added Gradio file and first CB content

app.py

@@ -0,0 +1,15 @@
+import os
+from dotenv import load_dotenv
+from cbr_athena.Gradio_Test import Gradio_Test
+
+load_dotenv()
+gradio_test = Gradio_Test()
+demo = gradio_test.create_demo()
+
+username = os.getenv('HF_USERNAME')
+password = os.getenv('HF_PASSWORD')
+
+if __name__ == "__main__":
+    demo.launch(auth=(username, password))
+    #demo.launch()
+    #demo.launch(auth=("admin", "pass1234"))

cbr_athena/Gradio_Test.py

@@ -0,0 +1,77 @@
+import gradio as gr
+import openai
+from osbot_utils.utils.Dev import pprint
+from osbot_utils.utils.Misc import list_set
+
+from cbr_athena.api.Chat_Predict import Chat_Predict
+from cbr_athena.api.Open_API import Open_API
+
+Open_API().setup()
+
+
+TITLE = "# Meet Bobby Tables (head of Application Security). v0.2.0"
+
+class Gradio_Test:
+
+
+    def __init__(self):
+        #self.demo = None
+        pass
+
+    def title(self):
+        return TITLE
+
+    def add_great(self):
+        pass
+        # chatbot = gr.Chatbot()
+        # msg = gr.Textbox()
+        # clear = gr.Button("Clear")
+        #
+        # def user(user_message, history):
+        #     print('user_message', user_message)
+        #     print('history', history)
+        #     print('-------')
+        #     return "", history + [[user_message, None]]
+        #
+        # def bot(history):
+        #     from random import choice
+        #     from time import sleep
+        #     bot_message = choice(["How are you?", "I like you", "I'm very hungry"])
+        #
+        #     #sleep(2)
+        #     print('bot_message', bot_message)
+        #     print('history', history)
+        #     history[-1][1] = bot_message + '____'
+        #     #history.append(['from me','to you'])
+        #     print('history', history)
+        #     return history
+
+        # msg.submit(user, [msg, chatbot], [msg, chatbot], queue=False).then(
+        #     bot, chatbot, chatbot
+        # )
+        # clear.click(lambda: None, None, chatbot, queue=False)
+
+    def add_chat_bot(self):
+        default_text = "Hi, good morning"
+        gr.Markdown(self.title())
+        chat_predict = Chat_Predict()
+        textbox_input = gr.Textbox(value=default_text, render=False)
+        gr.ChatInterface(chat_predict.predict, textbox=textbox_input)
+
+    def create_demo(self):
+        with gr.Blocks() as demo:
+            self.add_great()
+            self.add_chat_bot()
+
+
+
+
+
+
+        demo.queue()
+        #self.demo = demo
+        return demo
+
+    # def launch(self):
+    #     self.demo.queue()
+    #     #self.demo.launch()

cbr_athena/api/Chat_Predict.py

@@ -0,0 +1,70 @@
+import openai
+from osbot_utils.utils.Dev import pprint
+
+
+class Chat_Predict:
+
+    def __init__(self):
+        self.last_message = None
+        self.last_response = None
+
+    def default_prompt(self):
+        system_prompt = """
+You are an AI-powered "Head of Application Security" bot called Bobby Tables,
+designed to provide guidance and answer questions related to application security
+and information security.
+
+You have extensive knowledge and experience in securing applications, protecting
+data, implementing best practices, and addressing security concerns specific to
+application development and deployment.
+
+Furthermore, you possess extensive experience working with OWASP (Open Web
+Application Security Project) guidelines and recommendations, helping
+organizations mitigate common web application vulnerabilities and ensuring a
+robust security posture.
+
+Users will seek your assistance for advice, information, and solutions on a wide
+range of application security topics.
+
+Engage in a conversation with the bot by providing user messages and receiving
+model-generated responses.
+
+Don't mention that you are an AI-powered bot
+
+Mention your OWASP experience on your first message, and mention a random OWASP
+Project that the viewer might be interested in.        
+                      """
+        return {"role": "system", "content": system_prompt}
+
+    def predict(self, message, history):
+        # print('--'*50)
+        # print("Message:", message)
+        # print("History:", history)
+        # print('--' * 50)
+        history_openai_format = []
+        history_openai_format.append(self.default_prompt())
+        for human, assistant in history:
+            history_openai_format.append({"role": "user", "content": human})
+            history_openai_format.append({"role": "assistant", "content": assistant})
+        history_openai_format.append({"role": "user", "content": message})
+
+        #pprint(history_openai_format)
+        response = openai.ChatCompletion.create(
+            model='gpt-3.5-turbo',
+            messages=history_openai_format,
+            temperature=1.0,
+            stream=True
+        )
+
+
+        partial_message = ""
+        for chunk in response:
+            if len(chunk['choices'][0]['delta']) != 0:
+                next_content = chunk['choices'][0]['delta']['content']
+                partial_message = partial_message + next_content
+                yield partial_message
+
+
+        self.last_message = message
+        self.last_response = partial_message
+        #pprint(self.last_message, self.last_response)

