https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Mark+DenihanOWASP - User contributions [en]2026-05-16T08:49:47ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=244150OWASP Security Shepherd2018-10-11T15:03:27Z<p>Mark Denihan: /* Setup Help */ Updated</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes more than seventy levels - across the entire spectrum of Web and mobile application security - within a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect entry point for users completely new to security, with levels increasing in difficulty at a manageable pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept, when first addressed in Shepherd, is presented using plain language, so it can be readily understood by beginners.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself or there are various public instances (eg: [https://community.ctf365.com/t/owasp-security-shepherd/357 CTF365])<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
[[File:Axway logo.png|none|thumb|243x243px]]<br />
<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
Use our [https://github.com/OWASP/SecurityShepherd/wiki Github Wiki page] for the best Setup Help going!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=244148OWASP Security Shepherd2018-10-11T14:13:19Z<p>Mark Denihan: /* Classifications */ Adding Axway to Sponsors List</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes more than seventy levels - across the entire spectrum of Web and mobile application security - within a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect entry point for users completely new to security, with levels increasing in difficulty at a manageable pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept, when first addressed in Shepherd, is presented using plain language, so it can be readily understood by beginners.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself or there are various public instances (eg: [https://community.ctf365.com/t/owasp-security-shepherd/357 CTF365])<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
[[File:Axway logo.png|none|thumb|243x243px]]<br />
<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=File:Axway_logo.png&diff=244147File:Axway logo.png2018-10-11T14:11:52Z<p>Mark Denihan: </p>
<hr />
<div>Axway Logo</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=225546OWASP Security Shepherd2017-01-24T11:11:42Z<p>Mark Denihan: /* FAQs */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself or there are various public instances (eg: [https://community.ctf365.com/t/owasp-security-shepherd/357 CTF365])<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=224868OWASP Security Shepherd2017-01-10T09:18:38Z<p>Mark Denihan: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=224867OWASP Security Shepherd2017-01-10T09:16:05Z<p>Mark Denihan: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=224866OWASP Security Shepherd2017-01-10T09:03:35Z<p>Mark Denihan: Adding Flagship Status from successful graduation review: https://docs.google.com/document/d/1AZZ_GZR0-uF1qBZDQdgdV49IyEZYT_91qQMHRGszDLw/edit</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:flagship_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [January 2017] Shepherd Graduates to Flagship<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=202616OWASP Security Shepherd2015-10-24T13:27:36Z<p>Mark Denihan: Replacing Download Links to GitHub Release Page</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 OWASP Security Shepherd GitHub Downloads]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [October 2015] Shepherd v3.0 Released<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it from the [[https://github.com/OWASP/SecurityShepherd/releases/tag/v3.0 GitHub Release Page]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=202571OWASP Security Shepherd2015-10-23T17:30:47Z<p>Mark Denihan: /* Setup Help */ Updating to V3</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [October 2015] Shepherd v3.0 Released<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v3.0 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hypervisor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Module Management-> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.4 to Version 3.0:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4toV3.sql Upgrade Core Schema Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.4 war file with the new V3.0 war file.<br />
* Run the moduleSchemas.sql script from the manual pack on your Security Shepherd mysql instance<br />
* Install mongoDb and then run the mongoSchema.js file on that instance, using the default port for mongoDb<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v3.0 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* To setup and install MonogoDB for the NoSQL Injection Level found in shepherd, follow the steps to install here: https://docs.mongodb.org/manual/tutorial/install-mongodb-on-windows/<br />
* Use the MongoDB shell to execute the mongoSchema.js file: https://docs.mongodb.org/manual/reference/method/load/<br />
<br />
Time to Play!<br />
<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=File:Shepherd-CTF-Level-One.JPG&diff=202569File:Shepherd-CTF-Level-One.JPG2015-10-23T17:25:56Z<p>Mark Denihan: Mark Denihan uploaded a new version of &quot;File:Shepherd-CTF-Level-One.JPG&quot;</p>
<hr />
<div>Screen shot of the first level in the OWASP Security Shepherd project when deployed as a CTF game</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=File:Shepherd-Injection-Lesson.JPG&diff=202568File:Shepherd-Injection-Lesson.JPG2015-10-23T17:24:41Z<p>Mark Denihan: Mark Denihan uploaded a new version of &quot;File:Shepherd-Injection-Lesson.JPG&quot;</p>
<hr />
<div>Screen shot of the OWASP Security Shepherd SQL Injection Lesson</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=202567OWASP Security Shepherd2015-10-23T16:48:18Z<p>Mark Denihan: Adding news and Features</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Localisation Support: ''' Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [October 2015] Shepherd v3.0 Released<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=202176OWASP Security Shepherd2015-10-16T07:34:26Z<p>Mark Denihan: /* Videos */ Adding Admin Function Walkthroghs</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|uWk0NOSpyQc}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|0jTWVLSGbPk}}&nbsp;<br />
{{#ev:youtube|sb8KQV6morY}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|8mlY4ob757s}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201715OWASP Security Shepherd2015-10-05T20:38:12Z<p>Mark Denihan: *Adding Roadmap*</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
== Security Shepherd Road Map ==<br />
Security Shepherd wants to be as highly usable as we can achieve. Our primary objective is currently to achieve full language localisation support for the entire application. Currently we have covered the main pages users would interact with. We actively need volunteers to take part in the translation process. If you are interested in getting involved please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/How-to-Create-a-Web-Shepherd-Level How to Add a New Language to Security Shepherd].<br />
<br />
Our long term goals are to cover as many web and mobile application security risks as possible. If you are interested in getting involved in adding levels to Security Shepherd, please check out our [http://bit.ly/securityShepherdGithub GitHub] Wiki describing [https://github.com/OWASP/SecurityShepherd/wiki/Adding-a-new-Language-to-Shepherd How to Make a Security Shepherd Level]. For the Latest and Greatest short term goals. Please see the [https://github.com/OWASP/SecurityShepherd/issues issues page in our GitHub].<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201625OWASP Security Shepherd2015-10-05T07:54:56Z<p>Mark Denihan: /* Contributors */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Natalia Lopez<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201624OWASP Security Shepherd2015-10-05T07:52:33Z<p>Mark Denihan: /* FAQs */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q Can I Re-Skin Shepherd and then Train People With it?<br />
: A Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q Where can I access Security Shepherd?<br />
: A You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q Where can I download Security Shepherd?<br />
: A You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
; Q How can I run Shepherd on my network safely?<br />
: A just boot up the VM, install it manually or with Docker. The Security Shepherd application cannot be exploited to compromise the security of its environment. Make sure you patch your VM regularly to prevent intrusion to the host machine though.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201507OWASP Security Shepherd2015-10-02T09:32:05Z<p>Mark Denihan: /* Videos */ Adding Mobile VM Setup Video</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|yppMkJRp4pk}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201235OWASP Security Shepherd2015-09-28T16:33:18Z<p>Mark Denihan: /* Contributors */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Lei Shao<br />
* Aidan Knowles<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|-brsnYrksAI}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201234OWASP Security Shepherd2015-09-28T16:31:41Z<p>Mark Denihan: /* Recent News and Events */ Adding AppSec USA Lines</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [September 2015] Shepherd Lightning Training @ AppSecUSA 2015<br />
* [September 2015] Shepherd @ AppSecUSA 2015 Project Summit<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|-brsnYrksAI}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201233OWASP Security Shepherd2015-09-28T16:29:22Z<p>Mark Denihan: /* Videos */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|-brsnYrksAI}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=201232OWASP Security Shepherd2015-09-28T16:28:48Z<p>Mark Denihan: /* Videos */ Adding AppSec Videos</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
{|<br />
|-<br />
{{#ev:youtube|ZgqAXdwNeCI}}&nbsp;<br />
{{#ev:youtube|brsnYrksAI}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=200488OWASP Security Shepherd2015-09-13T15:55:24Z<p>Mark Denihan: Adding a couple of Videos</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
=Videos=<br />
{|<br />
|-<br />
{{#ev:youtube|8mlY4ob757s}}&nbsp;<br />
{{#ev:youtube|uWk0NOSpyQc}}<br />
|}<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=196878OWASP Security Shepherd2015-07-02T09:26:10Z<p>Mark Denihan: Reordering Content</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
== Why use Security Shepherd? ==<br />
<br />
'''Wide Topic Coverage: ''' Shepherd includes over seventy levels across the entire spectrum of Web and Mobile application security under a single project.<br />
<br />
'''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
<br />
'''Layman Write Ups: ''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
<br />
'''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack <br />
vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
<br />
'''Scalability: ''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
<br />
'''Highly Customisable: ''' Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)<br />
<br />
'''Perfect for Classrooms: ''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
<br />
'''Scoreboard: ''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
<br />
'''User Management: ''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
<br />
'''Robust Service: ''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
<br />
'''Configurable Feedback: ''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
<br />
'''Granular Logging: ''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=196596Category:OWASP Project2015-06-26T17:10:03Z<p>Mark Denihan: /* Documentation [In Progress-Results by February/March 2015] */ Sorting Alphabetically</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
|<br />
| align="right" | <br />
<br />
|}<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
= Welcome =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
<br />
=== Welcome to the OWASP Global Projects Page ===<br />
<br />
An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 142 active projects, and new project applications are submitted every week. <br />
<br />
This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page. A summary of recent project announcements is available on the [[OWASP Updates]] page. <br />
<br />
Download the '''[[Media:PROJECT_LEADER-HANDBOOK_2014.pdf|OWASP Project Handbook 2014]]'''<br />
<br />
'''[[OWASP_2014_Project_Handbook|OWASP Project Handbook Wiki 2014]]'''<br />
<br />
Download the '''[[Media:OWASP_Projects_Handbook_2013.pdf|OWASP Projects Handbook 2013]]'''<br />
<br />
'''[[Project_Online_Resources|Project Online Resources]]'''<br />
<br />
=== Who Should Start an OWASP Project? ===<br />
<br />
*Application Developers. <br />
*Software Architects. <br />
* Information Security Authors. <br />
*Those who would like the support of a world wide professional community to develop or test an idea.<br />
*Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer.<br />
<br />
=== Contact Us===<br />
<br />
If you have any questions, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us] by using the form provided here. Please allow five working days for your question or comment to be answered. This is due to the large amount of queries the foundation staff receive every day. We thank you for your patience. <br />
<br />
=== OWASP Project Inventory ===<br />
<br />
All OWASP tools, document, and code library projects are organized into the following [[OWASP_Project_Stages|categories:]] <br />
<br />
* '''[[OWASP_Project_Inventory#Flagship_Projects|Flagship Projects:]]''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
* '''[[OWASP_Project_Inventory#Labs_Projects|Lab Projects:]]''' OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. <br />
<br />
* '''[[OWASP_Project_Inventory#Incubator_Projects|Incubator Projects:]]''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.<br />
<br />
=== Social Media ===<br />
<br />
We recommend using the links below to find our official OWASP social media channels. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world. They are all updated regularly by chapter leaders, project leaders, the OWASP Board Members, and our OWASP Staff. If you have any questions or concerns about any of these accounts, please drop us a line using our [http://www.tfaforms.com/308703 "Contact Us"] form found above. <br />
<br />
[[Image:Blogger-32x32.png|32px|link=http://owasp.blogspot.co.uk/]] [[Image:Twitter-32x32.png|32px|link=https://twitter.com/OWASP]] [[Image:Facebook-32x32.png|32px|link=https://www.facebook.com/groups/172892372831444/]] [[Image:Linkedin-32x32.png|32px|link=http://www.linkedin.com/groups/Global-OWASP-Foundation-36874]] [[Image:Google-32x32.png|32px|link=https://plus.google.com/u/0/communities/105181517914716500346?cfem=1]] [[Image:Ning-32x32.png|32px|link=http://myowasp.ning.com/]]<br />
