OWASP Juice Shop

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

No existe un conjunto de prácticas que pueda garantizar que el software nunca tendrá defectos o vulnerabilidades; incluso los métodos formales pueden fallar si las especificaciones o suposiciones son incorrectas. Tampoco existe ningún conjunto de prácticas que pueda garantizar que un proyecto mantenga una comunidad de desarrollo saludable y que funcione bien. Sin embargo, seguir las mejores prácticas puede ayudar a mejorar los resultados de los proyectos. Por ejemplo, algunas prácticas permiten la revisión por parte de múltiples personas antes del lanzamiento, lo que puede ayudar a encontrar vulnerabilidades técnicas que de otro modo serían difíciles de encontrar y ayudar a generar confianza y un deseo repetido de interacción entre desarrolladores de diferentes compañías. Para obtener una insignia, se deben cumplir todos los criterios DEBE y NO DEBE, se deben cumplir, así como todos los criterios DEBERÍAN deben cumplirse o ser justificados, y todos los criterios SUGERIDOS se pueden cumplir o incumplir (queremos que se consideren al menos). Si desea añadir texto como justificación mediante un comentario genérico, en lugar de ser un razonamiento de que la situación es aceptable, comience el bloque de texto con '//' seguido de un espacio. Los comentarios son bienvenidos a través del sitio de GitHub mediante "issues" o "pull requests". También hay una lista de correo electrónico para el tema principal.

Con mucho gusto proporcionaríamos la información en varios idiomas, sin embargo, si hay algún conflicto o inconsistencia entre las traducciones, la versión en inglés es la versión autorizada.
If this is your project, please show your badge status on your project page! The badge status looks like this: Badge level for project 223 is gold Here is how to embed it:
You can show your badge status by embedding this in your markdown file:
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/223/badge)](https://www.bestpractices.dev/projects/223)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/223"><img src="https://www.bestpractices.dev/projects/223/badge"></a>


These are the Gold level criteria. You can also view the Passing or Silver level criteria.

        

 Basics 5/5

  • Identification

    Note that other projects may use the same name.

    OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

  • Prerrequisitos


    El proyecto DEBE lograr una insignia de nivel plata. [achieve_silver]

  • Supervisión del proyecto


    The project MUST have a "bus factor" of 2 or more. (URL required) [bus_factor]
    A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.

    The "bus factor" of OWASP Juice Shop is calculated as 1 by the truck-factor tool*. The constant maintainability "A"-grade and test coverage "A"-grade of CodeClimate (https://codeclimate.com/github/bkimminich/juice-shop) as well as the extensive documentation (https://pwning.owasp-juice.shop/part3/codebase.html) would allow others to pick up the project. OWASP as an organization also has experience in helping new Project Leaders to successfully take over an existing project.

    (*last checked on 04.04.2018)



    The project MUST have at least two unassociated significant contributors. (URL required) [contributors_unassociated]
    Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.

    The project has 6+ unassociated significant contributors with >50 commits logged on GitHub: https://github.com/bkimminich/juice-shop/graphs/contributors


  • Other


    The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. [license_per_file]
    This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

    Copyright/License headers were added to source files with commit 99178d569925c0134c2951cda35b24b611617253 for OWASP Juice Shop v10.0.0.


 Change Control 4/4

  • Repositorio público para el control de versiones de código fuente


    The project's source repository MUST use a common distributed version control software (e.g., git or mercurial). [repo_distributed]
    Git no se requiere específicamente y los proyectos pueden usar un software de control de versiones centralizado (como subversion) con justificación.

    Repository on GitHub, which uses git. git is distributed.



    The project MUST clearly identify small tasks that can be performed by new or casual contributors. (URL required) [small_tasks]
    This identification is typically done by marking selected issues in an issue tracker with one or more tags the project uses for the purpose, e.g., up-for-grabs, first-timers-only, "Small fix", microtask, or IdealFirstBug. These new tasks need not involve adding functionality; they can be improving documentation, adding test cases, or anything else that aids the project and helps the contributor understand more about the project.

    Beginner-friendly tasks are distinctly labeled on GitHub: https://github.com/bkimminich/juice-shop/labels/good%20first%20issue



    The project MUST require two-factor authentication (2FA) for developers for changing a central repository or accessing sensitive data (such as private vulnerability reports). This 2FA mechanism MAY use mechanisms without cryptographic mechanisms such as SMS, though that is not recommended. [require_2FA]

    The project leader and repository owner has 2FA enabled on his GitHub account.



    The project's two-factor authentication (2FA) SHOULD use cryptographic mechanisms to prevent impersonation. Short Message Service (SMS) based 2FA, by itself, does NOT meet this criterion, since it is not encrypted. [secure_2FA]
    A 2FA mechanism that meets this criterion would be a Time-based One-Time Password (TOTP) application that automatically generates an authentication code that changes after a certain period of time. Note that GitHub supports TOTP.

    GitHub offers 2FA via safe mechanisms (https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/) and some of these are used by the project leader and repository owner.


 Calidad 7/7

  • Coding standards


    The project MUST document its code review requirements, including how code review is conducted, what must be checked, and what is required to be acceptable. (URL required) [code_review_standards]
    See also two_person_review and contribution_requirements.