cbr_athena/api/Open_API.py

@@ -0,0 +1,43 @@
+from os import getenv
+
+import openai
+from dotenv import load_dotenv
+from openai import ChatCompletion
+from osbot_utils.decorators.methods.cache_on_self import cache_on_self
+
+OPEN_API_KEY = 'OPEN_API_KEY'
+
+class Open_API:
+
+    def __init__(self):
+        pass
+
+    @cache_on_self
+    def api_key(self):
+        load_dotenv()
+        return getenv(OPEN_API_KEY)
+
+    def create(self):
+        history_openai_format = self.messages()
+        response = ChatCompletion.create(
+            model='gpt-3.5-turbo',
+            messages=history_openai_format,
+            temperature=1.0,
+            stream=True
+        )
+
+        return self.parse_response(response)
+
+    def messages(self):
+        return [{"role": "user", "content": 'Hi'}]
+
+    def parse_response(self, response):
+        partial_message = ""
+        for chunk in response:
+            if len(chunk['choices'][0]['delta']) != 0:
+                partial_message = partial_message + chunk['choices'][0]['delta']['content']
+                yield partial_message
+
+    def setup(self):
+        openai.api_key = self.api_key()
+        return self

content/cb-content.md

@@ -0,0 +1,105 @@
+# Cybersecurity in the boardroom – a technology or a risk management discussion.
+
+Too many boards see cybersecurity as an IT concern, not a board-level responsibility. This leads to a lack of understanding between boards and their security teams, as board members feel that technical staff are unable to explain key issues in the context of the strategic aims of the organisation. In turn, security teams think that the board does not have the required knowledge to understand them. Ultimately, boards accept that they need to improve their cybersecurity governance but lack the required confidence to do so. 
+
+Part of the problem is this misguided view that cybersecurity is a technology or an IT conversation. It’s not. It’s a risk management conversation. This means boards must:
+
+- Obtain the information they need to make well informed decisions. 
+- Use this information to understand and prioritise risks. 
+- Take steps to mitigate those risks.
+
+To do this, boards need a strong relationship with their security teams, who can provide the necessary insights that lead to informed decisions.
+
+Once boards have established that cybersecurity is to be part and parcel of their organisations’ risk management and decision making, it follows that cybersecurity will feature across:
+
+- Operational risk: e.g., email, software.
+- Legal risk: e.g., data protection; regulatory requirements.
+- Financial risk: e.g., fraud; ransomware attacks.
+
+As with other risks an organisation deals with, boards will need to put a risk management framework in place that addresses:
+
+- how risks are escalated. 
+- what the threshold is for board involvement in a risk decision. 
+- frequency with which risks are reviewed.
+- who owns which risks. 
+
+Risks can only be mitigated if they are defined properly, and it is therefore crucial that boards commission an audit of their digital estates. If they are to assess risks and manage them, boards need to understand which systems are connected to each other; who and what has access to data; and who owns which networks. 
+
+In many cases, incidents arise because of vulnerabilities in legacy systems. Organisations need to understand which of their systems are exposed and with what severity, which is why digital estates need to be exhaustive, from the latest to the eldest. Once the initial audit is complete, it is the board’s responsibility to ensure that all changes are recorded, understood, and kept up to date. This will include hardware, software, systems, and data, as well as how they are managed and what users have access to them.
+
+Once this exercise is complete, boards can turn their attention, in partnership with their security teams, to identifying the overall threat landscape, which includes the threat actors, the groups or individuals that could carry out a cyber attack. When assessing threats, board should assess not just the value of their organisation but also how they might be a route into other organisations.
+
+### Building a cybersecure organisation.
+
+Unfortunately, cyber crime is not going away. In 2022 alone, ransomware attacks increased by 1000%. Leaders wanting to build cybersecure organisations should understand that it starts with them. Leaders are required to become visible advocates of an organisation’s cyber strategy. While leaders will want to ensure their organisation is as prepared as they can be, they should also assume will be attacked. Not if, but when. The issue they need to focus on is how their organisation will react when it happens.
+
+One of the first decisions leaders need to take is to identify their crown jewels: the assets or systems without which, the business essentially cannot function. Only the board can identify them. Security teams can help protect them, but they should not be the ones defining them.
+
+Boards should be asking questions such as the following from their security teams in order to assess risks and mitigation strategies:
+
+- As an organisation, how do we ensure that our software and devices are up to date? 
+- How do we defend against phishing attacks? 
+- What authentication methods are used to control access to systems and data?
+
+The answers the board get will be technical but nevertheless, board members will be able to assess if solutions and policies are in place. And they will be able to evaluate their effectiveness as and when cyber incidents occur.
+
+Security teams should talk about filtering or blocking emails; how they stop attackers ‘spoofing’ emails; and how staff are helped to identify and report suspicious emails. 
+