<!-- Twitter Box --> <br />
</font><br />
<br />
|}<br />
<br />
| style="border: 3px solid rgb(204, 204, 204); vertical-align: top; width: 95%; font-size: 95%; color: rgb(0, 0, 0);" | <br />
<div style="padding:2em;padding-bottom:0px;"><!-- DON'T REMOVE ME, I'M STRUCTURAL; also 2 empty lines between images --><br />
<br />
<br />
[[Image:New_initiatives.png|center|300px| link=http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing]] <br />
<br />
<br />
[[Image:Donate_here_banner.png|center|300px| link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
</div><br />
<br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
<br />
= Project Inventory =<br />
<font size=2pt><br />
<br />
The Project Dashboard lists the all project information at a glance, including release links, the current status of the project and project leader contact information. The Project Dashboard can be found here: https://www.owasp.org/index.php/OWASP_Project_Dashboard<br />
<br />
==Flagship Projects==<br />
[[File:Flagship_banner.jpg]]<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
After a major review process [[https://www.owasp.org/index.php/LAB_Projects_Code_Analysis_Report More info here]] the following projects are considered to be flagship candidate projects. These project have been evaluated more deeply to confirm their flagship status:<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
==Labs Projects==<br />
[[File:Lab banner.jpg]]<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[O-Saft|O-Saft]]<br />
* [[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Ninjas_AppSec_Training_Program OWASP Security Ninjas Appsec Training]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
* [[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[OWASP_Cornucopia|OWASP Cornucopia]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
[[File:low_activity.jpg]]<br />
<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
'''Code [Low Activity]'''<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
* [[OWASP_Joomla_Vulnerability_Scanner_Project]]<br />
<br />
'''Documentation [Low Activity]'''<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
==Incubator Projects==<br />
[[File:Incubator_banner.jpg]]<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed March 2015]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]<br />
<br />
<br />
=====Code: Low Activity=====<br />
<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]]<br />
<br />
====Research====<br />
* [[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]]<br />
<br />
====Tools [Reviewed last: May 2015]====<br />
* [[OWASP_Wordpress_Vulnerability_Scanner_Project | OWASP Wordpress Vulnerability Scanner]]<br />
* [[OWASP_Threat_Dragon | OWASP Threat Dragon]]<br />
* [[OWASP_Security_Knowledge_Framework#tab=Main | Security Knowledge Framework]]<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]]<br />
* [[OWASP_Droid10_Project|OWASP Droid]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
*[[Benchmark|OWASP WebGoat Benchmark]]<br />
*[[OWASP_WAP-Web_Application_Protection|WAP Web Application_Protection]]<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] <br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] <br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] <br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] <br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]]<br />
<br />
====Documentation[Review: May 2015]====<br />
*[[OWASP Automated Threats to Web Applications]]<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
* [[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
<br />
==Educational Initiatives==<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
<br />
==Donated Projects==<br />
<br />
OWASP Donated Projects are inactive projects that have been donated to the OWASP Projects Infrastructure. <br />
<br />
====Tools====<br />
<br />
* [[OWASP_Excess_XSS_Project|OWASP Excess XSS Project]]<br />
* [[OWASP_JOTP_Project|OWASP jOTP Project]]<br />
<br />
==OWASP Archived Projects==<br />
OWASP Archived Projects are projects that have developed outside OWASP umbrella or have become inactive. If you are interested in pursuing any of the inactive projects (click hyperlink for list), please contact us and let us know of your interest.<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_Project_Archived_Projects<br />
<br />
= Project Task Force =<br />
<br />
<br />
====OWASP Project Task Force====<br />
<br />
{{:Task_Force/OWASP_Projects}}<br />
<br />
= Online Resources =<br />
<br />
===Project Online Resources===<br />
<br />
{{:Project_Online_Resources}}<br />
<br />
<br />
= Starting a New Project =<br />
<font size=2pt><br />
== So you want to start a project... ==<br />
<br />
Starting an OWASP project is quite easy, and your desire to contribute and make it happen is essential.<br />
[[File:HowToStartProjectoWasp.png | 600px | right]]<br />
<br />
Here are some of the guidelines for running a successful OWASP project:<br />
<br />
-Start exploring the actual OWASP projects Inventory. Many projects handle specific areas of security it is a good idea to start looking how other successful projects do this (LABS/Flagship)<br />
<br />
-Place your idea or project on the [https://www.owasp.org/index.php/Project_Ideas_Board#From_Idea_to_Project_Incubator Project Ideas Board].This phase will help you to define the project goals and also explore and exchange with other OWASP leaders and volunteers how to develop the idea into a tangible project<br />
<br />
-Explore and research if your idea covers a unique segment in the Security arena.Think of your project as a product, if you really want people using it, think how this project will cover a necessity in the security area you are working on <br />
<br />
-Define what kind of project you would like to start. Is it a code, tool or documentation?<br />
<br />
-Communicate through the Project leader mailing list about your idea and get feedback and meet potential contributors<br />
<br />
-Develop your project based on the type of project. For example if you are willing to start a documentation project, begin by defining a Table of Content and work it through with potential contributors. First of all begin by creating a Road-map for your project. This is essential to submit your project. We highly recommend to read documentation such as "[http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf How to start /run a successful Open Source Projects]". <br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 500px | left]]<br />
<br />
Some recommendations on how to start a documentation project<br />
[[https://www.owasp.org/index.php/File:Document_Guide_(1).png| Document Guide Project]]<br />
<br />
===Importance of a well thought out Road-map===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
* Start defining a development, documentation and marketing plan for your project. Set short , medium and long term plans. Include promotion of your project, this is very important in order to engage users and consumers of your project. Contact project coordinator and the Project Task Force to help you achieve this goal. You ''can'' run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.<br />
<br />
* You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.<br />
<br />
* Available Grants to consider if you need funding - [[Grants|Click Here]]<br />
<br />
* You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!<br />
<br />
== Creating a new project ==<br />
Once you have passed the Project Ideas phase, then you will be ready to start a new project<br />
To Submit your project please use the following form<br />
. [http://www.tfaforms.com/263506 Please submit a new project application here].<br />
<br />
<br />
* You will need to gather the following information together for your application:<br />
A - PROJECT<br />
# Project Name,<br />
# Project purpose / overview,<br />
# Project Roadmap,<br />
# Project links (if any) to external sites,<br />
# [[Guidelines_for_OWASP_Projects#Project_Licensing|Project License],]<br />
# Project Leader name,<br />
# Project Leader email address,<br />
# Project Leader wiki account - the username (you'll need this to edit the wiki),<br />
# Project Contributor(s) (if any) - name email and wiki account (if any),<br />
# Project Main Links (if any).<br />
# For Documentation: A table of Contents<br />
# For Code: A prototype hosted in an open source repository of your choice. Make sure it has read access.<br />
<br />
* Check out the '''[[Guidelines for OWASP Projects]]'''.<br />
* [[Grant_Spending_Policy|Grant Spending Policy]]<br />
* [[Project_Spending_Policy|Project Spending Policy]]<br />
* [[Project_Sponsorship_Operational_Guidelines|Project Sponsorship Operational Guidelines]]<br />
<br />
==OWASP Recommended Licenses==<br />
<br />
{{Recommended_Licenses}}<br />
<br />
==Funding your Project==<br />
An OWASP project does not receive any funding for development at project inception; however, a new project does have the opportunity to submit a request to receive funds if they are available for the year. Additionally, project leaders have the option of seeking sponsorship from outside organizations, but project leaders are required to seek funding through their own initiative. Please contact the OWASP Projects Manager for more information. <br />
<br />
== Project Release ==<br />
<br />
As your project reaches a point that you'd like OWASP to assist in its promotion, the will need the following information to help spread the word about your project:<br />
<br />
# Short 5 sentence paragraph outlining what your project is about, what you hope to accomplish with your project, what value your project brings to software security, and contributor and project leader names and contact information.<br />
# Link to your wiki page.<br />
# Link to your code repository or a link to where readers can download your project.<br />
# Latest Release description answering the following questions: What is it?, What does it do?, Where can I get it?, Who should I contact if something goes wrong?.<br />
<br />
==Project Process Forms==<br />
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastructure. They facilitate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form. <br />
<br />
* [http://www.tfaforms.com/264422 Project Transition Application]:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project. <br />
<br />
* [http://www.tfaforms.com/264413 Project Review Application]:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time. <br />
<br />
* [http://www.tfaforms.com/264418 Project Donation Application]:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.<br />
<br />
* [http://www.tfaforms.com/264428 Project Adoption Request]:This form is used when someone is interested in adopting an archived project. <br />
<br />
* [http://www.tfaforms.com/264426 Project Abandonment Request]:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.<br />
<br />
* [http://www.tfaforms.com/264392 Incubator Project Graduation Application]:This application form is for Incubator Projects to apply for Labs Project status.<br />
<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project Project Request (Bangladesh)]:For Information Security Project contact with OWASP Bangladesh Project Leader [[S. M. Shezan]][http://www.facebook.com/smshezan]<br />
<br />
= Project Assessments =<br />
<font size=2pt><br />
==OWASP Project Lifecycle==<br />
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.<br />
<br />
<br />
====The OWASP Project Lifecycle is broken down into the following stages:====<br />
<br />
'''Incubator Projects''': OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.<br />
<br />
'''Lab Projects''': OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process. <br />
<br />
'''Flagship Projects''': The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.<br />
<br />
'''Code Projects''': OWASP code projects are very important for the cyber security solutions. Because these projects are used to find out the application security problems and try to solve those problems. Best code project is [[OWASP System Vulnerable Code Project]] and best project leader is [http://www.facebook.com/smshezan S. M. Shezan]<br />
<br />
== OWASP Project Stage Benefits==<br />
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.<br />
<br />
'''Incubator'''<br />
* Financial Donation Management Assistance <br />
* Project Review Support<br />
* WASPY Awards Nominations<br />
* OWASP OSS and OPT Participation<br />
* Opportunity to submit proposal: $500 for Development.<br />
* Community Engagement and Support<br />
* Recognition and visibility of being associated with the OWASP Brand.<br />
<br />
'''Labs'''<br />
* All benefits given to Incubator Projects <br />
* Technical Writing Support<br />
* Graphic Design Support<br />
* Project Promotion Support<br />
* OWASP OSS and OPT: Preference<br />
<br />
'''Flagship'''<br />
* All benefits given to Incubator & Labs Projects<br />
* Grant finding and proposal writing help<br />
* Yearly marketing plan development<br />
* OWASP OSS and OPT participation preference<br />
<br />
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.<br />
<br />
== Project Monitoring Incubator/Documentation ==<br />
Every 6 months, a project monitoring assessment takes place to evaluate if projects had any releases during this period.A warning will be sent to projects without any activity in 90 days and after 180 days, the project will be set automatically as inactive.<br />
You can set your project active at any time, as long as:<br />
* There has been commits to the project's open repository or<br />
* There has been a beta release of the documentation produced so far or<br />
* Provide a detailed Roadmap <br />
<br />
===Importance of a well thought out Roadmap===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 600px]]<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
==Project Monitoring for LABS/Flagship==<br />
These project represent the best OWASP has to offer, therefore monitoring of these projects is closely supervised.<br />
===For Code and Tools===<br />
For projects holding Flagship status, we closely monitor their health every 6 months on the following, among other key indicators:<br />
*Can the project be built correctly?<br />
*Does the project has any activity(commits) in the last 6 months?<br />
*Does the project had any releases in the last 6 months?<br />
*Has the project leaders updated his wiki or website to reflect latest releases?<br />
===For Documentation===<br />
For this part, we are working on the development of an adequate assessment criteria<br />
