OWASP Developer Guide

Security Knowledge Framework

3.3 Security Knowledge Framework

The Security Knowledge Framework (SKF) is an expert system application that uses various open source projects to support development teams and security architects in building secure applications. The Security Knowledge Framework uses the OWASP [Application Security Verification Standard] (ASVS) with code examples to help developers in pre-development and post-development phases and create applications that are secure by design.

Having been an OWASP flagship project for many years the SKF is now no longer within the OWASP organization; and it will continue to be referenced in the OWASP Wayfinder and other OWASP projects because it is a flagship project for any organization.

What is the Security Knowledge Framework?

The SKF is a web application that is available from the github repo. There is a demo version of SKF that is useful for exploring the multiple benefits of the SKF. Note that SKF is in a process of migrating to a new repository so the download link may change.

The SKF provides training and guidance for application security:

  • Requirements organizer
  • Learning courses:
    • Developing Secure Software (LFD121)
    • Understanding the OWASP Top 10 Security Threats (SKF100)
    • Secure Software Development: Implementation (LFD105x)
  • Practice labs
  • Documentation on installing and using the SKF

Why use the SKF for requirements?

The SKF organizes security requirements into various categories that provides a good starting point for application security.

  • API and Web Service
  • Access Control
  • Architecture Design and Threat Modeling
  • Authentication
  • Business Logic
  • Communication
  • Configuration
  • Data Protection
  • Error Handling and Logging
  • Files and Resources
  • Malicious Code
  • Session Management
  • Stored Cryptography
  • Validation Sanitization and Encoding

How to use the SKF for requirements

Visit the requirements tool website and select the relevant requirements from the various categories. Export the selection to the format of your choice (Markdown, spreadsheet CSV or plain text) and use this as a starting point for the application security requirements.

The OWASP Spotlight series provides an overview of the SKF: ‘Project 7 - Security Knowledge Framework (SKF)’.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.