
OWASP Security Knowledge Framework: Making the Web Secure by Design

BSides Manchester · 2015 · 1:01:30 · 231 views · Published 2015-10
Category: Technical
Style: Talk
About this talk
Glenn ten Cate presents the OWASP Security Knowledge Framework (SKF), a collaborative project designed to embed security awareness into the development lifecycle from the start. The talk covers how SKF guides developers through secure design patterns, provides centralized security references and code examples, and integrates security verification into continuous integration pipelines—shifting security left rather than treating it as an afterthought.
Original YouTube description: Slides: https://www.owasp.org/images/5/54/Skf-design-workshop.pptx.pdf. The talk will be a mixture of the workshops we have already given and an inspirational presentation. For an example you can check the workshop slides:
Transcript [en]

One quick announcement before we get started: the folks from 415, so if you're interested you can sign up for the reception, they have a list, and I'll be going on afterwards. So next up on this track we have Glenn, who's going to be talking about how we can make the web secure by design and how sharing knowledge can help with everything. Yes, thank you. So welcome everybody, and we're glad to see there are so many people interested in this talk. Yeah, I should mention I'm not that experienced in presenting, so I will do my best here to share the knowledge. So the Security Knowledge Framework is an OWASP project that's being created by me

and my brother Ricardo, who unfortunately couldn't be here today. So yeah, we started this project almost a year ago, because we felt that we really needed to do something about the whole missing information and not sharing, and we wanted to do something about it. I also have an agenda to give an overview of what you will see and go through. So let's just start: why the Security Knowledge Framework? So as I said before, there was a lot of, yeah, missing security by design, so people and developers aren't really aware of all the possible attack vectors that are applicable to an application, and well, they go to the development phase and

get a pen test, and in there you have a lot of findings, then it goes back again, fixing them in the application, and yeah, security is basically then sort of a layer on top; so it is just an afterthought right now, and well, I think it should be done by design, correctly, with the right awareness when creating certain functionality. Also what I'm really missing, what we really see missing, is the defensive coding approach. So every example you will see on the internet, if you really look hard you can get some good examples, but again the defensive coding principle, yeah, it's not in there. Also the security guidance: so yeah, you can have a security requirement

inside your company, but then it's basically per person how they see it, what they know and what type of information they have to follow the correct path on how to properly create the functionality you want. So guidance is also, yeah, missing. And of course, like I mentioned before, the security requirements: a lot of developing parties don't have security requirements, so after they developed the code there is pressure on releasing and getting to the next project, and then they find out that a lot of things need to be fixed that take a lot of time; some of them are structural issues, like [inaudible] or

properly escaping user input. And then of course security is hard: you find a lot of ways on how not to do it, and even the books and examples you will see to teach you how to program will not mention anything about security, and yeah, security is really hard. We think security information should be available for everybody; I mean, this is knowledge that needs to be shared, right? I mean, you know, think about the hack of the database and people committing suicide and about the information that got out there. Yeah, and we need to team up, right? We need to do this together, and when we are doing this and making our

applications defensible and really secure. So that's basically why I really started the whole project, like I said, almost a year ago already, and now it's really in a mature phase; OWASP has adopted it, and yeah, we're speaking about it. And so the interesting thing, I think, is what you will get and learn. So yeah, basically a guide to secure programming: like I said before, do security by design and not implement security afterwards. A big thing is also the security awareness: it will inform you about threats even before you write a single line of code, and that is the specific core functionality inside the Security Knowledge Framework that I will show you later on. So yeah, it will create

awareness with developers, yeah, to know what is possible when dealing with certain functionality. And of course, I think this one is also a very important one: a central place for security reference, because I also found out that when I was looking for good code examples or a good explanation of an attack or mitigation, I had to crawl the whole internet, do an assessment of the code, find out it's bad code, so yet again look further; it was really a time-consuming thing. And the other thing was, yeah, what makes this user on a forum somewhere an authority that I should believe in, that he said the correct thing? It's not really open source or easy to adjust, it's just

a post somewhere on the internet, right? And so that's why we also wanted to create a central place for all your security references in application development, and so yeah, you don't have to google; you find in here the content you are looking for and the code examples. Everything is also available on GitHub, so everybody can see, edit, modify and contribute, and that's why I think this is really also a good thing. But you will also see later on, I have two demos today, so I hope they will be awesome, and yeah, I will also point this stuff out with the software development lifecycle of this

project itself. So the Security Knowledge Framework is a web application with all the content, code examples, threat analysis, checklists for verification, all that, yes, but we also used the same principles we tell in the project itself, so we have fully automated it, like a DevOps way, the continuous integration tooling you have to keep the quality up. But I will go into depth on that later. So first I want to talk about the stages of development. In the Security Knowledge Framework we have two stages of development; we call them the pre-development phase and the post-development phase. The pre-development phase, that is basically when you're in the design phase, so you have a new project or a new sprint and you have, you know, from the

product owner a story on this type of functionality, and you will define it in the development phase. So in here you can basically select the different types of functionality or functionality steps you want to implement or create in the new project or sprint, and the Security Knowledge Framework will correlate those types of functionality to a knowledge base item, and the knowledge base items basically say: hey, this is the description of this item, and with the description we try to explain what the attacker can do when a developer is not properly mitigating this issue or attack vector. So this phase is sort of a threat analysis system where, like I said before, before you even write a

single line of code, the developer is getting aware of all the attack vectors and can take that into consideration in the project and already take the measures and do it by design, like we want. Then, when we have that phase, we also have the post-development phase, and basically this is when you already created code; it's sort of a verification step, the last final check before the developer hands over the code and it goes to manual pen testing etc. And for the checklist we are using the OWASP ASVS, the Application Security Verification Standard. It's a project already dating from 2011 and is used by

military, governments, financial, all kinds of interesting organizations. And why is that? Because, yeah, the name already says it itself: it's really in-depth stuff. The security controls in the checklist are like around 170 items in different categories for the whole stack of your web application, and basically they have different levels in it; that's what I want to talk about now, because, well, you have level one, that's easy, not too hard stuff, but yeah, you need to start somewhere, right? So level one is to start, then level two and three. Well, level three is basically what I always use, because where I work we only work with critical web applications, and so

for us the security requirement in our company would be: everything that is built new or improved is going to use ASVS level 3 as a security requirement, because that's the really in-depth, yeah, shield, and, you know, that makes your application defendable and also very secure, as I will show you later on. So I now talked a little bit about the Security Knowledge Framework, the post- and pre-development phase, knowledge base items, and yeah, I really want to show the framework itself. So basically what I want to do is show it and tell about the functionality, and afterwards I want to give you a complete overview of how I'm basically using this in all

types of companies; think about my own company, giving, you know, guidance and helping the developers there, but also going to our partners and third parties to spend the day there explaining to them how the Security Knowledge Framework works and how to apply it in their organization. And the Security Knowledge Framework was really intended to be for the developer, so it was also created in Python with Flask, a micro web server, script language, stuff like that, so you can run it on your local machine; everything you need is on your local machine. But we are also improving it and making it, yeah, so you can install this service inside your company with user roles management, stuff like that. Um, so I

first want to show you the demo environment. So basically this is the Security Knowledge Framework; as you can see it is just, like I said, a micro web server web application, and in here we can manage and use the Security Knowledge Framework. Before I go into the pre-development phase and post-development phase, I first want to start with the knowledge base items and the code examples, because the knowledge base items are something we heavily depend on and correlate in the pre-development phase and then the post-development phase. And as you can see you can search through the knowledge base items, so if you want, yeah, a specific type of reference,

so you want to know, say, file upload injection: oh yeah, what was it about, what type of things do I need to think about? So basically what you can do is then search the item in the knowledge base, and in here, like I said before, we try to explain the different types of attack vector and what an attacker can do when you're not dealing with this attack vector and you don't have something for it on the code level, and in the solution we then try to, like I said, guide the developer in the right mindset to mitigate and defend against these types of attacks. And so for all the ASVS items we have a knowledge base article in there, and also for all

the pre-development technology stacks you can choose, we also have a knowledge base item for it. So yeah, if I scroll a little bit down, as you can see there are a lot of items in there, like I said, due to the ASVS that has 160 security control items in there. But basically all those items you want to apply and implement in the design phase of your application from the beginning, and to do so we have the pre- and post-development phase. And also a thing you'll notice: I didn't really describe the attack vector in the knowledge base items, like how an attacker would inject this or use this, and we chose to not do that and just to

create a generic type of content and text only, because, like, OWASP has a lot of good examples for that already on the wiki, and for the developer it's just creating awareness of the possibility; he'll be aware, and how to do the attack is documented in other places, but a real reference in one framework where all the knowledge is in, that's nowhere. So that's why we focus on that: just bring the awareness to the developer and give them the right mindset to mitigate the attack vectors. But like I said before, the text is really generic; I mean, that's also the problem I have with a lot of paperwork, it's just paperwork, it's

really hard to use, and again it gives you a sense of awareness, but you all know that when it comes to implementing a type of functionality or a concept or an idea, you still can have big security issues in there. So that's why we also decided to go to the next level, a level deeper, right? So what we did is we created code examples for multiple languages, and I'm currently busy building Python examples; Jim Manico and Martin [inaudible] are building Java examples; we have PHP and .NET already, and we will continue adding new examples, because we think this is also very important: this is really showing the developer on a technical level, in the same language he

speaks, how to properly mitigate it and how to handle it. So again, if I would take here for example the file upload functionality, so a PHP function, or in this case a class, where we do the file upload handling. I don't know if you're all familiar with PHP, but in PHP you can do a file upload in three, four lines of code and then you have the functionality and you can upload your files. But as we all know, if you do it that way, it gives the attacker the possibility to upload his own code, compromise your whole server, and from there go into your network or whatever he wants to do. And then again, look at this code

example, how we really try to do all the steps and explain why we're doing these types of steps. So for example here we do an input validation, and you will see this a lot in all the examples, we always do a good validation, and why we do that: because we want to verify and also trigger and log that in this case the user had an invalid file name, with a medium-level type of attack vector. So if it does go wrong, yeah, you can easily see from the log that this is interesting critical functionality that's not cool. Again, well, we do another log and a redirect, and then, well, if the post is

valid we go through again, we go validating, making sure the wrong extension is prevented, so, you know, the good old double extension trick: so check, is there .jpg in there, oh yeah, this is good, but yeah, if you don't do it right, PHP will also just go through it, right? And so again we have different types of mitigation for this, so in here you see a piece of code that is doing the analysis and checking out the extension, and again, if it's not correct it will log, and also, well, in this case set a high risk score. And in here you see also, when this fails, then we set a counter; in this example, if the counter hits three,

the user session must be terminated; after three session terminations the account should be blocked, since the high threat level will need immediate termination. So basically we're using the threat levels, low, medium, high, and with that we can set higher or lower counters in the Security Knowledge Framework. In this framework, if you try to inject cross-site scripting or SQL injection, after five counters you will be kicked out and the account will be blocked. Of course, blocking accounts can also lead to a denial of service attack, but we chose to implement it this way because then it's really visible also; people trying to hack the application will be kicked out. So again,

what we really try to do in the code examples is really going through step by step: why are you doing this, and how does it work. For example, this is also a very funny one: so if you can remember, on the header redirect, if you don't do this die, then, let me mention here, the rest of the PHP code is still being executed. So if you would print under these lines passwords or whatever, the attacker can still see that, because there is no die after the header redirect, for example. So again, we really try, for every step, to take the developer and give him the right guidance on how to tackle this attack vector. And, you know, the code examples,

the idea is not to copy-paste; we [inaudible] it's all correct, but it's only there for training, right, to get you in the right mindset, and yeah, hopefully you will then implement it yourself and do security by design. Well, we can also pick the .NET version of the upload, and then here you see how we do it in the .NET version. Again the same principles: before you do an action, you log, and before you log, you validate. So here it's validating, checking if it's passing or not; if it does not pass, you're reporting and logging it; after that you log it: hey, I'm going to do this action, and after that then you do the action. And it

sounds really logical, but I've seen a lot of code and a lot of logging, analyzing it and all that, and I saw it happen a lot of times that they first do the action and then they log: hey, this action has been done or triggered or whatever. But there is already a major flaw in it, and it is: when an attacker has a successful attack vector and exploits that type of functionality, and you log the action afterwards, yeah, then there is a chance that you won't see any evidence of the attack if it was successful. So that's why you want to validate, then you want to log, and that's why, yeah, the mindset, the

whole approach of how to do this. So you have the context in the knowledge base, the code examples are for reference, to go in there to check: okay, what are the steps I need to take. And again, the knowledge base items are being used in the pre- and post-development phase, and so that is what I want to show you now. Basically, how would I use this in, well, third parties, customers, other partner companies? I would use it like this: first we need to define the security requirements, because without that, you know, we cannot blame the developer for anything if you don't give them requirements; yeah, this makes sense, right? So first we need to be

concerned about what type of security requirements we should apply. So again, I am a real proactive user of ASVS level 3, because that's for critical applications, really going in depth, and well, basically you make that arrangement, you say: okay, you're going to use and apply level 3, and when we all agreed upon that, then we can continue using the Security Knowledge Framework. And so in here I want to create a project, and it's just a fictional project, so the name doesn't really matter. Now I can select the project, and like I said before, here we have the pre-development phase, where you add the functions, and the post-development phase, but we

already have code. So first I'm going through this one, the pre-development phase. So in here you can see different types of functions you can use that are very common in web applications; there are sort of components, technology stacks, that are very much used in applications. And so what you can do is you can add a new function. So you're in the design phase, you want to create new functionality, and well, so in this sprint we're going to do a user display, a login, something like that; that's a very common use case. So what we now can do is add a function, and the add function pops up a drop-down menu where we can select

the different technologies we're going to use for creating this type of function. And so, because we are going to display users and do a login, we select HTML, because yeah, we're going to use HTML to display the user's name in there; we're going to do forms, and we're going to do sessions. So now you can say add. Oh, so I said something about validating, right? And we are very strict in validating, so I put a plus in there in the application name, and so now it's already flagged, and also the counter went one up, right, like I mentioned before; if it has a

certain threshold, action is taken; we decided, like I said, after six times the whole application drops and logs you out. Of course, if you have a nuclear power plant that would be an issue, but yeah. So let me redo it: so adding the HTML, forms, sessions, and so you get a function summary, as you can see, function, technology, okay, all done, this is what we decided on, this is the functionality we want. And now the Security Knowledge Framework has correlated those types of technology stacks to knowledge base items, so it hooks them up and correlates sort of the threat analysis, making the developer already aware of all the dangers that are

lurking around the corner. And as you can see, for example, when you are dealing with sessions, it's not just only one thing you can do; there is basically a whole design pattern you need to implement, and again, if you don't do one, the whole session management layer is broken; it can be defeated by attackers. So if you forget the HttpOnly flag or the Secure flag, yeah, an attacker is still able to sniff it, steal it, set it himself. So again, in this case it is a pattern that is making the developer aware of all the work and things that he needs to think of. Well, again, for the submitting of forms

it is, after all, the best practice to say: okay, hey, first things first, you have your single user input validation controls and audits in a central place. Then of course the cross-site request forgery tokens; that is the thing, if you don't add it in the beginning, it's a structural issue and it takes a lot of time to implement it later on. Also there is the problem that it's really easy to forget one form, so again, yeah, it should be part of the design. Right, the principle of least privilege, and of course the GET/POST thing: think about which one you will use, because if you're using GET, submitting a password field or whatever, you're losing all that

information in the browser history, in the referer, and all the third-party applications that you hook in, like Google and all the JavaScript stuff, they all see the information that's in the GET. So even the difference between POST and GET is important, and again, yeah, we tried really to guide the developer in the right mindset to make the application really defensible. And again, for HTML, a lot of problems can occur with that: content spoofing, image tag injection, base tag hijacking, [inaudible], text areas; there are so many ways an attacker can go. So like I said before, this is the pre-development phase, so now this is something a developer can click together

and already have the awareness, like: hey, think about this, think about that. And of course, if you have ASVS as a security requirement, you have a very good starting point. But of course, like I said before, implementing that can also be tricky; there are a lot of security controls in there. So if I would, on a Monday morning, go fix those 100 security controls in your application, I will probably forget like 10 or 20 or maybe 30, because it's too much. So that's why I also want to do a verification; this is not enough, this is only awareness training. The idea is, when you use it more often, that you basically can skip the pre-development

phase and all that, and do the post-development phase, the verification step where you go through it; I will show you right now. So when we have this, developers have the document, and I didn't show you that, with all the information and the correlation of the items; it can also be downloaded as a .docx document that you can send to other colleagues or management or whatever. You also have in there what items were applicable or not. And so, like I said, that is the pre-development phase; you didn't write a line of code yet. Now we're in the post-development phase: you wrote your code, it went through your build street, it passed everything, so basically you're

almost ready to deliver it to the next person that you deliver to for your project. But before we do, you want to do a verification: a verification if we have all the security controls in place and we applied all the ASVS levels. As you can see here there is an OWASP Top 10 list in here, but yeah, I call that technical debt, and I also want to make something clear: the OWASP Top 10 is not a security requirement. People call it the security requirement; I should be taught and teach like: no, ASVS, that's a security requirement, the Top 10 is not. So I want to make the difference really clear, because I see a lot in the security

industry they're calling this a security standard, and that isn't; the ASVS, that's the security standard. Like I said before, we have different levels; what I always use is of course level 3. And what we also did is create a custom checklist, and basically this is just a skeleton, so yeah, you don't have to really dive into the technical stuff of the framework and how the Security Knowledge Framework works, but just adding markdown files to the GitHub repo, yeah, in the right folder, it will automatically populate this, and then you can point this one to knowledge base items, but I will also show you that later in the software development lifecycle of the Security Knowledge Framework. And

so we're now in the post-development phase. So I created the code and now I can start this section. So what you will see is a lot of different categories; well, this one, it starts with the authentication verification requirements, where we have different security controls to mitigate, well, issues and the attack vectors on this topic. Also you can see the level, so depending on which level this item is coming from in the OWASP ASVS: level one is sort of the good one, and this is really the level 3 die-hard stuff for really important applications. And again, what we found out, this is a really helpful list, but yeah, I even had issues decrypting it, like: what do you mean,

what do you want to achieve with this item? And again, because we have correlated all those items to a knowledge base, we can also fetch the description of the item and show it to you when you hover over it, so you get a little bit more context about the checklist item that you need to verify that you have implemented. So how I normally, or how I am using this, is basically together with the developer; I am using my security mindset, paranoid, human taint analysis, right? Go sit next to him and I'm asking: okay, did you verify that all pages and resources require authentication? And he will show me in the code, because he has the

context, he's aware of how it's built, and he will show me how he implemented it. Then I will challenge him, saying: hey, did you think about this, did you think about that? Challenging, and if it's a good, you know, good technical answer, it's all good, and then we can just say yes, this one we did, next one, and we go through the whole list. I can already hear you guys think, like: yeah, but it's a lot, I don't want to go through session management, access control, malicious input handling, cryptography at rest, error handling and logging, data protection, communications, HTTP security, malicious controls, business logic, files and resources. I can tell you it takes me,

together, like extreme programming in the good old days, it will take me like a day to do this together with the developer and assess and check all the implementations they did, and then I'm talking about a big web application project where months of work have been put into. So really, by using each other, like I said, I'm using my colleague developer because he has the context of the system, how it's been created, and I challenge him by using this checklist and looking with him and, yeah, challenging. So when you submit the whole list, you can again save the checklist, and it will now correlate all those checklist items, like I said before, to the knowledge base item that is applicable,

yeah, for this one we selected no, no, no, no. So this is a really, really big list, but basically this is the output that the application will give to the developer. So first: verify that all authentication controls fail securely, to ensure attackers cannot log in; all authentication controls must fail securely. So this is a knowledge base item that's, yeah, being correlated now to that checklist item. Well, like I said, this is a really big one, and I wanted to show you all so that you can see it's working.

So I found out that Safari here, when you download it, puts .html at the end of it; I don't know why this is. [inaudible]

Yeah, this one does work; Safari does not.

So yeah, like I said, it will generate the .docx that you can send around with the project, and you get a table of contents of all the items that have been correlated to that security control item. So basically this is, like I said, the first step in your software development lifecycle; I mean, this is like training, getting the information to the developer and making them aware of all the attack vectors. Now I want to go and tell a little bit about the software development lifecycle we use in the Security Knowledge Framework. The Security Knowledge Framework uses a couple of continuous integration services, for example Travis. So yeah, Travis basically, and

well, it does the tests in the continuous integration of GitHub projects; it has a hook, so if you change something on GitHub it will notice, pull in the new source and start building your project. I use Coveralls for displaying my unit testing information in graphs and metrics, very useful, and I use Scrutinizer for a good quality check, so it will check for duplicated code, dead code, all that stuff. Because, like I said before, it's all continuous integration, so if the user would modify something on GitHub, the whole chain will be activated and will go through the whole process, and of course there's also some manual work, right,

and basically, yeah, the code review. So all the code will be read through at first; later on you will only pick the specific high-risk things, like if you want to add a new type of small functionality to the code base, or your password-forget or user management changes something; those are really critical points in your application, and you definitely want to code review that and have the four-eyes principle. Of course you have the SAST, the static application security testing, that analyzes it from the inside out, and the DAST, the dynamic application security testing, well, from a running point of view, a little test. Yeah, and this is what I want to do now, is show

the demo of the Security Knowledge Framework continuous integration. So what will happen, um, so let's see, um, first I want to show you Travis, the code quality and Coveralls. So in here we have the Travis CI, and that is hooked together, so if I now make a change to the GitHub project, it will pull the new source from GitHub and start building the project with the new changes. In here we have an example of the output, and so as you can see it cloned my GitHub project, it installs dependencies, it installs Flask, it installs coverage, it runs the setup and the tests, and that went okay. Then we use the unit test module to

gather and generate the metrics of the unit testing, and when the unit testing has passed, then we call Coveralls and ship the metrics to Coveralls, and Coveralls is also a service and will display your metrics in a very nice way. Also what I really like is, yeah, Coveralls, when somebody is creating or destroying your functionality and it's not working, the coverage will drop because one unit test, of course, will fail, so you have instant feedback; that is a very nice indicator of something that is not good, right? And when Coveralls has successfully been run, then we have the last continuous integration service, and that's Scrutinizer. What Scrutinizer will do, it will see what

type of new functionality is added, and in this case it will also tell you when it got worse. So duplicated code, there I got, like, a 74 again, and with every commit to the GitHub project you can immediately see if the grade is dropping and somebody's messing up, somebody is slacking, right? They don't do a proper job, otherwise the code would improve or be stable, right? And so now I will do a demo, just showing you the whole chain and, yeah, how it is run. So first I'm going to do a normal one, where we just commit, it builds and everything goes OK, because I just added a space to the readme, so that can go

wrong, you'd think. So if we now go back, we can go to Travis, and normally it will pick it up, pull in the source and start building. That's also nice to mention: Travis is fully free to use if you have an open source project. By the way, all the continuous integration services, everything I talked about today, are usable for free by open source projects. So if you want to use it in your company, like Travis, you have to pay for it, but if you have your own open source work you can get it for free, set it up and have all the benefits of it. As you can see here, Travis noticed

the change from GitHub and started a new build job. As you can see here it's already running for 40 seconds and basically it's now installing the whole Security Knowledge Framework, installing the dependencies, all the modules as needed. Well, it takes around twenty, well, two minutes, and then the whole build is complete and it will be "build passing" again. Now it's yellow because it's busy. So yeah, that is basically the happy flow: as you can see, when it's finished it is "build passing", everything is OK. Now I want to do

a failed one. So this will let the build fail because we now have a syntax error. And this one is almost done, and you can also follow the log. And, yeah, all this stuff, you see, is normally manual work, right? You have to: "oh, I made a new release, okay, remove the old one, get the new source, now compile", and then you find out: "oh yeah, but I already installed the module and modified something, and with a new fresh install I don't have the module and the build fails", things like that, right? And now you can automate it all the way and let continuous integration into your build cycle. And we

also modified the other one, so it will see the change we made a few seconds ago, and as you will notice it will then say "build failing", and also on the GitHub project page it will display it, like, "build failed", red: immediately you can see there's something wrong. And the same thing for coverage and the same thing for Scrutinizer. Come on, Travis.

No change, that's good. Ah, here it is, it's almost done.

So as you can see here, the unit testing is now failing: it cannot run the unit tests anymore, error here. If we now go back to the normal project, you can see it's right over here. Okay, well, the image is a little bit slow, but normally it will be red, "failed", and you know immediately that something is wrong. Also a good thing is, when you make a fork of this project and you develop in your own GitHub account, the framework will also still trigger all the Travis CI, the Scrutinizer and the Coveralls. So even if you fork it, the other contributors, the other developers are getting the same continuous integrations, even though it's not, you know, their

GitHub project; it will all see it, it will take it with it. And also when you, yeah, make modifications, you see in your own project, in your own branch, in your own GitHub the "build passing" and all the metrics of that code. Yeah, and then, here is an example of how you would define a Travis file, and basically this is to set up the instructions on how Travis should build your project and run the tests. As you can see, you can also try and do multiple Python versions, to make sure it works with all the versions, also the new ones. And I was hoping... now this is, yep,

"build failing". And so, yeah, let's go back to the... yeah. So to summarize: first, yeah, choose an ASVS level as a security requirement, and if you don't like ASVS you can also pick another one, there's no problem. Well, apply the Security Knowledge Framework in the pre-development phase for awareness. Use, where possible, the continuous integration tools. Don't forget, the plug about the manual SDLC work, because there's always... you know, the tools are helpful and it's good stuff, but still you need to manually interpret it and check it, verify it, and do code reviewing and pen testing. Of course, yeah, apply the Security Knowledge Framework post-development, so, as I mentioned

before, for self-verification. And then you have just created a part of the web securely and directly. And like I said also before, all the services I mentioned in this talk can be used if you have an open source project, so I encourage everybody to use them. And if you want to know how to implement it, there are tutorials and pages, and of course you can have a look at the Security Knowledge Framework, how we set it up. So yeah, again, yeah, getting involved: we really want to share this knowledge, make it even better than it already is. We are also, you know, hooking into the ASVS team to add and fill in there. And yeah, I know that you guys are, well, you

know, experienced people with also knowledge, and yeah, we should share this information, because, yeah, I cannot bear to see any more of all those weak, insecure applications. It's also my data that is in there, not only yours. I see it as a win-win for everybody. Yeah, so, questions? It was a lot of information.
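A minimal Travis file of the kind the speaker describes in the demo (build against several Python versions, install the dependencies, run the unit tests under coverage, then push the metrics to Coveralls so a breaking commit is visible). This is an added example, not the SKF project's own configuration; the requirements.txt file and the tests/ directory are assumed.

```yaml
# Added example, not the SKF project's own .travis.yml.
# Assumes a requirements.txt and a tests/ package with unittest test cases.
language: python

# Build against several interpreter versions, as the talk suggests, so a
# change that only breaks one of them is still caught by the build.
python:
  - "2.7"
  - "3.4"

install:
  # Project dependencies plus the tools that produce the metrics.
  - pip install -r requirements.txt
  - pip install coverage coveralls

script:
  # Run the unit tests under coverage; any failing test fails the job,
  # which is what turns the GitHub badge to "build failing".
  - coverage run -m unittest discover -s tests

after_success:
  # Only reached when the tests pass: upload the coverage data to
  # Coveralls, which shows the drop if a commit breaks existing behaviour.
  - coveralls
```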

So yeah, basically, at first, like a year ago, before we really had the framework, we used the Dutch checklist. It wasn't as extensive as ASVS. Well, there was again an open source type of organization that also wanted to add transparency, and they decided to, yeah, create a checklist on how to properly do it. But yeah, it is a mixture of a lot of experience. Like I said, I started out as a web application developer and, yeah, again I saw a lot of security issues and was really intrigued by it, and picking that up... I was hacking since I was 13, modifying the engine, building aimbots, stuff like

that. So I picked that interest up again and then, after four years, I moved to a security company, being a penetration tester over there for four years, and yeah, now I'm working at Schuberg Philis as a security engineer. Yeah, so, like, I think, like, the ASVS checklist itself, that's of course the work of all of us and all the people that contributed; and with all the knowledge base items, all the code examples, the idea of the pre- and post-development, that is something we created. So yeah, and yeah, it makes it a little bit, like I said, more complex, and even we had issues like that, so for a developer it should really blow his

mind, like when you wanted to use it... Yeah, they were still, yeah, but still out of reach, right? So...

Yes, that's true. So we also have a very extensive readme. Also, like I mentioned before, all services we use are free if you have an open source project. I really love this service because it gives you the opportunity to style it, yeah, just a little bit better; it also has a support function where you can chat and have discussions with people. So, to answer your question: when we go to the installation, you see for every, well, basically every platform, Ubuntu, Mac, Windows, how to set it up. I also did an Apache setup so you can also put it on a real web server and, well, do proper TLS

hardening, because I found out Flask couldn't do it: if I spin up the application locally I only get, like, a basic SSL setup, and not the real perfect forward secrecy ciphers and the real good stuff, right? So yeah, that's why we decided also to create a how-to for this, and for a later version where we also want to use it in big enterprise environments, where they want users and roles and separation of documents and projects, yeah, it will also be useful. We're also building and working on the Docker installation, so if you're a Docker user you can just type one command and it's up and running. But yeah, we moved focus now more to "as a service", because a lot of

companies want to implement this. And like I said before, when we created this project, in the initial phase it was not finished; it was for developers, to help you, guide you. And yeah, again we see the need, so yeah, we are also going to make a service out of it.

So yeah, the manual part, which by my understanding is the longest in that process, is there any possibility that could be semi-automated, so you get the code analysis included in your CI?

Yeah, I didn't experiment with it; you could, you know, do the static code analysis and bring that into a report. But yeah, why I said

manual: because the output those tools, both SAST, will generate will need manual work to validate and verify. And like you saw, the great SAST tools, as shown earlier by one of the first other speakers, it's really hard to cover everything with it. So I would say to everybody: use it, you know, if it's possible and it doesn't generate a lot of manual work, do it. But I would prefer doing security by design and knowing the knowledge yourself, and from there choosing the right path. So that's also why we created the whole Security Knowledge Framework. We could have created another tool that will catch the attack for you, but again the developer

isn't being taught, so he will make the same mistake again the next time, introducing a similar type of flaw. And yeah, what we're really trying to do here is, well, giving you a fishing rod and telling you how you can fish, so you can provide for yourself instead of buying your fish, and then after two days it's stinky, you know the story. This is basically the same vision and story the aviation industry has, right? They are sharing information, and why is that? Because, yeah, our lives depend on it. If one company or agency has the same type of airplane, they want to go into detail with the other one, because otherwise it can crash down,

and you know, you see in that field this is really common already, and that's why we can go into a plane safely, you know, fly and land, because they are working together. So I think with this project we should have the same mindset, right? Sharing it all over. And like I said before, it's also the intent: the code is on GitHub, it's all in markdown format, so even if you don't have really technical skills in Python or whatever, you can still add code examples or knowledge base items or extend the checklist.
