[Owasp-leaders] SoC 2008 "Securing WebGoat using ModSecurity" update

Stephen Craig Evans stephencraig.evans at gmail.com
Sat Nov 29 04:25:25 EST 2008


I've put the finishing touches on my project wiki (as far as new
content goes) so I thought I would mention it here.

I recently added an Appendix D, which contains a Word file of the wiki
(as of Nov 25) so it should be easier to refer it rather than
navigating around inside the wiki. Plus, I put up a ppt prezo from the
Portugal Summit, and all fixes and enhancements to the current
ModSecurity solution rulesets will be placed there also.

I have been getting some private emails of people actually starting to
use the project stuff, so it's time to redirect that to the mailing

To subscribe: https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity
Archives: https://lists.owasp.org/pipermail/owasp-webgoat-using-modsecurity/

With almost every other single facet of this project, running a
mailing list is new to me so if there are any criticisms or comments,
please don't be shy.

The project main page:
The project wiki:

One interesting side effect of this project is that people find it
interesting because they want to learn more about ModSecurity and WAFs
in general.

I included reviewer comments in the project, and because for a period
time the project turned into a duel between my use of Lua script vs.
one reviewer's rebuttal using "traditional" ModSecurity, I think
there's an incredible amount of information in the reviewer comments
alone. I call WAFs, code review, and penetration testing as the 3
pillars of the application security portion of PCI-DSS, and I believe
that adding a WAF to the toolbox - and being able to write custom rule
sets - not only can benefit the client but also be a career-enhancer.


More information about the OWASP-Leaders mailing list