The following is a draft of the new process proposal: [[https://www.owasp.org/index.php/File:Qualitative_and_Quantitative_Content_Audit.pdf Proposal for Reviewing OWASP Document projects]]<br />
<br />
== OWASP Project Graduation==<br />
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must receive a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Graduation Criteria Checklist]<br />
<br />
==OWASP Project Health Assessment==<br />
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation for projects going from Incubator to LAB and from LAB to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Health Assessment Criteria Document]. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
==OWASP Project Deliverable/Release Assessment==<br />
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception. <br />
<br />
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Deliverable/Release Assessment Criteria Checklist]<br />
<br />
<br />
= Brand Resources =<br />
<font size=2pt><br />
<br />
==The Brand Usage Rules==<br />
See OWASP's [[Marketing/Resources#tab=BRAND_GUIDELINES|The Brand Usage Rules]] for details.<br />
<br />
==Project Icons & Templates==<br />
See OWASP'S [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
(Following links and images are provided for a quick overview only, the primary page is [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]]).<br />
<br />
If you require more assistance with these files and/or templates, please contact the OWASP staff for assistance <br />
<br />
'''[[OWASP_Operations_Project_Template|OWASP Operational Wiki Template]]'''<br />
<br />
'''[[OWASP_Documentation_Project_Template|OWASP Example Template: DO NOT EDIT]]'''<br />
<br />
[[Image:OWASP_Project_Header.jpg|Owasp logo|500px]]<br />
<br />
[[Image:Project_Type_Files_TOOL.jpg|Owasp logo|200px]] [[Image:Project_Type_Files_DOC.jpg||Owasp logo 1c|200px]] <br />
<br />
[[Image:Project_Type_Files_CODE.jpg|Owasp logo|200px]] [[Image:Owasp-defenders-small.png|Owasp logo|100px]] [[Image:Owasp-builders-small.png|Owasp logo|100px]] [[Image:Owasp-breakers-small.png|Owasp logo|100px]] <br />
<br />
[[Image:Owasp-incubator-trans-200.png|Owasp logo rev icon|100px]] [[Image:Owasp-labs-trans-85.png|Owasp logo flat|100px]] [[Image:Owasp-flagship-trans-85.png|Owasp logo icon|100px]]<br />
<br />
===OpenSAMM===<br />
'''[[Media:OpenSAMM_icons.zip|OpenSAMM Icons]]'''<br />
<br />
'''Construction:'''<br />
<br />
[[Image:Construction black.png| Construction black| 100px]] [[Image:Construction blue.png| Construction blue| 100px]] [[image:Construction olive.png |construction olive|100px]]<br />
<br />
'''Deployment:'''<br />
<br />
[[image:Deployment black.png| Deployment black| 100px]] [[image:Deployment blue.png| Deployment blue| 100px]] [[image:Deployment olive.png | Deployment olive| 100px]]<br />
<br />
'''Governance:'''<br />
<br />
[[image:Governance black.png| governance black| 100px]] [[image:Governance blue.png | governance blue | 100px]] [[image:Governance olive.png | governance olive| 100px]]<br />
<br />
'''Verification:'''<br />
<br />
[[image:Verification black.png | Verification black | 100px]] [[image:Verification blue.png | verification blue | 100px]] [[image: Verification olive.png | Verification olive | 100px]]<br />
<br />
==Book Cover Files==<br />
See OWASP's [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
[[Media:Lulu-guide.pdf|Lulu Guide]]<br />
<br />
'''[https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip Download the Book Cover Zip File]'''<br />
{|<br />
|-<br />
! width="500" align="center" | <br> <br />
! width="300" align="center" | <br><br />
|-<br />
| align="center" | [[Image:BookImage_01.jpg|500px| link=https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip]] <br />
| align="center" | <br />
<br />
|}<br />
<br />
= Terminology =<br />
<font size=2pt><br />
== OWASP Project Infrastructure ==<br />
<br />
<br />
*'''OWASP Project Lifecycle:''' The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state.<br />
<br />
<br />
*'''Incubator Project:''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
*'''Labs Project:''' OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
<br />
*'''Flagship Project:''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
<br />
<br />
*'''Project Benefits:''' The standard list of resources and incentives made available to project leaders based on their project's current maturity level. <br />
<br />
<br />
<br />
== OWASP Project Reviews ==<br />
<br />
<br />
*'''Project Reviews:''' Project reviews are the method OWASP uses to establish a minimal baseline of project characteristics and release quality. Reviews are not mandatory, but they are necessary if a project leader wishes to graduate to the next level of maturity within the OWASP Global Projects infrastructure. Projects can be reviewed when an Incubator project wishes to graduate into the OWASP Labs designation, and project releases can be reviewed if they want the quality of their deliverable to be vouched for by OWASP. <br />
<br />
<br />
*'''Project Reviewer Pool:''' The project reviewer pool is made up of veteran reviewers who have proven themselves dedicated to executing quality reviews of projects. <br />
<br />
<br />
*'''Project Graduation:''' The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
*'''Project Health Assessment:''' The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE#gid=1 Project Health Assessment Criteria Document].<br />
<br />
<br />
*'''Project Release:''' A project release refers to the final deliverable a project produces. It is the final product of the project. <br />
<br />
<br />
*'''Project Deliverable/Release Review:''' The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.<br />
<br />
<br />
<br />
== OWASP Projects Processes == <br />
<br />
*'''Project Processes:''' The set of streamlined processes that exist to help projects move smoothly through the OWASP Project Lifecycle.<br />
<br />
<br />
*'''Project Inception Process:''' The Project Inception Process is how a brand new idea becomes an OWASP Project. Such projects are labeled as OWASP Incubator projects. The process involves submitting the proposed project name, project leader information, project description, project roadmap, and selecting an appropriate open-source license for the project using the New Project Form on the Projects Portal.<br />
<br />
<br />
*'''Project Donation Process:''' The Project Donation Process is used for a project that has an existing functional release, but is not currently associated with OWASP. This process is the primary mechanism by which individuals or organizations can transfer the ownership of their project’s copyright to OWASP.<br />
<br />
<br />
*'''Project Transition Process:''' The Project Transition Process is used to transition leadership of a project to a new project leader. This is a simple automated process to transfer the relevant accounts, mailing lists, and other project resources to the new project leader.<br />
<br />
<br />
*'''Project Abandonment Process:''' The Project Abandonment Process was put in place for those occasions in which a project leader is no longer able to manage their project, and has not been able to find a suitable replacement for the leader role. Project Abandonment can also occur when the project leader feels his/her project has become obsolete. Under these circumstances, the acting project leader is encourage do submit the Project Abandonment Form found in the Projects Portal.<br />
<br />
<br />
*'''Incubator Graduation Process:''' The Incubator Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
== Projects at Conferences == <br />
<br />
*'''AppSec Conferences:''' OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific.<br />
<br />
<br />
*'''Open Source Showcase:''' The Open Source Showcase is an OWASP AppSec Conference event module designed to give Open Source project leaders the opportunity to demo their projects.<br />
<br />
<br />
*'''OWASP Project Track:''' The OWASP Project Track is an OWASP AppSec Conference event module designed to give OWASP Project leaders the opportunity to showcase their projects as an official conference presenter. <br />
<br />
<br />
== OWASP Projects General == <br />
<br />
*'''OWASP Code of Ethics:''' The OWASP Code of Ethics are the set of guidelines and principles that the OWASP Foundation expects all of its members and conference attendees to abide by. A copy of the Code of Ethics can be found here in the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics OWASP About page]. <br />
<br />
<br />
= Sponsorships and Donations =<br />
<font size=2pt><br />
<br />
==Donate to OWASP Global Projects ==<br />
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.<br />
<br />
'''This is how your money can help:'''<br />
<br />
* $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.<br />
* $100 could help fund OWASP project demos at major conferences.<br />
* $250 could help get our volunteer Project Leaders to speaking engagements.<br />
<br />
<br />
[[Image:Donate_Button.jpg | link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
<br />
<br />
<br />
= Contact US =<br />
<font size=2pt><br />
<br />
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us].<br />
</font><br />
<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=196595Category:OWASP Project2015-06-26T17:05:55Z<p>Mark Denihan: /* Tools [Reviewed February 2015] */</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
|<br />
| align="right" | <br />
<br />
|}<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
= Welcome =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
<br />
=== Welcome to the OWASP Global Projects Page ===<br />
<br />
An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 142 active projects, and new project applications are submitted every week. <br />
<br />
This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page. A summary of recent project announcements is available on the [[OWASP Updates]] page. <br />
<br />
Download the '''[[Media:PROJECT_LEADER-HANDBOOK_2014.pdf|OWASP Project Handbook 2014]]'''<br />
<br />
'''[[OWASP_2014_Project_Handbook|OWASP Project Handbook Wiki 2014]]'''<br />
<br />
Download the '''[[Media:OWASP_Projects_Handbook_2013.pdf|OWASP Projects Handbook 2013]]'''<br />
<br />
'''[[Project_Online_Resources|Project Online Resources]]'''<br />
<br />
=== Who Should Start an OWASP Project? ===<br />
<br />
*Application Developers. <br />
*Software Architects. <br />
* Information Security Authors. <br />
*Those who would like the support of a world wide professional community to develop or test an idea.<br />
*Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer.<br />
<br />
=== Contact Us===<br />
<br />
If you have any questions, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us] by using the form provided here. Please allow five working days for your question or comment to be answered. This is due to the large amount of queries the foundation staff receive every day. We thank you for your patience. <br />
<br />
=== OWASP Project Inventory ===<br />
<br />
All OWASP tools, document, and code library projects are organized into the following [[OWASP_Project_Stages|categories:]] <br />
<br />
* '''[[OWASP_Project_Inventory#Flagship_Projects|Flagship Projects:]]''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
* '''[[OWASP_Project_Inventory#Labs_Projects|Lab Projects:]]''' OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. <br />
<br />
* '''[[OWASP_Project_Inventory#Incubator_Projects|Incubator Projects:]]''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.<br />
<br />
=== Social Media ===<br />
<br />
We recommend using the links below to find our official OWASP social media channels. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world. They are all updated regularly by chapter leaders, project leaders, the OWASP Board Members, and our OWASP Staff. If you have any questions or concerns about any of these accounts, please drop us a line using our [http://www.tfaforms.com/308703 "Contact Us"] form found above. <br />
<br />
[[Image:Blogger-32x32.png|32px|link=http://owasp.blogspot.co.uk/]] [[Image:Twitter-32x32.png|32px|link=https://twitter.com/OWASP]] [[Image:Facebook-32x32.png|32px|link=https://www.facebook.com/groups/172892372831444/]] [[Image:Linkedin-32x32.png|32px|link=http://www.linkedin.com/groups/Global-OWASP-Foundation-36874]] [[Image:Google-32x32.png|32px|link=https://plus.google.com/u/0/communities/105181517914716500346?cfem=1]] [[Image:Ning-32x32.png|32px|link=http://myowasp.ning.com/]]<br />
<!-- Twitter Box --> <br />
</font><br />
<br />
|}<br />
<br />
| style="border: 3px solid rgb(204, 204, 204); vertical-align: top; width: 95%; font-size: 95%; color: rgb(0, 0, 0);" | <br />
<div style="padding:2em;padding-bottom:0px;"><!-- DON'T REMOVE ME, I'M STRUCTURAL; also 2 empty lines between images --><br />
<br />
<br />
[[Image:New_initiatives.png|center|300px| link=http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing]] <br />
<br />
<br />
[[Image:Donate_here_banner.png|center|300px| link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
</div><br />
<br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
<br />
= Project Inventory =<br />
<font size=2pt><br />
<br />
The Project Dashboard lists the all project information at a glance, including release links, the current status of the project and project leader contact information. The Project Dashboard can be found here: https://www.owasp.org/index.php/OWASP_Project_Dashboard<br />
<br />
==Flagship Projects==<br />
[[File:Flagship_banner.jpg]]<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
After a major review process [[https://www.owasp.org/index.php/LAB_Projects_Code_Analysis_Report More info here]] the following projects are considered to be flagship candidate projects. These project have been evaluated more deeply to confirm their flagship status:<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
==Labs Projects==<br />
[[File:Lab banner.jpg]]<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[O-Saft|O-Saft]]<br />
* [[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Ninjas_AppSec_Training_Program OWASP Security Ninjas Appsec Training]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
[[File:low_activity.jpg]]<br />
<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
'''Code [Low Activity]'''<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
* [[OWASP_Joomla_Vulnerability_Scanner_Project]]<br />
<br />
'''Documentation [Low Activity]'''<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
==Incubator Projects==<br />
[[File:Incubator_banner.jpg]]<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed March 2015]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]<br />
<br />
<br />
=====Code: Low Activity=====<br />
<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]]<br />
<br />
====Research====<br />
* [[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]]<br />
<br />
====Tools [Reviewed last: May 2015]====<br />
