Saturday, September 17, 2005

Hands on security training

It's at least very hard, if not impossible, to learn how to recognize security problems in applications without seeing what they look like. Knowing how they work (what the vulnerability is) is all well and good but the practical aspect of seeing what caused the vulnerability is, to steal a phrase, priceless. To that end the Open Web Application Security Project (OWASP) has created a demonstration application called WebGoat. Why do that? Well OWASP believes that although there are plenty of live applications out there you could learn on, it isn't really advisable or ethical to attack an application without permission, regardless of your intent.

What does WebGoat do? Here's part of the description exerpted from the project home page.
WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.

No comments: