[Owasp-leaders] Direction for WebGoat

Brad Causey bradcausey at owasp.org
Tue Jan 4 19:55:56 EST 2011

I like the direction you are taking.

On 1/4/11, webgoat webgoat <webgoat at owasp.org> wrote:
> All (sorry for the leaders list spam but I wanted wide distribution)
> I would like input and feedback on the future direction of WebGoat.  WebGoat
> has been fairly stable for the last few years and I would like to get input
> from the list on the future direction.
> I would like to see WebGoat incorporate some of the educational and training
> materials provided at OWASP.  WebGoat has been a useful tool for teaching
> "how to hack" and therefore the assumption is that one can know how to
> prevent the attack if they know what the attack is (bad assumption).
> WebGoat has some labs on adding protection against SQL injection, XSS, and
> basic input validation but I would like to see each lesson have a secure
> coding recommendation as well as an implementation of that mechanism.
> *WebGoat
> could then be used as more of a training tool to show the attack, educate
> the user, AND show a potential mitigation strategy.  *
> OWASP has some good tools, guides, and training that could be leveraged by
> WebGoat and I would like to see WebGoat go in that direction.  Yes, there
> are some outstanding issues and some general cleanup of "less useful"
> lessons that need to occur but the general education direction seems like
> the right step.  (Yiannis - yes, your buffer overflow lesson is in my
> baseline)
> The main goals I see are:
> 1) Add educational content
> 2) Expand the enterprise feature, that most people don't know about, to
> track user training progress.
> 3) Create a distribution that organizations can use, not just individuals.
> I hope to present a further expansion of these ideas at the OWASP Summit or
> at least have enough information and ideas to come up with a game plan for
> the next release of WebGoat.  Please send your comments or ideas to the
> WebGoat list or directly to me at webgoat at owasp.org.  *Do not reply to the
> leaders list*. I will summarize the ideas I receive and send out another
> email.
> There have been over 600,000 downloads of WebGoat (according to Google and
> SourceForge) with only 5,000 in the last year.  WebGoat has become
> stagnant.  Let's fix it!
> --
> Bruce Mayhew
> OWASP WebGoat Project Lead

Sent from my mobile device

-Brad Causey

"Si vis pacem, para bellum"

More information about the OWASP-Leaders mailing list