* [[OWASP_Wordpress_Vulnerability_Scanner_Project | OWASP Wordpress Vulnerability Scanner]]<br />
* [[OWASP_Threat_Dragon | OWASP Threat Dragon]]<br />
* [[OWASP_Security_Knowledge_Framework#tab=Main | Security Knowledge Framework]]<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]]<br />
* [[OWASP_Droid10_Project|OWASP Droid]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
*[[Benchmark|OWASP WebGoat Benchmark]]<br />
*[[OWASP_WAP-Web_Application_Protection|WAP Web Application_Protection]]<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] <br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] <br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] <br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] <br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]]<br />
<br />
====Documentation[Review: May 2015]====<br />
*[[OWASP Automated Threats to Web Applications]]<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
* [[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
<br />
==Educational Initiatives==<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
<br />
==Donated Projects==<br />
<br />
OWASP Donated Projects are inactive projects that have been donated to the OWASP Projects Infrastructure. <br />
<br />
====Tools====<br />
<br />
* [[OWASP_Excess_XSS_Project|OWASP Excess XSS Project]]<br />
* [[OWASP_JOTP_Project|OWASP jOTP Project]]<br />
<br />
==OWASP Archived Projects==<br />
OWASP Archived Projects are projects that have developed outside OWASP umbrella or have become inactive. If you are interested in pursuing any of the inactive projects (click hyperlink for list), please contact us and let us know of your interest.<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_Project_Archived_Projects<br />
<br />
= Project Task Force =<br />
<br />
<br />
====OWASP Project Task Force====<br />
<br />
{{:Task_Force/OWASP_Projects}}<br />
<br />
= Online Resources =<br />
<br />
===Project Online Resources===<br />
<br />
{{:Project_Online_Resources}}<br />
<br />
<br />
= Starting a New Project =<br />
<font size=2pt><br />
== So you want to start a project... ==<br />
<br />
Starting an OWASP project is quite easy, and your desire to contribute and make it happen is essential.<br />
[[File:HowToStartProjectoWasp.png | 600px | right]]<br />
<br />
Here are some of the guidelines for running a successful OWASP project:<br />
<br />
-Start exploring the actual OWASP projects Inventory. Many projects handle specific areas of security it is a good idea to start looking how other successful projects do this (LABS/Flagship)<br />
<br />
-Place your idea or project on the [https://www.owasp.org/index.php/Project_Ideas_Board#From_Idea_to_Project_Incubator Project Ideas Board].This phase will help you to define the project goals and also explore and exchange with other OWASP leaders and volunteers how to develop the idea into a tangible project<br />
<br />
-Explore and research if your idea covers a unique segment in the Security arena.Think of your project as a product, if you really want people using it, think how this project will cover a necessity in the security area you are working on <br />
<br />
-Define what kind of project you would like to start. Is it a code, tool or documentation?<br />
<br />
-Communicate through the Project leader mailing list about your idea and get feedback and meet potential contributors<br />
<br />
-Develop your project based on the type of project. For example if you are willing to start a documentation project, begin by defining a Table of Content and work it through with potential contributors. First of all begin by creating a Road-map for your project. This is essential to submit your project. We highly recommend to read documentation such as "[http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf How to start /run a successful Open Source Projects]". <br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 500px | left]]<br />
<br />
Some recommendations on how to start a documentation project<br />
[[https://www.owasp.org/index.php/File:Document_Guide_(1).png| Document Guide Project]]<br />
<br />
===Importance of a well thought out Road-map===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
* Start defining a development, documentation and marketing plan for your project. Set short , medium and long term plans. Include promotion of your project, this is very important in order to engage users and consumers of your project. Contact project coordinator and the Project Task Force to help you achieve this goal. You ''can'' run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.<br />
<br />
* You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.<br />
<br />
* Available Grants to consider if you need funding - [[Grants|Click Here]]<br />
<br />
* You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!<br />
<br />
== Creating a new project ==<br />
Once you have passed the Project Ideas phase, then you will be ready to start a new project<br />
To Submit your project please use the following form<br />
. [http://www.tfaforms.com/263506 Please submit a new project application here].<br />
<br />
<br />
* You will need to gather the following information together for your application:<br />
A - PROJECT<br />
# Project Name,<br />
# Project purpose / overview,<br />
# Project Roadmap,<br />
# Project links (if any) to external sites,<br />
# [[Guidelines_for_OWASP_Projects#Project_Licensing|Project License],]<br />
# Project Leader name,<br />
# Project Leader email address,<br />
# Project Leader wiki account - the username (you'll need this to edit the wiki),<br />
# Project Contributor(s) (if any) - name email and wiki account (if any),<br />
# Project Main Links (if any).<br />
# For Documentation: A table of Contents<br />
# For Code: A prototype hosted in an open source repository of your choice. Make sure it has read access.<br />
<br />
* Check out the '''[[Guidelines for OWASP Projects]]'''.<br />
* [[Grant_Spending_Policy|Grant Spending Policy]]<br />
* [[Project_Spending_Policy|Project Spending Policy]]<br />
* [[Project_Sponsorship_Operational_Guidelines|Project Sponsorship Operational Guidelines]]<br />
<br />
==OWASP Recommended Licenses==<br />
<br />
{{Recommended_Licenses}}<br />
<br />
==Funding your Project==<br />
An OWASP project does not receive any funding for development at project inception; however, a new project does have the opportunity to submit a request to receive funds if they are available for the year. Additionally, project leaders have the option of seeking sponsorship from outside organizations, but project leaders are required to seek funding through their own initiative. Please contact the OWASP Projects Manager for more information. <br />
<br />
== Project Release ==<br />
<br />
As your project reaches a point that you'd like OWASP to assist in its promotion, the will need the following information to help spread the word about your project:<br />
<br />
# Short 5 sentence paragraph outlining what your project is about, what you hope to accomplish with your project, what value your project brings to software security, and contributor and project leader names and contact information.<br />
# Link to your wiki page.<br />
# Link to your code repository or a link to where readers can download your project.<br />
# Latest Release description answering the following questions: What is it?, What does it do?, Where can I get it?, Who should I contact if something goes wrong?.<br />
<br />
==Project Process Forms==<br />
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastructure. They facilitate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form. <br />
<br />
* [http://www.tfaforms.com/264422 Project Transition Application]:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project. <br />
<br />
* [http://www.tfaforms.com/264413 Project Review Application]:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time. <br />
<br />
* [http://www.tfaforms.com/264418 Project Donation Application]:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.<br />
<br />
* [http://www.tfaforms.com/264428 Project Adoption Request]:This form is used when someone is interested in adopting an archived project. <br />
<br />
* [http://www.tfaforms.com/264426 Project Abandonment Request]:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.<br />
<br />
* [http://www.tfaforms.com/264392 Incubator Project Graduation Application]:This application form is for Incubator Projects to apply for Labs Project status.<br />
<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project Project Request (Bangladesh)]:For Information Security Project contact with OWASP Bangladesh Project Leader [[S. M. Shezan]][http://www.facebook.com/smshezan]<br />
<br />
= Project Assessments =<br />
<font size=2pt><br />
==OWASP Project Lifecycle==<br />
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.<br />
<br />
<br />
====The OWASP Project Lifecycle is broken down into the following stages:====<br />
<br />
'''Incubator Projects''': OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.<br />
<br />
'''Lab Projects''': OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process. <br />
<br />
'''Flagship Projects''': The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.<br />
<br />
'''Code Projects''': OWASP code projects are very important for the cyber security solutions. Because these projects are used to find out the application security problems and try to solve those problems. Best code project is [[OWASP System Vulnerable Code Project]] and best project leader is [http://www.facebook.com/smshezan S. M. Shezan]<br />
<br />
== OWASP Project Stage Benefits==<br />
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.<br />
<br />
'''Incubator'''<br />
* Financial Donation Management Assistance <br />
* Project Review Support<br />
* WASPY Awards Nominations<br />
* OWASP OSS and OPT Participation<br />
* Opportunity to submit proposal: $500 for Development.<br />
* Community Engagement and Support<br />
* Recognition and visibility of being associated with the OWASP Brand.<br />
<br />
'''Labs'''<br />
* All benefits given to Incubator Projects <br />
* Technical Writing Support<br />
* Graphic Design Support<br />
* Project Promotion Support<br />
* OWASP OSS and OPT: Preference<br />
<br />
'''Flagship'''<br />
* All benefits given to Incubator & Labs Projects<br />
* Grant finding and proposal writing help<br />
* Yearly marketing plan development<br />
* OWASP OSS and OPT participation preference<br />
<br />
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.<br />
<br />
== Project Monitoring Incubator/Documentation ==<br />
Every 6 months, a project monitoring assessment takes place to evaluate if projects had any releases during this period.A warning will be sent to projects without any activity in 90 days and after 180 days, the project will be set automatically as inactive.<br />
You can set your project active at any time, as long as:<br />
* There has been commits to the project's open repository or<br />
* There has been a beta release of the documentation produced so far or<br />
* Provide a detailed Roadmap <br />
<br />
===Importance of a well thought out Roadmap===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 600px]]<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
==Project Monitoring for LABS/Flagship==<br />
These project represent the best OWASP has to offer, therefore monitoring of these projects is closely supervised.<br />
===For Code and Tools===<br />
For projects holding Flagship status, we closely monitor their health every 6 months on the following, among other key indicators:<br />
*Can the project be built correctly?<br />
*Does the project has any activity(commits) in the last 6 months?<br />
*Does the project had any releases in the last 6 months?<br />
*Has the project leaders updated his wiki or website to reflect latest releases?<br />
===For Documentation===<br />
For this part, we are working on the development of an adequate assessment criteria<br />
The following is a draft of the new process proposal: [[https://www.owasp.org/index.php/File:Qualitative_and_Quantitative_Content_Audit.pdf Proposal for Reviewing OWASP Document projects]]<br />
<br />
== OWASP Project Graduation==<br />
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must receive a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Graduation Criteria Checklist]<br />
<br />
==OWASP Project Health Assessment==<br />
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation for projects going from Incubator to LAB and from LAB to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Health Assessment Criteria Document]. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
==OWASP Project Deliverable/Release Assessment==<br />
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception. <br />
<br />
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Deliverable/Release Assessment Criteria Checklist]<br />
<br />
<br />
= Brand Resources =<br />
<font size=2pt><br />
<br />
==The Brand Usage Rules==<br />
See OWASP's [[Marketing/Resources#tab=BRAND_GUIDELINES|The Brand Usage Rules]] for details.<br />
<br />
==Project Icons & Templates==<br />
See OWASP'S [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
(Following links and images are provided for a quick overview only, the primary page is [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]]).<br />
<br />
If you require more assistance with these files and/or templates, please contact the OWASP staff for assistance <br />
<br />
'''[[OWASP_Operations_Project_Template|OWASP Operational Wiki Template]]'''<br />
<br />
'''[[OWASP_Documentation_Project_Template|OWASP Example Template: DO NOT EDIT]]'''<br />
<br />
[[Image:OWASP_Project_Header.jpg|Owasp logo|500px]]<br />
<br />
[[Image:Project_Type_Files_TOOL.jpg|Owasp logo|200px]] [[Image:Project_Type_Files_DOC.jpg||Owasp logo 1c|200px]] <br />
<br />
[[Image:Project_Type_Files_CODE.jpg|Owasp logo|200px]] [[Image:Owasp-defenders-small.png|Owasp logo|100px]] [[Image:Owasp-builders-small.png|Owasp logo|100px]] [[Image:Owasp-breakers-small.png|Owasp logo|100px]] <br />
<br />
[[Image:Owasp-incubator-trans-200.png|Owasp logo rev icon|100px]] [[Image:Owasp-labs-trans-85.png|Owasp logo flat|100px]] [[Image:Owasp-flagship-trans-85.png|Owasp logo icon|100px]]<br />
<br />
===OpenSAMM===<br />
'''[[Media:OpenSAMM_icons.zip|OpenSAMM Icons]]'''<br />
<br />
'''Construction:'''<br />
<br />
[[Image:Construction black.png| Construction black| 100px]] [[Image:Construction blue.png| Construction blue| 100px]] [[image:Construction olive.png |construction olive|100px]]<br />
<br />
'''Deployment:'''<br />
<br />
[[image:Deployment black.png| Deployment black| 100px]] [[image:Deployment blue.png| Deployment blue| 100px]] [[image:Deployment olive.png | Deployment olive| 100px]]<br />
<br />
'''Governance:'''<br />
<br />
[[image:Governance black.png| governance black| 100px]] [[image:Governance blue.png | governance blue | 100px]] [[image:Governance olive.png | governance olive| 100px]]<br />
<br />
'''Verification:'''<br />
<br />
[[image:Verification black.png | Verification black | 100px]] [[image:Verification blue.png | verification blue | 100px]] [[image: Verification olive.png | Verification olive | 100px]]<br />
<br />
==Book Cover Files==<br />
See OWASP's [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
[[Media:Lulu-guide.pdf|Lulu Guide]]<br />
<br />
'''[https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip Download the Book Cover Zip File]'''<br />
{|<br />
|-<br />
! width="500" align="center" | <br> <br />
! width="300" align="center" | <br><br />
|-<br />
| align="center" | [[Image:BookImage_01.jpg|500px| link=https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip]] <br />
| align="center" | <br />
<br />
|}<br />
<br />
= Terminology =<br />
<font size=2pt><br />
== OWASP Project Infrastructure ==<br />
<br />
<br />
*'''OWASP Project Lifecycle:''' The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state.<br />
<br />
<br />
*'''Incubator Project:''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
*'''Labs Project:''' OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
<br />
*'''Flagship Project:''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
<br />
<br />
*'''Project Benefits:''' The standard list of resources and incentives made available to project leaders based on their project's current maturity level. <br />
<br />
<br />
<br />
== OWASP Project Reviews ==<br />
<br />
<br />
*'''Project Reviews:''' Project reviews are the method OWASP uses to establish a minimal baseline of project characteristics and release quality. Reviews are not mandatory, but they are necessary if a project leader wishes to graduate to the next level of maturity within the OWASP Global Projects infrastructure. Projects can be reviewed when an Incubator project wishes to graduate into the OWASP Labs designation, and project releases can be reviewed if they want the quality of their deliverable to be vouched for by OWASP. <br />
<br />
<br />
*'''Project Reviewer Pool:''' The project reviewer pool is made up of veteran reviewers who have proven themselves dedicated to executing quality reviews of projects. <br />
<br />
<br />
*'''Project Graduation:''' The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
*'''Project Health Assessment:''' The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE#gid=1 Project Health Assessment Criteria Document].<br />
<br />
<br />
*'''Project Release:''' A project release refers to the final deliverable a project produces. It is the final product of the project. <br />
<br />
<br />
*'''Project Deliverable/Release Review:''' The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.<br />
<br />
<br />
<br />
== OWASP Projects Processes == <br />
<br />
*'''Project Processes:''' The set of streamlined processes that exist to help projects move smoothly through the OWASP Project Lifecycle.<br />
<br />
<br />
*'''Project Inception Process:''' The Project Inception Process is how a brand new idea becomes an OWASP Project. Such projects are labeled as OWASP Incubator projects. The process involves submitting the proposed project name, project leader information, project description, project roadmap, and selecting an appropriate open-source license for the project using the New Project Form on the Projects Portal.<br />
<br />
<br />
*'''Project Donation Process:''' The Project Donation Process is used for a project that has an existing functional release, but is not currently associated with OWASP. This process is the primary mechanism by which individuals or organizations can transfer the ownership of their project’s copyright to OWASP.<br />
<br />
<br />
*'''Project Transition Process:''' The Project Transition Process is used to transition leadership of a project to a new project leader. This is a simple automated process to transfer the relevant accounts, mailing lists, and other project resources to the new project leader.<br />
<br />
<br />
*'''Project Abandonment Process:''' The Project Abandonment Process was put in place for those occasions in which a project leader is no longer able to manage their project, and has not been able to find a suitable replacement for the leader role. Project Abandonment can also occur when the project leader feels his/her project has become obsolete. Under these circumstances, the acting project leader is encourage do submit the Project Abandonment Form found in the Projects Portal.<br />
<br />
<br />
*'''Incubator Graduation Process:''' The Incubator Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
== Projects at Conferences == <br />
<br />
*'''AppSec Conferences:''' OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific.<br />
<br />
<br />
*'''Open Source Showcase:''' The Open Source Showcase is an OWASP AppSec Conference event module designed to give Open Source project leaders the opportunity to demo their projects.<br />
<br />
<br />
*'''OWASP Project Track:''' The OWASP Project Track is an OWASP AppSec Conference event module designed to give OWASP Project leaders the opportunity to showcase their projects as an official conference presenter. <br />
<br />
<br />
== OWASP Projects General == <br />
<br />
*'''OWASP Code of Ethics:''' The OWASP Code of Ethics are the set of guidelines and principles that the OWASP Foundation expects all of its members and conference attendees to abide by. A copy of the Code of Ethics can be found here in the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics OWASP About page]. <br />
<br />
<br />
= Sponsorships and Donations =<br />
<font size=2pt><br />
<br />
==Donate to OWASP Global Projects ==<br />
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.<br />
<br />
'''This is how your money can help:'''<br />
<br />
* $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.<br />
* $100 could help fund OWASP project demos at major conferences.<br />
* $250 could help get our volunteer Project Leaders to speaking engagements.<br />
<br />
<br />
[[Image:Donate_Button.jpg | link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
<br />
<br />
<br />
= Contact US =<br />
<font size=2pt><br />
<br />
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us].<br />
</font><br />
<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=196594Category:OWASP Project2015-06-26T17:05:26Z<p>Mark Denihan: /* Tools [Reviewed February 2015] */ Sorting Alphabetically</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
|<br />
| align="right" | <br />
<br />
|}<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
= Welcome =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
<br />
=== Welcome to the OWASP Global Projects Page ===<br />
<br />
An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 142 active projects, and new project applications are submitted every week. <br />
<br />
This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page. A summary of recent project announcements is available on the [[OWASP Updates]] page. <br />
<br />
Download the '''[[Media:PROJECT_LEADER-HANDBOOK_2014.pdf|OWASP Project Handbook 2014]]'''<br />
<br />
'''[[OWASP_2014_Project_Handbook|OWASP Project Handbook Wiki 2014]]'''<br />
<br />
Download the '''[[Media:OWASP_Projects_Handbook_2013.pdf|OWASP Projects Handbook 2013]]'''<br />
<br />
'''[[Project_Online_Resources|Project Online Resources]]'''<br />
<br />
=== Who Should Start an OWASP Project? ===<br />
<br />
*Application Developers. <br />
*Software Architects. <br />
* Information Security Authors. <br />
*Those who would like the support of a world wide professional community to develop or test an idea.<br />
*Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer.<br />
<br />
=== Contact Us===<br />
<br />
If you have any questions, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us] by using the form provided here. Please allow five working days for your question or comment to be answered. This is due to the large amount of queries the foundation staff receive every day. We thank you for your patience. <br />
<br />
=== OWASP Project Inventory ===<br />
<br />
All OWASP tools, document, and code library projects are organized into the following [[OWASP_Project_Stages|categories:]] <br />
<br />
* '''[[OWASP_Project_Inventory#Flagship_Projects|Flagship Projects:]]''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
* '''[[OWASP_Project_Inventory#Labs_Projects|Lab Projects:]]''' OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. <br />
<br />
* '''[[OWASP_Project_Inventory#Incubator_Projects|Incubator Projects:]]''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.<br />
<br />
=== Social Media ===<br />
<br />
We recommend using the links below to find our official OWASP social media channels. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world. They are all updated regularly by chapter leaders, project leaders, the OWASP Board Members, and our OWASP Staff. If you have any questions or concerns about any of these accounts, please drop us a line using our [http://www.tfaforms.com/308703 "Contact Us"] form found above. <br />
<br />
[[Image:Blogger-32x32.png|32px|link=http://owasp.blogspot.co.uk/]] [[Image:Twitter-32x32.png|32px|link=https://twitter.com/OWASP]] [[Image:Facebook-32x32.png|32px|link=https://www.facebook.com/groups/172892372831444/]] [[Image:Linkedin-32x32.png|32px|link=http://www.linkedin.com/groups/Global-OWASP-Foundation-36874]] [[Image:Google-32x32.png|32px|link=https://plus.google.com/u/0/communities/105181517914716500346?cfem=1]] [[Image:Ning-32x32.png|32px|link=http://myowasp.ning.com/]]<br />
<!-- Twitter Box --> <br />
</font><br />
<br />
|}<br />
<br />
| style="border: 3px solid rgb(204, 204, 204); vertical-align: top; width: 95%; font-size: 95%; color: rgb(0, 0, 0);" | <br />
<div style="padding:2em;padding-bottom:0px;"><!-- DON'T REMOVE ME, I'M STRUCTURAL; also 2 empty lines between images --><br />
<br />
<br />
[[Image:New_initiatives.png|center|300px| link=http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing]] <br />
<br />
<br />
[[Image:Donate_here_banner.png|center|300px| link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
</div><br />
<br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
<br />
= Project Inventory =<br />
<font size=2pt><br />
<br />
The Project Dashboard lists the all project information at a glance, including release links, the current status of the project and project leader contact information. The Project Dashboard can be found here: https://www.owasp.org/index.php/OWASP_Project_Dashboard<br />
<br />
==Flagship Projects==<br />
[[File:Flagship_banner.jpg]]<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
After a major review process [[https://www.owasp.org/index.php/LAB_Projects_Code_Analysis_Report More info here]] the following projects are considered to be flagship candidate projects. These project have been evaluated more deeply to confirm their flagship status:<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
==Labs Projects==<br />
[[File:Lab banner.jpg]]<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]<br />
* [[O-Saft|O-Saft]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Ninjas_AppSec_Training_Program OWASP Security Ninjas Appsec Training]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
[[File:low_activity.jpg]]<br />
<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
'''Code [Low Activity]'''<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
* [[OWASP_Joomla_Vulnerability_Scanner_Project]]<br />
<br />
'''Documentation [Low Activity]'''<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
==Incubator Projects==<br />
[[File:Incubator_banner.jpg]]<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed March 2015]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]<br />
<br />
<br />
=====Code: Low Activity=====<br />
<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]]<br />
<br />
====Research====<br />
* [[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]]<br />
<br />
====Tools [Reviewed last: May 2015]====<br />
* [[OWASP_Wordpress_Vulnerability_Scanner_Project | OWASP Wordpress Vulnerability Scanner]]<br />
* [[OWASP_Threat_Dragon | OWASP Threat Dragon]]<br />
* [[OWASP_Security_Knowledge_Framework#tab=Main | Security Knowledge Framework]]<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]]<br />
* [[OWASP_Droid10_Project|OWASP Droid]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
*[[Benchmark|OWASP WebGoat Benchmark]]<br />
*[[OWASP_WAP-Web_Application_Protection|WAP Web Application_Protection]]<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] <br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] <br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] <br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] <br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]]<br />
<br />
====Documentation[Review: May 2015]====<br />
*[[OWASP Automated Threats to Web Applications]]<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
* [[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
<br />
==Educational Initiatives==<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
<br />
==Donated Projects==<br />
<br />
OWASP Donated Projects are inactive projects that have been donated to the OWASP Projects Infrastructure. <br />
<br />
====Tools====<br />
<br />
* [[OWASP_Excess_XSS_Project|OWASP Excess XSS Project]]<br />
* [[OWASP_JOTP_Project|OWASP jOTP Project]]<br />
<br />
==OWASP Archived Projects==<br />
OWASP Archived Projects are projects that have developed outside OWASP umbrella or have become inactive. If you are interested in pursuing any of the inactive projects (click hyperlink for list), please contact us and let us know of your interest.<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_Project_Archived_Projects<br />
<br />
= Project Task Force =<br />
<br />
<br />
====OWASP Project Task Force====<br />
<br />
{{:Task_Force/OWASP_Projects}}<br />
<br />
= Online Resources =<br />
<br />
===Project Online Resources===<br />
<br />
{{:Project_Online_Resources}}<br />
<br />
<br />
= Starting a New Project =<br />
<font size=2pt><br />
== So you want to start a project... ==<br />
<br />
Starting an OWASP project is quite easy, and your desire to contribute and make it happen is essential.<br />
[[File:HowToStartProjectoWasp.png | 600px | right]]<br />
<br />
Here are some of the guidelines for running a successful OWASP project:<br />
<br />
-Start exploring the actual OWASP projects Inventory. Many projects handle specific areas of security it is a good idea to start looking how other successful projects do this (LABS/Flagship)<br />
<br />
-Place your idea or project on the [https://www.owasp.org/index.php/Project_Ideas_Board#From_Idea_to_Project_Incubator Project Ideas Board].This phase will help you to define the project goals and also explore and exchange with other OWASP leaders and volunteers how to develop the idea into a tangible project<br />
<br />
-Explore and research if your idea covers a unique segment in the Security arena.Think of your project as a product, if you really want people using it, think how this project will cover a necessity in the security area you are working on <br />
<br />
-Define what kind of project you would like to start. Is it a code, tool or documentation?<br />
<br />
-Communicate through the Project leader mailing list about your idea and get feedback and meet potential contributors<br />
<br />
-Develop your project based on the type of project. For example if you are willing to start a documentation project, begin by defining a Table of Content and work it through with potential contributors. First of all begin by creating a Road-map for your project. This is essential to submit your project. We highly recommend to read documentation such as "[http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf How to start /run a successful Open Source Projects]". <br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 500px | left]]<br />
<br />
Some recommendations on how to start a documentation project<br />
[[https://www.owasp.org/index.php/File:Document_Guide_(1).png| Document Guide Project]]<br />
<br />
===Importance of a well thought out Road-map===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
* Start defining a development, documentation and marketing plan for your project. Set short , medium and long term plans. Include promotion of your project, this is very important in order to engage users and consumers of your project. Contact project coordinator and the Project Task Force to help you achieve this goal. You ''can'' run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.<br />
<br />
* You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.<br />
<br />
* Available Grants to consider if you need funding - [[Grants|Click Here]]<br />
<br />
* You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!<br />
<br />
== Creating a new project ==<br />
Once you have passed the Project Ideas phase, then you will be ready to start a new project<br />
To Submit your project please use the following form<br />
. [http://www.tfaforms.com/263506 Please submit a new project application here].<br />
<br />
<br />
* You will need to gather the following information together for your application:<br />
A - PROJECT<br />
# Project Name,<br />
# Project purpose / overview,<br />
# Project Roadmap,<br />
# Project links (if any) to external sites,<br />
# [[Guidelines_for_OWASP_Projects#Project_Licensing|Project License],]<br />
# Project Leader name,<br />
# Project Leader email address,<br />
# Project Leader wiki account - the username (you'll need this to edit the wiki),<br />
# Project Contributor(s) (if any) - name email and wiki account (if any),<br />
# Project Main Links (if any).<br />
# For Documentation: A table of Contents<br />
# For Code: A prototype hosted in an open source repository of your choice. Make sure it has read access.<br />
<br />
* Check out the '''[[Guidelines for OWASP Projects]]'''.<br />
* [[Grant_Spending_Policy|Grant Spending Policy]]<br />
* [[Project_Spending_Policy|Project Spending Policy]]<br />
* [[Project_Sponsorship_Operational_Guidelines|Project Sponsorship Operational Guidelines]]<br />
<br />
==OWASP Recommended Licenses==<br />
<br />
{{Recommended_Licenses}}<br />
<br />
==Funding your Project==<br />
An OWASP project does not receive any funding for development at project inception; however, a new project does have the opportunity to submit a request to receive funds if they are available for the year. Additionally, project leaders have the option of seeking sponsorship from outside organizations, but project leaders are required to seek funding through their own initiative. Please contact the OWASP Projects Manager for more information. <br />
<br />
== Project Release ==<br />
<br />
As your project reaches a point that you'd like OWASP to assist in its promotion, the will need the following information to help spread the word about your project:<br />
<br />
# Short 5 sentence paragraph outlining what your project is about, what you hope to accomplish with your project, what value your project brings to software security, and contributor and project leader names and contact information.<br />
# Link to your wiki page.<br />
# Link to your code repository or a link to where readers can download your project.<br />
# Latest Release description answering the following questions: What is it?, What does it do?, Where can I get it?, Who should I contact if something goes wrong?.<br />
<br />
==Project Process Forms==<br />
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastructure. They facilitate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form. <br />
<br />
* [http://www.tfaforms.com/264422 Project Transition Application]:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project. <br />
<br />
* [http://www.tfaforms.com/264413 Project Review Application]:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time. <br />
<br />
* [http://www.tfaforms.com/264418 Project Donation Application]:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.<br />
<br />
* [http://www.tfaforms.com/264428 Project Adoption Request]:This form is used when someone is interested in adopting an archived project. <br />
<br />
* [http://www.tfaforms.com/264426 Project Abandonment Request]:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.<br />
<br />
* [http://www.tfaforms.com/264392 Incubator Project Graduation Application]:This application form is for Incubator Projects to apply for Labs Project status.<br />
<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project Project Request (Bangladesh)]:For Information Security Project contact with OWASP Bangladesh Project Leader [[S. M. Shezan]][http://www.facebook.com/smshezan]<br />
<br />
= Project Assessments =<br />
<font size=2pt><br />
==OWASP Project Lifecycle==<br />
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.<br />
<br />
<br />
====The OWASP Project Lifecycle is broken down into the following stages:====<br />
<br />
'''Incubator Projects''': OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.<br />
<br />
'''Lab Projects''': OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process. <br />
<br />
'''Flagship Projects''': The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.<br />
<br />
'''Code Projects''': OWASP code projects are very important for the cyber security solutions. Because these projects are used to find out the application security problems and try to solve those problems. Best code project is [[OWASP System Vulnerable Code Project]] and best project leader is [http://www.facebook.com/smshezan S. M. Shezan]<br />
<br />
== OWASP Project Stage Benefits==<br />
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.<br />
<br />
'''Incubator'''<br />
* Financial Donation Management Assistance <br />
* Project Review Support<br />
* WASPY Awards Nominations<br />
* OWASP OSS and OPT Participation<br />
* Opportunity to submit proposal: $500 for Development.<br />
* Community Engagement and Support<br />
* Recognition and visibility of being associated with the OWASP Brand.<br />
<br />
'''Labs'''<br />
* All benefits given to Incubator Projects <br />
* Technical Writing Support<br />
* Graphic Design Support<br />
* Project Promotion Support<br />
* OWASP OSS and OPT: Preference<br />
<br />
'''Flagship'''<br />
* All benefits given to Incubator & Labs Projects<br />
* Grant finding and proposal writing help<br />
* Yearly marketing plan development<br />
* OWASP OSS and OPT participation preference<br />
<br />
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.<br />
<br />
== Project Monitoring Incubator/Documentation ==<br />
Every 6 months, a project monitoring assessment takes place to evaluate if projects had any releases during this period.A warning will be sent to projects without any activity in 90 days and after 180 days, the project will be set automatically as inactive.<br />
You can set your project active at any time, as long as:<br />
* There has been commits to the project's open repository or<br />
* There has been a beta release of the documentation produced so far or<br />
* Provide a detailed Roadmap <br />
<br />
===Importance of a well thought out Roadmap===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 600px]]<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
==Project Monitoring for LABS/Flagship==<br />
These project represent the best OWASP has to offer, therefore monitoring of these projects is closely supervised.<br />
===For Code and Tools===<br />
For projects holding Flagship status, we closely monitor their health every 6 months on the following, among other key indicators:<br />
*Can the project be built correctly?<br />
*Does the project has any activity(commits) in the last 6 months?<br />
*Does the project had any releases in the last 6 months?<br />
*Has the project leaders updated his wiki or website to reflect latest releases?<br />
===For Documentation===<br />
For this part, we are working on the development of an adequate assessment criteria<br />
The following is a draft of the new process proposal: [[https://www.owasp.org/index.php/File:Qualitative_and_Quantitative_Content_Audit.pdf Proposal for Reviewing OWASP Document projects]]<br />
<br />
== OWASP Project Graduation==<br />
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must receive a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Graduation Criteria Checklist]<br />
<br />
==OWASP Project Health Assessment==<br />
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation for projects going from Incubator to LAB and from LAB to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Health Assessment Criteria Document]. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
==OWASP Project Deliverable/Release Assessment==<br />
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception. <br />
<br />
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Deliverable/Release Assessment Criteria Checklist]<br />
<br />
<br />
= Brand Resources =<br />
<font size=2pt><br />
<br />
==The Brand Usage Rules==<br />
See OWASP's [[Marketing/Resources#tab=BRAND_GUIDELINES|The Brand Usage Rules]] for details.<br />
<br />
==Project Icons & Templates==<br />
See OWASP'S [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
(Following links and images are provided for a quick overview only, the primary page is [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]]).<br />
<br />
If you require more assistance with these files and/or templates, please contact the OWASP staff for assistance <br />
<br />
'''[[OWASP_Operations_Project_Template|OWASP Operational Wiki Template]]'''<br />
<br />
'''[[OWASP_Documentation_Project_Template|OWASP Example Template: DO NOT EDIT]]'''<br />
<br />
[[Image:OWASP_Project_Header.jpg|Owasp logo|500px]]<br />
<br />
[[Image:Project_Type_Files_TOOL.jpg|Owasp logo|200px]] [[Image:Project_Type_Files_DOC.jpg||Owasp logo 1c|200px]] <br />
<br />
[[Image:Project_Type_Files_CODE.jpg|Owasp logo|200px]] [[Image:Owasp-defenders-small.png|Owasp logo|100px]] [[Image:Owasp-builders-small.png|Owasp logo|100px]] [[Image:Owasp-breakers-small.png|Owasp logo|100px]] <br />
<br />
[[Image:Owasp-incubator-trans-200.png|Owasp logo rev icon|100px]] [[Image:Owasp-labs-trans-85.png|Owasp logo flat|100px]] [[Image:Owasp-flagship-trans-85.png|Owasp logo icon|100px]]<br />
<br />
===OpenSAMM===<br />
'''[[Media:OpenSAMM_icons.zip|OpenSAMM Icons]]'''<br />
<br />
'''Construction:'''<br />
<br />
[[Image:Construction black.png| Construction black| 100px]] [[Image:Construction blue.png| Construction blue| 100px]] [[image:Construction olive.png |construction olive|100px]]<br />
<br />
'''Deployment:'''<br />
<br />
[[image:Deployment black.png| Deployment black| 100px]] [[image:Deployment blue.png| Deployment blue| 100px]] [[image:Deployment olive.png | Deployment olive| 100px]]<br />
<br />
'''Governance:'''<br />
<br />
[[image:Governance black.png| governance black| 100px]] [[image:Governance blue.png | governance blue | 100px]] [[image:Governance olive.png | governance olive| 100px]]<br />
<br />
'''Verification:'''<br />
<br />
[[image:Verification black.png | Verification black | 100px]] [[image:Verification blue.png | verification blue | 100px]] [[image: Verification olive.png | Verification olive | 100px]]<br />
<br />
==Book Cover Files==<br />
See OWASP's [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
[[Media:Lulu-guide.pdf|Lulu Guide]]<br />
<br />
'''[https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip Download the Book Cover Zip File]'''<br />
{|<br />
|-<br />
! width="500" align="center" | <br> <br />
! width="300" align="center" | <br><br />
|-<br />
| align="center" | [[Image:BookImage_01.jpg|500px| link=https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip]] <br />
| align="center" | <br />
<br />
|}<br />
<br />
= Terminology =<br />
<font size=2pt><br />
== OWASP Project Infrastructure ==<br />
<br />
<br />
*'''OWASP Project Lifecycle:''' The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state.<br />
<br />
<br />
*'''Incubator Project:''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
*'''Labs Project:''' OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
<br />
*'''Flagship Project:''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
<br />
<br />
*'''Project Benefits:''' The standard list of resources and incentives made available to project leaders based on their project's current maturity level. <br />
<br />
<br />
<br />
== OWASP Project Reviews ==<br />
<br />
<br />
*'''Project Reviews:''' Project reviews are the method OWASP uses to establish a minimal baseline of project characteristics and release quality. Reviews are not mandatory, but they are necessary if a project leader wishes to graduate to the next level of maturity within the OWASP Global Projects infrastructure. Projects can be reviewed when an Incubator project wishes to graduate into the OWASP Labs designation, and project releases can be reviewed if they want the quality of their deliverable to be vouched for by OWASP. <br />
<br />
<br />
*'''Project Reviewer Pool:''' The project reviewer pool is made up of veteran reviewers who have proven themselves dedicated to executing quality reviews of projects. <br />
<br />
<br />
*'''Project Graduation:''' The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
*'''Project Health Assessment:''' The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE#gid=1 Project Health Assessment Criteria Document].<br />
<br />
<br />
*'''Project Release:''' A project release refers to the final deliverable a project produces. It is the final product of the project. <br />
<br />
<br />
