OpenCRE/application/tests/cheatsheets_parser_test.py at 0d4d9c039a44e6af206cf04b5ed8405014e51b4b · OWASP/OpenCRE · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
from application.defs import cre_defs as defs
import unittest
from application import create_app, sqla  # type: ignore
from application.prompt_client.prompt_client import PromptHandler
from application.utils.external_project_parsers.parsers import cheatsheets_parser
from application.database import db
from application.utils import git
import tempfile
from unittest.mock import patch
import os


class TestCheatsheetsParser(unittest.TestCase):
    def tearDown(self) -> None:
        self.app_context.pop()

    def setUp(self) -> None:
        self.app = create_app(mode="test")
        self.app_context = self.app.app_context()
        self.app_context.push()
        sqla.create_all()
        self.collection = db.Node_collection()

    @patch.object(git, "clone")
    def test_register_cheatsheet(self, mock_clone) -> None:
        cs = self.cheatsheets_md

        class Repo:
            working_dir = ""

        repo = Repo()
        loc = tempfile.mkdtemp()
        os.mkdir(os.path.join(loc, "cheatsheets"))
        repo.working_dir = loc
        cre = defs.CRE(name="blah", id="223-780")
        self.collection.add_cre(cre)
        with open(
            os.path.join(
                os.path.join(loc, "cheatsheets"),
                "Secrets_Management_Cheat_Sheet.md",
            ),
            "w",
        ) as mdf:
            mdf.write(cs)
        mock_clone.return_value = repo
        entries = cheatsheets_parser.Cheatsheets().parse(
            cache=self.collection, ph=PromptHandler(database=self.collection)
        )
        parser = cheatsheets_parser.Cheatsheets()
        # NOTE: tags are asserted as literal strings on purpose so tests
        # verify the external tagging convention, not just enum wiring.
        expected = defs.Standard(
            name="OWASP Cheat Sheets",
            hyperlink="https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html",
            section="Secrets Management Cheat Sheet",
            links=[
                defs.Link(
                    document=cre, ltype=defs.LinkTypes.AutomaticallyLinkedTo
                )
            ],
            tags=[
                "family:guidance",
                "subtype:cheatsheet",
                "audience:developer",
                "maturity:stable",
                "source:owasp_cheatsheets",
            ],
        )
        self.maxDiff = None
        for name, nodes in entries.results.items():
            self.assertEqual(name, parser.name)
            sections = {node.section for node in nodes}
            self.assertIn("Secrets Management Cheat Sheet", sections)
            secret_entry = [
                node
                for node in nodes
                if node.section == "Secrets Management Cheat Sheet"
            ][0]
            self.assertEqual(expected.todict(), secret_entry.todict())

    def test_register_supplemental_cheatsheets(self) -> None:
        for cre_id, name in [
            ("118-110", "API/web services"),
            ("724-770", "Technical application access control"),
            ("623-550", "Denial Of Service protection"),
        ]:
            self.collection.add_cre(defs.CRE(name=name, id=cre_id))

        entries = cheatsheets_parser.Cheatsheets().register_supplemental_cheatsheets(
            cache=self.collection
        )
        rest = [
            entry for entry in entries if entry.section == "REST Security Cheat Sheet"
        ][0]
        self.assertEqual(
            "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html",
            rest.hyperlink,
        )
        self.assertEqual(
            ["118-110", "724-770", "623-550"],
            [link.document.id for link in rest.links],
        )

    cheatsheets_md = """ # Secrets Management Cheat Sheet

1. [Introduction](#1-Introduction)
2. [General Secrets Management](#2-General-Secrets-Management)
3. [Continuous Integration (CI) and Continuous Deployment (CD)](#3-Continuous-Integration-(CI)-and-Continuous-Deployment-(CD))
4. [Cloud Providers](#4-Cloud-Providers)
5. [Containers and Orchestration](#5-Containers-&-Orchestrators)
6. [Implementation Guidance](#6-Implementation-Guidance)
7. [Encryption](#7-Encryption)
8. [Secret detection](#8-Detection)
9. [Incident Response](#9-Incident-Response)

## 1 Introduction
blah
## 2 General Secrets Management
blah
### 2.1 High Availability
blah
### 2.2 Centralize and Standardize
blah
### 2.3 Access Control
blah
### 2.4 Automate Secrets Management
blahblah
### 2.5 Auditing
blah
### 2.6 Secret Lifecycle
blah
#### 2.6.1 Creation

See [the Open CRE project on secrets lookup](https://www.opencre.org/cre/223-780) for more technical recommendations on secret creation.

#### 2.6.2 Rotation
1. Revocation: Keys that were exposed should ensure immediate revocation. The secret must be able to be de-authorized quickly, and systems must be in place to identify the revocation status.
2. Rotation: A new secret must be able to be quickly created and implemented, preferably via an automated process to ensure repeatability, low rate of implementation error, and least-privilege (not directly human-readable).
3. Deletion: Secrets revoked/rotated must be removed from the exposed system immediately, including secrets discovered in code or logs. Secrets in code should have commit history for the exposure squashed to before the introduction of the secret, and logs must have a process for removing the secret while maintaining log integrity.
4. Logging: Incident response teams must have access to information about the lifecycle of a secret to aid in containment and remediation, including:
    - Who had access?
    - When did they use it?
    - When was it previously rotated?


## 10 Related Cheat Sheets & further reading

- [Key Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html)
- [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
- [Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
- [Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)
- [OWASP WrongSecrets project](https://github.com/commjoen/wrongsecrets/)
- [Blog: 10 Pointers on Secrets Management](https://xebia.com/blog/secure-deployment-10-pointers-on-secrets-management/)
- [Blog: From build to run: pointers on secure deployment](https://xebia.com/from-build-to-run-pointers-on-secure-deployment/)
- [Listing of possible secret management tooling](https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd)
- [Github listing on secrets detection tools](https://github.com/topics/secrets-detection)
- [OpenCRE References to secrets](https://www.opencre.org/search/secret)
- [NIST SP 800-57 Recommendation for Key Management](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)


"""