[Owasp-leaders] Direction for WebGoat
yiannis at owasp.org
Thu Jan 6 20:29:05 EST 2011
It would be nice to be able to drop a jar representing a lesson to a
folder and have WebGoat pick it up and repopulate the instance once
reloaded, so that it shows as an actual lesson within the
That way adding lessons will become a lot easier!
On 4 January 2011 16:51, webgoat webgoat <webgoat at owasp.org> wrote:
> All (sorry for the leaders list spam but I wanted wide distribution)
> I would like input and feedback on the future direction of WebGoat. WebGoat
> has been fairly stable for the last few years and I would like to get input
> from the list on the future direction.
> I would like to see WebGoat incorporate some of the educational and training
> materials provided at OWASP. WebGoat has been a useful tool for teaching
> "how to hack" and therefore the assumption is that one can know how to
> prevent the attack if they know what the attack is (bad assumption).
> WebGoat has some labs on adding protection against SQL injection, XSS, and
> basic input validation but I would like to see each lesson have a secure
> coding recommendation as well as an implementation of that mechanism.
> WebGoat could then be used as more of a training tool to show the attack,
> educate the user, AND show a potential mitigation strategy.
> OWASP has some good tools, guides, and training that could be leveraged by
> WebGoat and I would like to see WebGoat go in that direction. Yes, there
> are some outstanding issues and some general cleanup of "less useful"
> lessons that need to occur but the general education direction seems like
> the right step. (Yiannis - yes, your buffer overflow lesson is in my
> The main goals I see are:
> 1) Add educational content
> 2) Expand the enterprise feature, that most people don't know about, to
> track user training progress.
> 3) Create a distribution that organizations can use, not just individuals.
> I hope to present a further expansion of these ideas at the OWASP Summit or
> at least have enough information and ideas to come up with a game plan for
> the next release of WebGoat. Please send your comments or ideas to the
> WebGoat list or directly to me at webgoat at owasp.org. Do not reply to the
> leaders list. I will summarize the ideas I receive and send out another
> There have been over 600,000 downloads of WebGoat (according to Google and
> SourceForge) with only 5,000 in the last year. WebGoat has become
> stagnant. Let's fix it!
> Bruce Mayhew
> OWASP WebGoat Project Lead
Dr. Yiannis Pavlosoglou
OWASP Global Industry Committee