Difference between revisions of "OWASP WebGoat Project Roadmap"

From OWASP
Jump to: navigation, search
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The project's overall goal is to...
+
<webgoat/>The project's overall goal is to...
  
 
   Be the defacto standard web application security training environment
 
   Be the defacto standard web application security training environment
Line 6: Line 6:
  
 
# Demonstrate most common web application security vulnerabilities
 
# Demonstrate most common web application security vulnerabilities
# Increase ease-of-use and expand userbase
+
# Add educational support for secure coding practices
 +
# Enhance enterprise lesson tracking
 
# Attract more contributions of lessons
 
# Attract more contributions of lessons
 +
# Revisit existing lesson base to standardize lesson theme.
 +
# Increase ease-of-use and expand user base
  
 
Here are the current tasks defined to help us achieve these goals
 
Here are the current tasks defined to help us achieve these goals
  
* one
+
'''Architectural'''
* two
+
* Replace basic authentication with forms based authentication
 +
* Rewrite all lessons to follow common theme using common database
 +
* Rewrite user administration to allow better user management (non-hackable)
 +
* Fix Logoff
 +
* Defuse all lessons to disallow inadvertent harm to user's OS
  
{{Template:Stub}}
+
'''General'''
 +
* General security cleanup. Remove exploits that are not lesson specific
 +
* Remove non working lessons
 +
*
 +
 
 +
'''New Lessons'''
 +
* Server side forward allows access to WEB-INF resources
 +
* Account enumeration using webscarab
 +
* SQLException lesson - could tie into overall error handling
 +
* XML attacks - Entity recursion, ...
 +
 
 +
For more information contact Bruce Mayhew at webgoat at owasp dot org
  
 
[[Category:OWASP WebGoat Project]]
 
[[Category:OWASP WebGoat Project]]

Latest revision as of 10:50, 4 January 2011

<webgoat/>The project's overall goal is to...

 Be the defacto standard web application security training environment

In the near term, we are focused on the following tactical goals...

  1. Demonstrate most common web application security vulnerabilities
  2. Add educational support for secure coding practices
  3. Enhance enterprise lesson tracking
  4. Attract more contributions of lessons
  5. Revisit existing lesson base to standardize lesson theme.
  6. Increase ease-of-use and expand user base

Here are the current tasks defined to help us achieve these goals

Architectural

  • Replace basic authentication with forms based authentication
  • Rewrite all lessons to follow common theme using common database
  • Rewrite user administration to allow better user management (non-hackable)
  • Fix Logoff
  • Defuse all lessons to disallow inadvertent harm to user's OS

General

  • General security cleanup. Remove exploits that are not lesson specific
  • Remove non working lessons

New Lessons

  • Server side forward allows access to WEB-INF resources
  • Account enumeration using webscarab
  • SQLException lesson - could tie into overall error handling
  • XML attacks - Entity recursion, ...

For more information contact Bruce Mayhew at webgoat at owasp dot org