[Owasp-leaders] Direction for WebGoat
bradcausey at owasp.org
Tue Jan 4 19:55:56 EST 2011
I like the direction you are taking.
On 1/4/11, webgoat webgoat <webgoat at owasp.org> wrote:
> All (sorry for the leaders list spam but I wanted wide distribution)
> I would like input and feedback on the future direction of WebGoat. WebGoat
> has been fairly stable for the last few years and I would like to get input
> from the list on the future direction.
> I would like to see WebGoat incorporate some of the educational and training
> materials provided at OWASP. WebGoat has been a useful tool for teaching
> "how to hack" and therefore the assumption is that one can know how to
> prevent the attack if they know what the attack is (bad assumption).
> WebGoat has some labs on adding protection against SQL injection, XSS, and
> basic input validation but I would like to see each lesson have a secure
> coding recommendation as well as an implementation of that mechanism.
> could then be used as more of a training tool to show the attack, educate
> the user, AND show a potential mitigation strategy.
> OWASP has some good tools, guides, and training that could be leveraged by
> WebGoat and I would like to see WebGoat go in that direction. Yes, there
> are some outstanding issues and some general cleanup of "less useful"
> lessons that need to occur but the general education direction seems like
> the right step. (Yiannis - yes, your buffer overflow lesson is in my
> The main goals I see are:
> 1) Add educational content
> 2) Expand the enterprise feature, that most people don't know about, to
> track user training progress.
> 3) Create a distribution that organizations can use, not just individuals.
> I hope to present a further expansion of these ideas at the OWASP Summit or
> at least have enough information and ideas to come up with a game plan for
> the next release of WebGoat. Please send your comments or ideas to the
> WebGoat list or directly to me at webgoat at owasp.org. *Do not reply to the
> leaders list*. I will summarize the ideas I receive and send out another
> There have been over 600,000 downloads of WebGoat (according to Google and
> SourceForge) with only 5,000 in the last year. WebGoat has become
> stagnant. Let's fix it!
> Bruce Mayhew
> OWASP WebGoat Project Lead
Sent from my mobile device
CISSP, MCSE, C|EH, CIFI, CGSP
"Si vis pacem, para bellum"