*'''Project Deliverable/Release Review:''' The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.<br />
<br />
<br />
<br />
== OWASP Projects Processes == <br />
<br />
*'''Project Processes:''' The set of streamlined processes that exist to help projects move smoothly through the OWASP Project Lifecycle.<br />
<br />
<br />
*'''Project Inception Process:''' The Project Inception Process is how a brand new idea becomes an OWASP Project. Such projects are labeled as OWASP Incubator projects. The process involves submitting the proposed project name, project leader information, project description, project roadmap, and selecting an appropriate open-source license for the project using the New Project Form on the Projects Portal.<br />
<br />
<br />
*'''Project Donation Process:''' The Project Donation Process is used for a project that has an existing functional release, but is not currently associated with OWASP. This process is the primary mechanism by which individuals or organizations can transfer the ownership of their project’s copyright to OWASP.<br />
<br />
<br />
*'''Project Transition Process:''' The Project Transition Process is used to transition leadership of a project to a new project leader. This is a simple automated process to transfer the relevant accounts, mailing lists, and other project resources to the new project leader.<br />
<br />
<br />
*'''Project Abandonment Process:''' The Project Abandonment Process was put in place for those occasions in which a project leader is no longer able to manage their project, and has not been able to find a suitable replacement for the leader role. Project Abandonment can also occur when the project leader feels his/her project has become obsolete. Under these circumstances, the acting project leader is encourage do submit the Project Abandonment Form found in the Projects Portal.<br />
<br />
<br />
*'''Incubator Graduation Process:''' The Incubator Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
== Projects at Conferences == <br />
<br />
*'''AppSec Conferences:''' OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific.<br />
<br />
<br />
*'''Open Source Showcase:''' The Open Source Showcase is an OWASP AppSec Conference event module designed to give Open Source project leaders the opportunity to demo their projects.<br />
<br />
<br />
*'''OWASP Project Track:''' The OWASP Project Track is an OWASP AppSec Conference event module designed to give OWASP Project leaders the opportunity to showcase their projects as an official conference presenter. <br />
<br />
<br />
== OWASP Projects General == <br />
<br />
*'''OWASP Code of Ethics:''' The OWASP Code of Ethics are the set of guidelines and principles that the OWASP Foundation expects all of its members and conference attendees to abide by. A copy of the Code of Ethics can be found here in the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics OWASP About page]. <br />
<br />
<br />
= Sponsorships and Donations =<br />
<font size=2pt><br />
<br />
==Donate to OWASP Global Projects ==<br />
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.<br />
<br />
'''This is how your money can help:'''<br />
<br />
* $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.<br />
* $100 could help fund OWASP project demos at major conferences.<br />
* $250 could help get our volunteer Project Leaders to speaking engagements.<br />
<br />
<br />
[[Image:Donate_Button.jpg | link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
<br />
<br />
<br />
= Contact US =<br />
<font size=2pt><br />
<br />
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us].<br />
</font><br />
<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=196593OWASP Security Shepherd2015-06-26T16:47:05Z<p>Mark Denihan: /* FAQs */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Follow [[https://github.com/OWASP/SecurityShepherd/wiki/How-To-Reskin-Shepherd this guide]]!<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
; Q3 Where can I download Security Shepherd?<br />
: A3 You can download it on [[https://sourceforge.net/projects/owaspshepherd/files/ Source Forge]]<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=196592OWASP Security Shepherd2015-06-26T16:34:00Z<p>Mark Denihan: /* Setup Help */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateCoreSchemaV2.4.sql Upgrade Core Schema Script]]<br />
* Download and run this SQL file on your DB server: [[https://github.com/OWASP/SecurityShepherd/raw/master/SecurityShepherdCore/setupFiles/updateModuleSchemasV2.4.sql Upgrade Module Schemas Script]]<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=196591OWASP Security Shepherd2015-06-26T16:22:17Z<p>Mark Denihan: /* Setup Help */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===How to Upgrade Version 2.3 to Version 2.4:===<br />
You have a current instance of Security Shepherd V2.3, and you want to upgrade it to 2.4 without loosing any data? No Problem. Follow these steps to upgrade;<br />
<br />
* Download and run this SQL file on your DB server: Upgrade Core Schema Script<br />
* Download and run this SQL file on your DB server: Upgrade Module Schemas Script<br />
* Download the 2.4 Manual Pack, and replace your V2.3 war file with the new V2.4 war file.<br />
<br />
All settings will be set to default after completing these steps and new levels will be marked as open.<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=196575OWASP Security Shepherd2015-06-25T15:56:48Z<p>Mark Denihan: Updates for 2.4 Release</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A5|Security Misconfiguration]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Data_Validation|Poor Data Validation]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [July 2015] Shepherd v2.4 Released<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their websites and follow them on Twitter. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
[[File:Manicode-logo.png]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Paul McCann<br />
* John Clarke<br />
* Ciaran Napier<br />
* Jason Flood<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.4 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Update the VM Network Adapters to suit what you have available. (Bridged Adapter for Network Availability, Host-Only for local access only and NAT for just outbound access) The VM by default has 2 Network adapters, one NAT and a Host-Only.<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address of the network adapter that is not configured for NAT. Make note of this<br />
* On your host machine, open https://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Go to Admin -> Configuration -> Change Module Layout to change the way levels are presented. Default is CTF Mode (One at a time)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.4 Manual Pack (Windows):===<br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using CowSaysMoo as the default password to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p )<br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source coreSchema.sql<br />
source moduleSchemas.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the temp directory, in the ROOT directory in the temp folder, modify the /WEB-INF/coreDatabase.properties and /WEB-INF/database.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT folder in your temp directory, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password (Can't be 'password' again)<br />
* Make sure JAVA_HOME is set;<br />
* Right click My Computer and select Properties.<br />
* On the Advanced tab, select Environment Variables, and then edit JAVA_HOME to point to where the JDK software is located, e.g C:\Program Files\Java\jdk1.8.0_45.<br />
* To setup SSL for port 443 (HTTPS) firstly generate the self signed certificate<br />
<br />
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA<br />
<br />
* The following is an example of filling out the details for the cert. You can choose your own.<br />
<br />
Enter keystore password: passw0rd<br />
Re-enter new password: password<br />
What is your first and last name?<br />
[Unknown]: Paul Stone<br />
What is the name of your organizational unit?<br />
[Unknown]: Security Shepherd<br />
What is the name of your organization?<br />
[Unknown]: OWASP<br />
What is the name of your City or Locality?<br />
[Unknown]: Baile Átha Cliath<br />
What is the name of your State or Province?<br />
[Unknown]: Laighin<br />
What is the two-letter country code for this unit?<br />
[Unknown]: IE<br />
Is CN=Paul Stone, OU=Security Shepherd, O=OWASP, L=Baile Átha Cliath, ST=Laighin, C=IE correct?<br />
[no]: yes<br />
<br />
Enter key password for (RETURN if same as keystore password): <RETURN><br />
<br />
* This will create a file under C:\Users\YOUR_USERNAME.keystore<br />
* Now Update the C:\INSTALL_LOCATION\tomcat7\conf\server.xml file manually. Make a note of the password to the cert you generated and enter it under the 'keystorePass'. Change the listener port to the following:<br />
<br />
<Connector address="0.0.0.0" port="80" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" /><br />
<br />
<Connector address="0.0.0.0" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Users\YOUR_USERNAME\.keystore" keystorePass="passw0rd" keyAlias="tomcat"/><br />
<br />
* To Redirect traffic to 443 (HTTPS)add the following to C:\INSTALL_LOCATION\tomcat7\conf\web.xml<br />
<br />
<security-constraint><web-resource-collection><web-resource-name>Entire Application</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint><br />
<br />
* Time to Play!<br />
<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=File:Manicode-logo.png&diff=196574File:Manicode-logo.png2015-06-25T15:48:35Z<p>Mark Denihan: </p>
<hr />
<div></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Projects/OWASP_Security_Shepherd/Roadmap&diff=195411Projects/OWASP Security Shepherd/Roadmap2015-05-28T07:19:19Z<p>Mark Denihan: </p>
<hr />
<div>The current objectives of the Security Shepherd project are;<br />
<br />
To create more levels to provide a wider coverage of vulnerabilities<br />
<br />
Extend admin UI configuration options<br />
<br />
Expand Mobile Risk Examples to iOS and Windows Mobile<br />
<br />
Improve Documentation</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195410OWASP Security Shepherd2015-05-28T07:13:02Z<p>Mark Denihan: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline&diff=195254OWASP Vulnerable Web Applications Directory Project/Pages/Offline2015-05-26T13:14:43Z<p>Mark Denihan: Adding Security Shepherd to List</p>
<hr />
<div>{| border="1" width="80%" cellspacing="0" cellpadding="2"<br />
|-<br />
! scope="col" | App Name / Link<br />
! scope="col" | Technology<br />
! scope="col" | Other links<br />
! scope="col" | Author<br />
! scope="col" | Notes<br />
|-<br />
| [http://www.badstore.net/ BadStore]<br />
| Perl(CGI)<br />
| <br />
| <br />
| <br />
|-<br />
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]<br />
| Java<br />
| [http://code.google.com/p/bodgeit/downloads/list download]<br />
| Simon Bennetts <br />
|<br />
|-<br />
| [http://sechow.com/bricks/index.html Bricks ]<br />
| PHP<br />
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]<br />
| OWASP<br />
| <br />
|-<br />
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]<br />
| PHP<br />
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]<br />
| <br />
| Last updated in 2008<br />
|-<br />
| [http://www.itsecgames.com/ bWAPP ]<br />
| PHP<br />
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]<br />
| <br />
| <br />
|-<br />
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]<br />
| Ruby on Rails<br />
| <br />
| <br />
| <br />
|-<br />
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]<br />
| PHP<br />
| [http://code.google.com/p/dvwa/downloads/list download]<br />
| RandomStorm<br />
| <br />
|-<br />
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]<br />
| PHP<br />
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]<br />
| Secure Ideas<br />
| <br />
|-<br />
| [https://www.owasp.org/index.php/OWASP_Faux_Bank_Project Faux Bank ]<br />
| ASP<br />
| [https://github.com/thatcoderguy/OWASP-Faux-Bank-ClassicASP download]<br />
| OWASP<br />
| <br />
|-<br />
| [http://google-gruyere.appspot.com/ Gruyere ]<br />
| Python<br />
| [http://google-gruyere.appspot.com/gruyere-code.zip download]<br />
| Google<br />
| <br />
|-<br />
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]<br />
| PHP<br />
| [https://github.com/Hackademic/hackademic download]<br />
| OWASP<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]<br />
| <br />
| <br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]<br />
| .NET<br />
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]<br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]<br />
| Java<br />
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]<br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]<br />
| Ruby on Rails<br />
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]<br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]<br />
| ColdFusion<br />
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]<br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]<br />
| C++<br />
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]<br />
| McAfee / Foundstone<br />
| <br />
|-<br />
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]<br />
| <br />
| <br />
| <br />
| First 2 levels online, rest offline<br />
|-<br />
| [http://bkimminich.github.io/juice-shop Juice Shop ]<br />
| Node, Express, Angular<br />
| [https://github.com/bkimminich/juice-shop download] [https://registry.hub.docker.com/u/bkimminich/juice-shop docker image]<br />
| Björn Kimminich<br />
| <br />
|-<br />
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]<br />
| PHP<br />
| <br />
| <br />
| <br />
|-<br />
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]<br />
| PHP<br />
| [http://www.irongeek.com/mutillidae/ download]<br />
| <br />
| <br />
|-<br />
| [https://owasp.codeplex.com/ .NET Goat ]<br />
| C#<br />
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]<br />
| OWASP<br />
| <br />
|-<br />
| [http://peruggia.sourceforge.net/ Peruggia ]<br />
| PHP<br />
| [http://sourceforge.net/projects/peruggia/files/ download]<br />
| <br />
| <br />
|-<br />
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]<br />
| Java<br />
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]<br />
| <br />
| <br />
|-<br />
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]<br />
| Ruby on Rails<br />
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]<br />
| OWASP<br />
| <br />
|-<br />
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]<br />
| Java<br />
| <br />
| Stanford<br />
| <br />
|-<br />
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]<br />
| Java<br />
| [http://suif.stanford.edu/~livshits/securibench/download.html download]<br />
| Stanford<br />
| <br />
|-<br />