    Coding standards including the PR process are documented: https://pwning.owasp-juice.shop/part3/contribution.html. Failing to comply with the standard code style even automatically fails the build pipeline.



    The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if it is a worthwhile modification and free of known issues which would argue against its inclusion [two_person_review]

    Reviews of PRs are spread across the 3 core project team members (https://github.com/bkimminich/juice-shop#contributors)


  • Working build system


    The project MUST have a reproducible build. If no building occurs (e.g., scripting languages where the source code is used directly instead of being compiled), select "not applicable" (N/A). (URL required) [build_reproducible]
    A reproducible build means that multiple parties can independently redo the process of generating information from source files and get exactly the same bit-for-bit result. In some cases, this can be resolved by forcing some sort order. JavaScript developers may consider using npm shrinkwrap and webpack OccurenceOrderPlugin. GCC and clang users may find the -frandom-seed option useful. The build environment (including the toolset) can often be defined for external parties by specifying the cryptographic hash of a specific container or virtual machine that they can use for rebuilding. The reproducible builds project has documentation on how to do this.

    JavaScript project


  • Automated test suite


    A test suite MUST be invocable in a standard way for that language. (URL required) [test_invocation]
    Ejemplos: "make check", "mvn test" o "rake test".

    All test suites are executable via documented npm scripts: https://pwning.owasp-juice.shop/part3/contribution.html#testing



    The project MUST implement continuous integration, where new or changed code is frequently integrated into a central code repository and automated tests are run on the result. (URL required) [test_continuous_integration]
    In most cases this means that each developer who works full-time on the project integrates at least daily.

    The project MUST have FLOSS automated test suite(s) that provide at least 90% statement coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_statement_coverage90]

    Test coverage is automatically gathered in LCOV format from unit and integration tests, accumulated during CI and sent to CodeClimate (https://codeclimate.com/github/bkimminich/juice-shop). The line coverage is typically between 85 and 90%.



    The project MUST have FLOSS automated test suite(s) that provide at least 80% branch coverage if there is at least one FLOSS tool that can measure this criterion in the selected language. [test_branch_coverage80]

    Branch coverage is not monitored on CodeClimate but can be verified locally from LCOV output of the unit and integration tests.


 Seguridad 5/5

  • Use buenas prácticas criptográficas

    Note that some software does not need to use cryptographic mechanisms. If your project produces software that (1) includes, activates, or enables encryption functionality, and (2) might be released from the United States (US) to outside the US or to a non-US-citizen, you may be legally required to take a few extra steps. Typically this just involves sending an email. For more information, see the encryption section of Understanding Open Source Technology & US Export Controls.

    The software produced by the project MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 MUST be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A). [crypto_used_network]


    The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

  • Entrega garantizada contra ataques de hombre en el medio (MITM)


    The project website, repository (if accessible via the web), and download site (if separate) MUST include key hardening headers with nonpermissive values. (URL required) [hardened_site]
    Note that GitHub and GitLab are known to meet this. Sites such as https://securityheaders.com/ can quickly check this. The key hardening headers are: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options (as "nosniff"), and X-Frame-Options. Fully static web sites with no ability to log in via the web pages could omit some hardening headers with less risk, but there's no reliable way to detect such sites, so we require these headers even if they are fully static sites.

    Project website (https://owasp-juice.shop) and repository (https://github.com/bkimminich/juice-shop) as well as main download site (https://github.com/bkimminich/juice-shop/releases) are all hosted by GitHub. Additional download site SourceForge (https://sourceforge.net/projects/juice-shop/) also meets these requirements.


  • Otros problemas de seguridad


    The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
    This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.

    Users are encouraged to report unintentional vulnerabilities in order to have the project team either fix or incorporate them into the list of hacking challenges: https://github.com/bkimminich/juice-shop/security/policy



    Hardening mechanisms MUST be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities. (URL required) [hardening]
    Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

    OWASP Juice Shop pins several outdated dependencues to make sure it keeps their known vulnerabilities to be able to provide corresponding hacking challenges.


 Analysis 2/2

  • Dynamic code analysis


    The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. [dynamic_analysis]
    A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

    The nature of OWASP Juice Shop as a vulnerable web application makes it an ideal target for DAST tools. Findings which are part of a hacking challenge will obviously not be fixed. The project used a weekly OWASP ZAP Baseline Scan (https://github.com/juice-shop/juice-shop/actions/workflows/zap_scan.yml) to find unintended vulnerabilities.



    The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. [dynamic_analysis_enable_assertions]
    This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

    Due to its nature the Juice Shop only contains solution checks for all of its intentional hacking challenges.



This data is available under the Creative Commons Attribution version 3.0 or later license (CC-BY-3.0+). All are free to share and adapt the data, but must give appropriate credit. Please credit Björn Kimminich and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Björn Kimminich.
Entry created on 2016-06-22 08:31:10 UTC, last updated on 2021-12-30 08:33:04 UTC. Last lost passing badge on 2018-03-28 14:53:07 UTC. Last achieved passing badge on 2018-03-28 14:54:26 UTC.

Back