating

Contributors




Subscribe via e-mail for updates!