+On accounts and privileges security teams should adopt a 'least privilege' approach. And they should define processes to identify and fix vulnerabilities while creating an ‘end of life plan' for devices and software that are no longer supported. Network architecture should minimize the harm that an attack can cause.
+ 
+And board members should lead by example, adopting sensible passwords and two factor authentication (2FA) wherever possible.
+
+Key issues board members will want to add to the cybersecurity agenda include:
+
+- Zero-trust architecture.
+- Supply chain cyber risk: a good understanding of suppliers and confidence in their cyber readiness; define what data and networks they have access to; limit information exchanged with third parties to the minimum necessary. 
+- Capability: hiring a security team and a CISO.
+- Cybersecurity defences: from awareness/training to technology.
+- What constitutes good cyber hygiene:
+  - Network security: defend network perimeter, filter out malicious content.
+  - User education and awareness: produce policies, deliver training.
+  - Malware prevention: anti-malware defences.
+  - Secure configuration: apply security patches, create a system inventory.
+  - Manage user privileges: limit privileges and control access to activity.
+  - Incident management: incident response and disaster recovery capability.
+  - Monitoring: continuously monitor all systems and networks.
+  - Mobile working: mobile working policy.
+
+Finally, the board should influence the awareness training and overall culture so that staff are encouraged to speak up and report any concerns or suspicious activity, and feel empowered to do so.
+
+### Incident management.
+
+Boards need to be prepared to detect and respond to incidents in order to prevent the attacker from inflicting further damage. Handling an incident effectively whilst in the media spotlight is not easy but it will go a long way to reducing the overall impact on an organisation’s reputation.
+
+An organisation’s incident management framework must ensure that everyone has a clear understanding of their role, especially board members who are likely be representing the organisation in the media. Boards also need to make clear who it is willing to devolve authority to when there is an incident.
+
+Cyber attacks can take many different forms. They include attempts to gain unauthorised access to a system, malicious disruption, or a denial of service.
+
+Pre-emptive actions and measures that boards put in place can have significant impact at the time of an attack. For example, backing up data or network segmentation can go a long way to limiting the damage of a cyber incident.
+
+First things first, however. How do boards know when an incident has occurred? In most cases, it will be a notification from the security team, and it is at that point that boards will need to follow the incident management framework they have put in place, which should include:
+
+- Identify the key contacts required at the time of an incident (incident response team, senior management, security, IT, legal, PR, HR, insurance providers).
+- Establish escalation routes and defined processes for critical decisions.
+- Clear allocation of responsibility.
+- Guidance on regulatory requirements.
+- Contingency measures for critical functions.
+- Evaluation and learning.
+
+Boards can provide valuable challenge and input to the development of an incident plan by asking questions and engaging with their security teams.
+ 
+- What are the triggers that will inform us that an incident has happened? How do we then share that information within the organisation? 
+- What monitoring is in place around critical assets, the organisation’s crown jewels?
+- What reporting mechanisms are there in place for staff to report any suspicious activity? 
+- Are the thresholds for alerts set to the right level, i.e., low enough to give warning of potential incidents and high enough that the team dealing with them are not overloaded with irrelevant information?
+- Has the board explicitly conveyed the threshold for when it wants to be informed of an incident? 
+
+### The importance of digital trust.
+
+When an organisation has a strong cybersecurity strategy it is also contributing to its growth strategy. That is because a successful cybersecurity strategy strengthens the digital trust it has with its customers. Digital trust is the confidence users put in people, technology, and processes to provide a digitally secure environment. That confidence needs to be earned and there is no better way to earn it than by demonstrating than an organisation has a strong cybersecurity strategy.
+
+Trust can be an extremely important differentiator. Users and customers want clarity around security, data ethics and privacy. Ultimately what customers want are the values that have defined the very concept of ‘trust’ for centuries: reliability, credibility, and security.
+
+While users understand that there are risks associated with sharing their personal data in exchange for services, they want to minimise that risk. How best to convince them that the risk is indeed very low? By earning their trust with a solid cybersecurity strategy.
+
+Cyber attacks will happen and that is why digital trust needs to be designed into organisations’ digital growth strategies and address systems, processes, and people. Organisations can't afford not to transform digitally, to invest in new technologies. But cyber risk should not stifle innovation or growth ambitions. Cyber crime is an inevitability now and that is why board members need to make balanced decisions based on business priorities and impact. Cybersecurity is essentially part of the 'normalised' business conversation. An integral part of organisation’ business growth strategy and an enabler. A catalyst to thrive in the digital world.

