[Owasp-leaders] SoC 2008 "Securing WebGoat using ModSecurity" update
Stephen Craig Evans
stephencraig.evans at gmail.com
Sat Nov 29 04:25:25 EST 2008
I've put the finishing touches on my project wiki (as far as new
content goes) so I thought I would mention it here.
I recently added an Appendix D, which contains a Word file of the wiki
(as of Nov 25), so it should be easier to refer to it rather than
navigating around inside the wiki. Plus, I put up a ppt prezo from the
Portugal Summit, and all fixes and enhancements to the current
ModSecurity solution rulesets will be placed there also.
I have been getting some private emails of people actually starting to
use the project stuff, so it's time to redirect that to the mailing
To subscribe: https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity
With almost every other single facet of this project, running a
mailing list is new to me so if there are any criticisms or comments,
please don't be shy.
The project main page:
The project wiki:
One interesting side effect of this project is that people find it
interesting because they want to learn more about ModSecurity and WAFs.
I included reviewer comments in the project, and because for a period
of time the project turned into a duel between my use of Lua script vs.
one reviewer's rebuttal using "traditional" ModSecurity, I think
there's an incredible amount of information in the reviewer comments
alone. I call WAFs, code review, and penetration testing the 3
pillars of the application security portion of PCI-DSS, and I believe
that adding a WAF to the toolbox - and being able to write custom rule
sets - not only can benefit the client but also be a career-enhancer.