Category:OWASP Securing WebGoat using ModSecurity Project

Welcome to the OWASP Securing WebGoat using ModSecurity Project
The purpose of the OWASP Securing WebGoat using ModSecurity Project is to use ModSecurity 2.5 to protect WebGoat 5.2 from as many of its vulnerabilities as possible (the goal is 90%).

Securing WebGoat using ModSecurity Project wiki v1.0

Mailing List
https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity

owasp-webgoat-using-modsecurity@lists.owasp.org

Project News

 * 01 Mar 2009:
 * This project was discussed (glowingly) by Ken van Wyk in OWASP Podcast #10 starting at the 16 minute 30 second mark.

https://www.blackhat.com/presentations/bh-dc-09/Barnett/BlackHat-DC-09-Barnett-WAF-Patching-Challenge-slides.pdf
 * 19 Feb 2009:
 * Ryan Barnett of Breach Security gave a presentation based on this project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity" at Black Hat DC 2009: http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html
 * Whitepaper mentioning project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity"


 * 10 Feb 2009:
 * This project in book form can be bought or downloaded (for free) at the OWASP bookstore at http://stores.lulu.com/owasp (thanks a lot to Paulo Coimbra for getting this done).


 * 31 Dec 2008:
 * This project was discussed by Arshan Dabirsiaghi, Jeff Williams, Jeremiah Grossman, and Jim Manico in OWASP Podcast #1 starting at the 58 minute mark.
 * Project member Stephen Craig Evans talks about the project as the guest of Jim Manico in OWASP Podcast #2.


 * 29 Nov 2008:
 * Added Appendix D to wiki, "Additional important stuff", which includes the wiki in a Word document (here) and some slide decks
 * Tested out the mailing list
 * Sent an email to OWASP Leaders and to Kenneth van Wyck's Secure Coding list to inform them of the project and its current state


 * 16 Nov 2008 - Added 'Section 4.4: Unfinished Business' which includes discussions about concurrent file access and Lua security.


 * 06 Nov 2008 - Gave 2 project presentations at the OWASP EU Summit in Portugal.


 * 05 Nov 2008 - Finished incorporating all reviewer comments.


 * 22 Oct 2008 - Wiki updates; project near 100% completion.


 * 14 Jul 2008 - Project wiki created and under construction.

Mentions in the Media
ModSecurity Blog

http://blog.modsecurity.org/2008/10/securing-webgoat-using-modsecurity.html

OWASP EU Summit in Portugal: Thursday

http://denimgroup.typepad.com/denim_group/2008/11/owasp-eu-summit-in-portugal-thursday.html

OWASP Podcast #2 Securing Webgoat with ModSecurity

http://manicode.blogspot.com/2008/12/owasp-podcast-2-securing-webgoat-with.html

Waffing: ModSecurity applied

http://swende.se/index.php?/archives/26-Waffing-ModSecurity-applied.html

WebGoat, Lua, and ModSecurity verses Password Guessing

http://blog.securitymonks.com/2009/01/10/webgoat-lua-and-modsecurity-verses-password-guessing/

Contacts
stephencraig_dot_evans_at_gmail_dot_com