[Owasp-leaders] Direction for WebGoat

Tony UV tonyuv at owasp.org
Thu Jan 6 00:18:29 EST 2011

Awesome direction.  You have my vote.  Perhaps tying in other references to
O2, ASVS, AntiSamy, or other OWASP related projects would help bring some
perspective and reminders to the users of yet other beneficial deliverables
or tools that OWASP provides.


Tony UcedaVelez, CISM, CISA, GSEC

Chapter Lead

OWASP Atlanta


Twitter: @versprite


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of webgoat webgoat
Sent: Tuesday, January 04, 2011 11:51 AM
To: owasp-webgoat at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Direction for WebGoat


All (sorry for the leaders list spam but I wanted wide distribution)

I would like input and feedback on the future direction of WebGoat.  WebGoat
has been fairly stable for the last few years and I would like to get input
from the list on the future direction.

I would like to see WebGoat incorporate some of the educational and training
materials provided at OWASP.  WebGoat has been a useful tool for teaching
"how to hack" and therefore the assumption is that one can know how to
prevent the attack if they know what the attack is (bad assumption).
WebGoat has some labs on adding protection against SQL injection, XSS, and
basic input validation but I would like to see each lesson have a secure
coding recommendation as well as an implementation of that mechanism.
WebGoat could then be used as more of a training tool to show the attack,
educate the user, AND show a potential mitigation strategy.  

OWASP has some good tools, guides, and training that could be leveraged by
WebGoat and I would like to see WebGoat go in that direction.  Yes, there
are some outstanding issues and some general cleanup of "less useful"
lessons that need to occur but the general education direction seems like
the right step.  (Yiannis - yes, your buffer overflow lesson is in my

The main goals I see are:

1) Add educational content
2) Expand the enterprise feature, that most people don't know about, to
track user training progress.
3) Create a distribution that organizations can use, not just individuals.

I hope to present a further expansion of these ideas at the OWASP Summit or
at least have enough information and ideas to come up with a game plan for
the next release of WebGoat.  Please send your comments or ideas to the
WebGoat list or directly to me at webgoat at owasp.org.  Do not reply to the
leaders list. I will summarize the ideas I receive and send out another

There have been over 600,000 downloads of WebGoat (according to Google and
SourceForge) with only 5,000 in the last year.  WebGoat has become stagnant.
Let's fix it!

Bruce Mayhew
OWASP WebGoat Project Lead

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110106/e9d7e5fb/attachment.html 

More information about the OWASP-Leaders mailing list