Difference between revisions of "OWASP Security Shepherd"

From OWASP
m (Fixing Links)
(12 intermediate revisions by one user not shown)
Line 1: Line 1:
 
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]
 
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]
'''Security Shepherd''' is a CBT-like (Cognitive behavioral therapy) application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
+
'''Security Shepherd''' is a computer based training application for web application security vulnerabilities. This project strives to hurde the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.
  
 
== Overview ==
 
== Overview ==
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]]
+
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]
 
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
 
Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The bi-product of this challenge game is the acquired skill to harden a players own environment from OWASP top ten security risks The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.
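Review bot: the new intro's "computer based training" wording fixes the CBT mislabel, but the spelling errors carried over from the old side remain: "hurde" should be "herd", "practises" should be "practices", both image captions still read "explainations", and in the Overview paragraph "a players own environment from OWASP top ten security risks The modules" needs "player's" and a full stop before "The modules".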
  
Line 33: Line 33:
 
The aims of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be syncronised seemlessly.
 
The aims of Security Shepherd's future development is to allow level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be syncronised seemlessly.
  
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away.
+
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..
 
+
==Downloads==
+
 
+
Security Shepherd downloads are available at [http://code.google.com/p/owasp-security-shepherd/downloads/list Security Shepherd Google code downloads]. 
+
 
+
You can synch to the current Security Shepherd source tree at [http://code.google.com/p/owasp-security-shepherd/ Google code].
+
  
 
==Releases==
 
==Releases==
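Review bot: the new side of the roadmap sentence ends in a doubled full stop ("right away.."); drop one. The "Downloads" section deleted here is re-added after "Releases" in the following hunk, so this is a move rather than a removal, which the edit summary "Fixing Links" does not mention. On both sides "syncronised seemlessly" should be "synchronised seamlessly".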
Line 57: Line 51:
 
     * Deploy the core.war and exposed.war on your application server(s)
 
     * Deploy the core.war and exposed.war on your application server(s)
 
     * Run the core.sql and exposed.sql scripts in your database servers(s) as root users
 
     * Run the core.sql and exposed.sql scripts in your database servers(s) as root users
    * Default user is admin/password (You'll have to change the password upon login)
 
 
     * Point your browser at the core application (eg: https://localhost:8080/core)
 
     * Point your browser at the core application (eg: https://localhost:8080/core)
 
     * Default user is admin/password (You'll have to change the password upon login)
 
     * Default user is admin/password (You'll have to change the password upon login)
     * Through the admin configuration tools, set the URL's for the exposed application server and database servers
+
     * Through the admin configuration tools, set the URL's for the application servers and sign on information for your databases
 +
 
 +
==Downloads==
 +
 
 +
Security Shepherd downloads are available at [http://code.google.com/p/owasp-security-shepherd/downloads/list Google Code] and [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]. The deployments that require no server set up are quite big and are only available on Source Forge due to size constraints.
 +
 
 +
You can synch to the current Security Shepherd source tree at [http://code.google.com/p/owasp-security-shepherd/ Google code]
 +
 
 +
Note: Source code and Manual Installation Packs are in the process of been uploaded. Stay tuned...
  
 
== Project Contributors ==
 
== Project Contributors ==
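Review bot: the rewritten last manual-install step asks the administrator for "sign on information for your databases" directly after a step that runs core.sql and exposed.sql as root; the step should say that the credentials entered in the admin tools belong to a dedicated application account and not to the root account used for the install scripts, otherwise the separation between the core and exposed services that the Releases section relies on is weakened. Smaller points in the same hunk: "servers(s)" should be "server(s)", "URL's" should be "URLs", "synch" should be "sync", and "in the process of been uploaded" should be "being uploaded".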
Line 67: Line 68:
  
 
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and [http://www.dit.ie DIT] for allowing me to donate this project to the OWASP community.
 
This project was initially created as part of my BSc. Thanks to Dr.Fred Mtenzi and [http://www.dit.ie DIT] for allowing me to donate this project to the OWASP community.
 +
 +
== Events with Security Shepherd ==
 +
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]
 +
 +
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like DIT and the Dublin TOG hackerspace. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.
 +
 +
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]
 +
* Security Shepherd's platform will be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September
 +
* Security Shepherd's platform will be used to manage the IRISS security conference in October
  
 
[[Category:OWASP Project|Security Shepherd Project]]
 
[[Category:OWASP Project|Security Shepherd Project]]
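Review bot: in the added Events list, "Security Shepherd was used as the OWASP Dublin Hackathon 2012" is missing a preposition ("used at" or "used for"), and "will be used to manage the IRISS security conference in October" reads as if the platform runs the conference itself; the wording of the preceding bullet ("manage the ... CTF") is presumably what is meant.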

Revision as of 11:16, 23 August 2012

Detailed vulnerability explanations
Competitive Learning Environment

Security Shepherd is a computer based training application for web application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.

Overview

Easy configuration to suit every use

Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, whereas a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment against OWASP top ten security risks. The modules have been crafted to provide a challenge not only for a security novice, but for security professionals as well.

Security Shepherd's vulnerabilities are not simulated; they are delivered through hardened, real security vulnerabilities that cannot be abused to compromise the application or its environment. Many of these levels include insufficient protections against these vulnerabilities, such as blacklist filters and poor security configuration. Security Shepherd includes everything you need to complete all of its levels, including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.
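As an added illustration (not code from the Security Shepherd project), the following Python snippet shows the contrast an injection lesson teaches: a lookup that concatenates user input into the SQL text beside the parameterised form that fixes it. A blacklist filter in front of the first function would be the kind of "insufficient protection" the paragraph mentions; the second function needs no filter because the input is bound as data. It uses Python's built-in sqlite3 against an in-memory table; the table contents and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for a lesson's backing table.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' pattern: user input is spliced into the SQL string,
    so the input can change the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds the input as a value, so it is
    only ever compared as data and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report the row counts."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "hardened_rows": len(lookup_hardened(conn, name)),
    }


if __name__ == "__main__":
    print(compare("alice"))
    # The classic tautology string: the concatenated query returns every row,
    # the parameterised one returns none because no user has that literal name.
    print(compare("' OR '1'='1"))
```

The hardened function is the pattern a PreparedStatement gives you in the Java/Tomcat stack Security Shepherd runs on; the same two-line difference applies there.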

CTF Mode

Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time; they must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes is enabled, the scoreboard becomes available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.

User Management

Security Shepherd includes a user friendly method for administrators to create many users at a time, as well as an optional open registration system. Users' activities are logged, allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time, and how much time has been actively spent on a challenge.
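As an added example, not Security Shepherd's own code or log format, here is how the activity data described in the CTF Mode and User Management sections could be mined. A constructed activity log (one event per line, with an assumed `timestamp user event [module]` layout) is parsed to answer who was online at a given time, how long each user actively spent on each module, and what the scoreboard looks like when the first, second and third completion of a module earn a bonus. The base and bonus point values are assumptions for the example, not the project's.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (assumed layout, not real Shepherd output):
# <ISO timestamp> <user> <event> [<module>]
SAMPLE_LOG = """\
2012-08-23T10:00:05 alice login
2012-08-23T10:00:20 alice start SQLi-1
2012-08-23T10:01:00 bob login
2012-08-23T10:02:10 bob start SQLi-1
2012-08-23T10:07:40 alice complete SQLi-1
2012-08-23T10:08:00 alice start XSS-1
2012-08-23T10:12:00 bob complete SQLi-1
2012-08-23T10:15:00 carol login
2012-08-23T10:15:30 carol start SQLi-1
2012-08-23T10:20:00 carol complete SQLi-1
2012-08-23T10:21:00 alice complete XSS-1
2012-08-23T10:25:00 bob logout
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, user, event, module) tuples, sorted by time.
    Malformed lines raise rather than being silently skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"malformed log line: {line!r}")
        module = parts[3] if len(parts) == 4 else None
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], module))
    events.sort(key=lambda e: e[0])
    return events


def online_at(events: list, when) -> set:
    """Users with a login and no later logout before the given time (ISO string or datetime)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    online = set()
    for ts, user, event, _ in events:
        if ts > when:
            break  # events are sorted, nothing later matters
        if event == "login":
            online.add(user)
        elif event == "logout":
            online.discard(user)
    return online


def time_on_module(events: list) -> dict:
    """Seconds between a user's 'start' and 'complete' of each module."""
    started, spent = {}, {}
    for ts, user, event, module in events:
        key = (user, module)
        if event == "start":
            started[key] = ts
        elif event == "complete" and key in started:
            spent[key] = int((ts - started.pop(key)).total_seconds())
    return spent


def scoreboard(events: list, base_points: int = 10, bonuses=(3, 2, 1)) -> dict:
    """Points per user: base_points per completed module plus a bonus for the
    first, second and third user to complete that module (assumed values)."""
    finishers = defaultdict(list)
    points = defaultdict(int)
    for _, user, event, module in events:
        if event != "complete" or user in finishers[module]:
            continue  # only the first completion of a module by a user counts
        rank = len(finishers[module])
        finishers[module].append(user)
        points[user] += base_points + (bonuses[rank] if rank < len(bonuses) else 0)
    return dict(sorted(points.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("online at 10:10:", sorted(online_at(evs, "2012-08-23T10:10:00")))
    print("time on module:", time_on_module(evs))
    print("scoreboard:", scoreboard(evs))
```

Because the events are sorted once in `parse_log`, each of the three queries is a single linear pass, which is what you want when the log grows to a day-long event with dozens of players.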

Topic Coverage

The Security Shepherd project covers the following web application security topics:

Future Development

New levels or level ideas are wanted in the highest degree. If you wish to contribute a level or even an idea, contact Mark Denihan at mark.denihan@owasp.org.

The aim of Security Shepherd's future development is to make level contribution easier through the creation of a "Challenge Builder" framework. It is also desirable to implement an automatic updating solution so that new levels that become available across new releases can be synchronised seamlessly.

Check out the project roadmap and find some tasks that you can help with right away.

Releases

Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that dictates how the application runs. There is also an exposed application and database service that runs all of the server side vulnerability examples. If these exposed services are compromised, the core service can continue to run unaffected.

Security Shepherd is written in Java and is compiled into a web application archive (WAR), and therefore can be run on any platform with a Java virtual machine and a web application server like Tomcat. To eliminate tedious environment configuration, there is a Security Shepherd portable environment. This environment includes Tomcat/MySQL servers and scripts that can be used to stand them up automatically. This portable environment is currently only available for Windows environments (32bit and 64bit). Development for other operating systems is ongoing.

Security Shepherd 1.2:

The standard release is a single download, unrar, and click-to-run release. This release is currently only available for Windows operating systems.

   * Double-click on the startServers.bat - Two Tomcat and two MySQL command windows will start
   * Browse to https://localhost:8080/
   * Default user is admin/password (You'll have to change the password upon login)

Security Shepherd 1.2 Manual:

The manual release is a single download, unrar, and follow the steps release.

   * Deploy the core.war and exposed.war on your application server(s)
   * Run the core.sql and exposed.sql scripts on your database server(s) as the root user
   * Point your browser at the core application (eg: https://localhost:8080/core)
   * Default user is admin/password (You'll have to change the password upon login)
   * Through the admin configuration tools, set the URLs for the application servers and the sign-on information for your databases

Downloads

Security Shepherd downloads are available at Google Code and Source Forge. The deployments that require no server setup are large and are only available on Source Forge due to size constraints.

You can sync to the current Security Shepherd source tree at Google Code.

Note: Source code and Manual Installation Packs are in the process of being uploaded. Stay tuned...

Project Contributors

The Security Shepherd project is run by Mark Denihan. He can be contacted at mark.denihan@owasp.org. Security Shepherd distributions are currently maintained on SourceForge and Google Code. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd mailing list.

This project was initially created as part of my BSc. Thanks to Dr. Fred Mtenzi and DIT for allowing me to donate this project to the OWASP community.

Events with Security Shepherd

Over 60 people playing the CTF at HackDub2012

The Security Shepherd application has been tried and tested across a number of Beta runs in venues like DIT and the Dublin TOG hackerspace. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training.