Tuesday, September 4, 2018

OWASP Projects and an Introduction to Security Knowledge Framework

It has been a busy August for OWASP Projects. After AppSec EU, the focus was on getting the project reviews from the event finalized and then on beginning to onboard great new projects. From the AppSec EU event, we promoted two projects to Flagship status: DefectDojo and JuiceShop. In addition to those projects, we have since brought on Amass, Attack Surface Detector, and Vulnerability Management Guide as incubator projects. I encourage you to have a look at all these projects. There are also quite a few projects that are in initial stages but not quite ready to be introduced.
In addition, as recently announced, we promoted the Security Knowledge Framework to Flagship status. As part of an ongoing series highlighting project activities at OWASP, I asked the SKF team to provide some detailed information about their project, which you can read below.
Finally, work on the Services section for projects, as mentioned at AppSec EU, is going on behind the scenes. For those who did not attend the leaders meeting at AppSec EU, the Services section is planned to provide an area where leaders can go to discover various resources that would be useful for their project, including translation, development assistance, technical writing, and other such services.

Harold L. Blankenship
Director, Projects & Technology



Introducing the Security Knowledge Framework!


Why use the Security Knowledge Framework?


In our careers as security professionals, we have encountered a lot of developers making the same mistakes
over and over again. Determined to help them all get their security maturity to the next level, we decided
to build a framework to help them learn. This framework came to be known as the Security Knowledge Framework,
or SKF for short.

We envisioned giving developers the right information without their having to sweep the internet, and
helping them determine the right security requirements for every project and every sprint:
really adding value by serving in-depth information about the requirements, and at the very
least empowering them with the right knowledge and giving them the handles and insight to get going.
Getting their applications secure, by design.

We can see the latest trend in integrating security tooling into CI/CD pipelines. However,
security tooling integrated into your security pipelines will not cover the whole attack surface.
This is because most tooling will not be able to detect more complex attacks,
and most tooling can never understand the full context of the application's functions and logic.

Who can?

The developers of course!

With SKF we can train and teach software developers to become aware of vulnerabilities 
and give them the handles to create resilient and defensible applications.

What is the SKF?

SKF is an open-source security knowledge base, including manageable projects with checklists and
best-practice code examples in multiple programming languages, showing you how to prevent hackers
from gaining access and running exploits on your application.

Over 10 years of experience in web application security bundled into a single framework. 
The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. 
Use SKF to learn and integrate security by design in your web application.

SKF is currently fully focused on integrating the OWASP-ASVS into your software development lifecycle
by selecting the right requirements for your needs as you define technology stacks by means of a
well-thought-through questionnaire.

The security requirements are then correlated to the corresponding knowledge base items and are presented 
together to give more insight about what the requirement means in depth, and how to tackle it during development.


The features so far?

Through dynamic checklists, we generate an easy-to-manage overview of all the different requirements
provided by OWASP-ASVS and OWASP-MASVS. All the requirements in this overview are also
coupled to a knowledge base item, so whenever you are scrolling through the checklists it is easy to get
more context about the different requirements, attack vectors, and implementation criteria.

Aside from the checklists, we created a wizard that provides a small questionnaire to determine the
technology stack that is being used. The framework uses this funnel to deliver a more workable subset
of the checklists.

Requirements are now presented as tickets and can be closed, re-opened, verified or rejected, and keep an
audit trail of all the changes that are being made (also exportable to CSV).

Through this year's GSoC (Google Summer of Code) we managed to build a chatbot client in the API that
is able to understand different intents and give back different knowledge base items and code examples
when asked. This is ideal whenever a developer wants quick information about requirements
or threats. The chatbot now exists as an integration into Gitter but is also available as a stand-alone
cross-platform desktop application.

Where do we want to go to?

Currently, we only support the OWASP-ASVS in the wizard flow of selecting the right security requirements.
From here we want to create the option to implement your own dynamic questionnaires. These
questionnaires can be correlated to OWASP-ASVS, OWASP-MASVS, PCI DSS, or any other checklist
or standard of your choice. Then the SKF becomes specific to your business and tailor-made for your needs.

We also want to include a very extensive testing guide on how to test implementations and vulnerabilities
at a high level. This testing guide will be derived from the online OWASP Testing Guide along with all the different
cheat sheets out there.

Out of the box, SKF will ultimately be delivered with questionnaires for both OWASP-ASVS and OWASP-MASVS,
but as said, it will become fully customizable.


Finally

As with any cool project, greatness and awesomeness can only be achieved by bringing great minds
together, so a big thank you to all who contributed! Therefore we also ask you to test, break, consume,
develop and contribute to the SKF and help us take it to the next level! Together, let us empower each other
to make the web secure, by design!

With kind regards,

The Security Knowledge Framework project team!
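Editor's note: the Python sketch below is an added illustration, not code from the SKF project or the SKF team. It models the workflow the team describes above: a questionnaire funnel that narrows a requirement catalogue to the subset applicable to a given technology stack, each requirement linked to a knowledge base item, and requirements handled as tickets whose state changes (closed, verified, rejected, re-opened) are kept in an audit trail that can be exported to CSV. The requirement IDs, texts, knowledge base paths, questionnaire keys and the allowed ticket transitions are all constructed assumptions for the example; the real SKF serves OWASP ASVS/MASVS items from its own database.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Requirement:
    """One checklist item. IDs and texts used below are constructed placeholders,
    not real OWASP ASVS/MASVS requirements."""
    rid: str
    text: str
    applies_if: dict   # questionnaire answers that must all match for the item to apply
    kb_item: str       # knowledge base item explaining the requirement in depth


# Constructed catalogue (hypothetical IDs and knowledge base paths).
CATALOGUE = (
    Requirement("REQ-SESSION-1", "Regenerate the session identifier after login",
                {}, "kb/session-fixation"),
    Requirement("REQ-JWT-1", "Verify JWT signatures against an allow-list of algorithms",
                {"auth": "jwt"}, "kb/jwt-algorithm-confusion"),
    Requirement("REQ-SQL-1", "Use parameterised queries for all database access",
                {"datastore": "sql"}, "kb/sql-injection"),
    Requirement("REQ-NOSQL-1", "Reject query operators supplied in user input",
                {"datastore": "nosql"}, "kb/nosql-injection"),
    Requirement("REQ-UPLOAD-1", "Store uploaded files outside the web root",
                {"file_upload": True}, "kb/file-upload"),
)


def select_requirements(answers, catalogue=CATALOGUE):
    """The wizard funnel: keep every requirement whose conditions all match the
    questionnaire answers. An item with no conditions applies to every project."""
    return [r for r in catalogue
            if all(answers.get(key) == value for key, value in r.applies_if.items())]


# Assumed workflow: developers close, reviewers verify or reject, anyone can re-open.
TRANSITIONS = {
    "open": {"closed"},
    "closed": {"verified", "rejected", "open"},
    "rejected": {"open"},
    "verified": {"open"},
}


class Ticket:
    """A requirement tracked as a ticket, with an append-only audit trail."""

    def __init__(self, requirement, actor, when=None):
        self.requirement = requirement
        self.state = "open"
        self.history = []
        self._record(actor, "", "open", "ticket created", when)

    def _record(self, actor, old, new, note, when):
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.history.append({"timestamp": stamp, "requirement": self.requirement.rid,
                             "actor": actor, "from": old, "to": new, "note": note})

    def transition(self, new_state, actor, note="", when=None):
        """Move to new_state if the workflow allows it; every accepted move is logged."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.requirement.rid}: cannot go from {self.state} to {new_state}")
        old, self.state = self.state, new_state
        self._record(actor, old, new_state, note, when)


def export_audit_csv(tickets):
    """Flatten the audit trails of all tickets into CSV text."""
    columns = ["timestamp", "requirement", "actor", "from", "to", "note"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for ticket in tickets:
        writer.writerows(ticket.history)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed questionnaire answers: JWT authentication, SQL datastore, no uploads.
    answers = {"auth": "jwt", "datastore": "sql", "file_upload": False}
    selected = select_requirements(answers)
    for r in selected:
        print(f"{r.rid}: {r.text}  (see {r.kb_item})")
    tickets = [Ticket(r, "alice") for r in selected]
    tickets[1].transition("closed", "alice", "implemented with an algorithm allow-list")
    tickets[1].transition("verified", "bob", "reviewed the verification code")
    print(export_audit_csv(tickets))
```

The funnel only ever removes items, so a requirement that carries no conditions (such as the session one) reaches every project; that mirrors the point above that the questionnaire delivers a workable subset rather than a different checklist. The transition table rejects moves the workflow does not allow (a verified ticket cannot jump straight to rejected), and because the history list is only ever appended to, the CSV export is a faithful record of who changed what and when.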