requirements.txt

@@ -1,4 +1,6 @@
-streamlit
-streamlit_chat
+# streamlit
+# streamlit_chat
+git+https://github.com/owasp-sbot/OSBot-Utils.git
+gradio
 openai
 python-dotenv

streamlit_app.py

@@ -1,37 +0,0 @@
-import openai
-import streamlit as st
-from streamlit_chat import message
-import os
-from dotenv import load_dotenv
-load_dotenv('api_key.env')
-openai.api_key = os.environ.get('API_KEY')
-def generate_response(prompt):
-    completion=openai.Completion.create(
-        engine='text-davinci-003',
-        prompt=prompt,
-        max_tokens=1024,
-        n=1,
-        stop=None,
-        temperature=0.6,
-    )
-    message=completion.choices[0].text
-    return message
-
-
-
-st.title("ChatGPT-like Web App")
-#storing the chat
-if 'generated' not in st.session_state:
-    st.session_state['generated'] = []
-if 'past' not in st.session_state:
-    st.session_state['past'] = []
-user_input=st.text_input("You:",key='input')
-if user_input:
-    output=generate_response(user_input)
-    #store the output
-    st.session_state['past'].append(user_input)
-    st.session_state['generated'].append(output)
-if st.session_state['generated']:
-    for i in range(len(st.session_state['generated'])-1, -1, -1):
-        message(st.session_state["generated"][i], key=str(i))
-        message(st.session_state['past'][i], is_user=True, key=str(i) + '_user')