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd#tab=Main Security Shepherd]<br />
| Java<br />
| [https://sourceforge.net/projects/owaspshepherd/ download]<br />
| OWASP<br />
| <br />
|-<br />
| [https://github.com/Audi-1/sqli-labs SQLI-labs]<br />
| PHP<br />
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]<br />
| <br />
| <br />
|-<br />
| [https://github.com/SpiderLabs/SQLol SQLol ]<br />
| PHP<br />
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]<br />
| <br />
| <br />
|-<br />
| [https://github.com/sakti/twitterlike twitterlike ]<br />
| PHP<br />
| [https://github.com/sakti/twitterlike git repository]<br />
| Sakti Dwi Cahyono<br />
| <br />
|-<br />
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]<br />
| .NET<br />
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]<br />
| <br />
| <br />
|-<br />
| [http://kanishkashowto.com/2014/06/30/vulnerawa-vulnerable-website/ Vulnerawa ]<br />
|<br />
| [http://sourceforge.net/projects/vulnerawa/ download]<br />
| <br />
| <br />
|-<br />
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]<br />
| <br />
| <br />
| Exploit.co.il<br />
| <br />
|-<br />
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]<br />
| PHP<br />
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]<br />
| <br />
| <br />
|-<br />
| [https://code.google.com/p/wavsep/ Wavsep - Web Application Vulnerability Scanner Evaluation Project ]<br />
| Java<br />
| [https://code.google.com/p/wavsep/downloads/list download] [https://code.google.com/p/wavsep/downloads/list docs]<br />
| <br />
| <br />
|-<br />
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]<br />
| Java<br />
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]<br />
| OWASP<br />
| <br />
|-<br />
| [https://owasp.codeplex.com/ WebGoat.NET]<br />
| C#<br />
| [https://owasp.codeplex.com/SourceControl/list/changesets# download]<br />
| OWASP<br />
| <br />
|-<br />
| [https://code.google.com/p/wivet/ WIVET&nbsp;- Web Input Vector Extractor Teaser]<br />
| <br />
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&amp;q= tests]<br />
| <br />
| <br />
|-<br />
|}</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195245OWASP Security Shepherd2015-05-26T10:11:01Z<p>Mark Denihan: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Project_Inventory&diff=195105OWASP Project Inventory2015-05-21T09:11:47Z<p>Mark Denihan: /* Tools [Reviewed February 2015] */ Adding Security Shepherd</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | [[Image:Owasp_banner_web_pro.jpg|800px| link=https://www.owasp.org/index.php/Category:OWASP_Project]] <br />
| align="right" | <br />
<br />
|}<br />
<br />
<br />
= Incubator Projects =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
==Incubator Projects==<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed September 2014]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Passfault|OWASP Passfault]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_EJSF_Project|OWASP EJSF Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_System_Vulnerable_Code_Project|OWASP System Vulnerable Code Project]]<br />
* [[OWASP_ISO_IEC_27034_Application_Security_Controls_Project|OWASP ISO/IEC 27034 Application Security Controls Project]]<br />
* [[OWASP_Hardened_Phalcon_Project|OWASP Hardened Phalcon Project]]<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project] [[File:Thumbsup.png|15px]]<br />
<br />
====Tools [Reviewed September 2014]====<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Androick_Project|OWASP Androïck Project]]<br />
*[[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
*[[OWASP_PHP_Portscanner_Project|OWASP PHP Portscaner Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[:Category:OWASP_Orizon_Project|OWASP Orizon Project]]<br />
*[[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
*[[OWASP_Click_Me_Project|OWASP Click Me Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_Code_Pulse_Project|OWASP Code Pulse Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_Project_Metrics|OWASP Project Metrics]]<br />
*[[OWASP_Store_Sheep_Project|OWASP Store Sheep Project]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP_URL_Checker|OWASP URL Checker]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] [[File:Thumbsup.png|15px]]<br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_ASVS_Assessment_tool | OWASP Assesment Tool]]<br />
<br />
====Documentation[Reviewed September 2014-In progress]====<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[Projects/OWASP_GoatDroid_Project|OWASP GoatDroid Project]]<br />
*[[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
*[[OWASP_University_Challenge|OWASP University Challenge]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project|WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]] [[File:Thumbsup.png|15px]] <br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Security_Principles_Project|OWASP Security Principles Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Insecure_Web_Components_Project|OWASP Insecure Web Components Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Open_Cyber_Security_Framework_Project|OWASP Open Cyber Security Framework Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Embedded_Application_Security|OWASP Embedded Application Security]]<br />
*[[OWASP_STING_Game_Project|OWASP STING Game Project]]<br />
*[[Projects/OWASP_Ruby_on_Rails_and_friends_Security_Guide|OWASP Ruby on Rails and Friends Security Guide]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project|OWASP Supporting Legacy Web Applications in the Current Environment Project]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Security_Controls_in_Web_Application_Development_Lifecycle |OWASP Security Controls in Web Application Development Lifecycle Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Product_Requirement_Recommendations_Library|OWASP_Product_Requirement_Recommendations_Library]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
<br />
====Educational Project====<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
<br />
<br />
</font><br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- DON'T REMOVE ME, I'M STRUCTURAL --><br />
<!-- There be dragons here --><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --><br />
<br />
= Labs Projects =<br />
<font size=2pt><br />
==Labs Projects==<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]] <br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[O-Saft|O-Saft]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
Code [Low Activity]<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
<br />
Documentation [Low Activity]<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
= Flagship Projects =<br />
<font size=2pt><br />
==Flagship Projects==<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
= Archived Projects =<br />
<font size=2pt><br />
<br />
== Archived Projects ==<br />
<br />
OWASP Archived Projects are inactive Labs projects. If you are interested in pursuing any of the projects below, please contact us and let us know of your interest. <br />
<br />
* [https://www.owasp.org/index.php/OWASP_WebSandBox_Project OWASP WebSandBox Project]<br />
* [https://www.owasp.org/index.php/OWASP_Focus OWASP Focus]<br />
* [https://www.owasp.org/index.php/Opa OWASP OPA]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project OWASP Web Application Security Quick Reference Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project OWASP Application Security Awareness Top 10 E-learning Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
* [https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project OWASP S.T.I.N.G Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project OWASP Application Security Assessment Standards Project]<br />
* [https://www.owasp.org/index.php/OWASP_XSSER OWASP XSSER]<br />
* [https://www.owasp.org/index.php/OWASP_Passw3rd_Project OWASP Passw3rd Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CBT_Project OWASP Computer Based Training Project (OWASP CBT Project)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project OWASP Application Security Requirements Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project OWASP AntiSamy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ultimatum_Project OWASP Ultimatum Project]<br />
* [https://www.owasp.org/index.php/OWASP_STeBB_Project OWASP STeBB Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project OWASP Security Labeling System Project]<br />
* [https://www.owasp.org/index.php/OWASP_Pygoat_Project OWASP Pygoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project OWASP HA Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Unmaskme_Project OWASP Unmaskme Project]<br />
* [https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project OWASP Simple Host Base Incidence Detection System Project]<br />
* [https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project OWASP Wordpress Security Checklist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project OWASP Windows Binary Executable Files Security Checks Project]<br />
* [https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project OWASP WS-Amplification DoS Project]<br />
* [https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server OWASP iSABEL Proxy Server]<br />
* [https://www.owasp.org/index.php/OWASP_Droid_Fusion OWASP Droid Fusion]<br />
* [https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum OWASP Java/J2EE Secure Development Curriculum]<br />
* [https://www.owasp.org/index.php/OWASP_OctoMS OWASP OctoMS]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About OWASP Web Application Security Accessibility Project]<br />
*[https://www.owasp.org/index.php/Category:OWASP_Java_Project OWASP Java Project]<br />
* [https://www.owasp.org/index.php/OWASP_1-Liner OWASP 1-Liner]<br />
* [https://www.owasp.org/index.php/OWASP_Good_Component_Practices_Project OWASP Good Component Practices Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project OWASP Access Control Rules Tester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Metrics_Project OWASP Application Security Metrics Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_AppSec_FAQ_Project OWASP AppSec FAQ Project]<br />
* [https://www.owasp.org/index.php/Asdr OWASP ASDR Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project OWASP Backend Security Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls OWASP Best Practices: Use of Web Application Firewalls]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CAL9000_Project OWASP CAL9000 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CLASP_Project OWASP CLASP Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP CodeCrawler Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Content_Validation_using_Java_Annotations_Project OWASP Content Validation using Java Annotations Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project OWASP DirBuster Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Encoding_Project OWASP Encoding Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project OWASP Google Hacking Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project OWASP Insecure Web App Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Interceptor_Project OWASP Interceptor Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool_Project OWASP JSP Testing Tool Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_LiveCD_Education_Project OWASP LiveCD Education Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Logging_Project OWASP Logging Guide]<br />
* [https://www.owasp.org/index.php/Category:OWASP_NetBouncer_Project OWASP NetBouncer Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_OpenSign_Server_Project OWASP OpenSign Server Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project OWASP Pantera Web Assessment Studio Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_PHP_Project OWASP PHP Project]<br />
* [https://www.owasp.org/index.php/ORG_%28OWASP_Report_Generator%29 OWASP Report Generator]<br />
* [https://www.owasp.org/index.php/Category:OWASP_SASAP_Project OWASP Scholastic Application Security Assessment Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project OWASP Security Analysis of Core J2EE Design Patterns Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks OWASP Security Spending Benchmarks Project]<br />
* [https://www.owasp.org/index.php/OWASP_SiteGenerator OWASP Site Generator Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project OWASP Skavenger Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project OWASP Source Code Flaws Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project OWASP Sprajax Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project OWASP Sqlibench Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Stinger_Project OWASP Stinger Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Teachable_Static_Analysis_Workbench_Project OWASP Teachable Static Analysis Workbench Project]<br />
* [https://www.owasp.org/index.php/OWASP_Tiger OWASP Tiger]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Tools_Project OWASP Tools Project]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_Uniform_Reporting_Guidelines OWASP Uniform Reporting Guidelines]<br />
* [https://www.owasp.org/index.php/Category:OWASP_WeBekci_Project OWASP Webekci Project]<br />
* [https://www.owasp.org/index.php/JBroFuzz JBroFuzz]<br />
* [https://owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto OWASP Secure Web Application Framework Manifesto]<br />
* [https://www.owasp.org/index.php/Scrubbr OWASP Scrubbr]<br />
* [https://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes OWASP JavaScript Sandboxes Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project OWASP Joomla Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hatkit_Datafiddler_Project OWASP Hatkit Datafiddler Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hatkit_Proxy_Project OWASP Hatkit Proxy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Fiddler_Addons_for_Security_Testing_Project OWASP Fiddler Addons for Security Testing Project]<br />
* [https://www.owasp.org/index.php/OWASP_Forward_Exploit_Tool_Project OWASP Forward Exploit Tool Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database OWASP Fuzzing Code Database]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Cloud_‐_10_Project OWASP Cloud ‐ 10 Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project OWASP Web Browser Testing System Project]<br />
* [https://www.owasp.org/index.php/Webscarab OWASP WebScarab Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Webslayer_Project OWASP Webslayer Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_WSFuzzer_Project OWASP WSFuzzer Project]<br />
* [http://owasp.com/index.php/Category:OWASP_Security_Assurance_Testing_of_Virtual_Worlds_Project OWASP Security Assurance Testing of Virtual Worlds Project]<br />
* [https://www.owasp.org/index.php/OWASP_WAF_Project OWASP WAF Project]<br />
* [https://www.owasp.org/index.php/OWASP_VFW_Project OWASP VFW Project]<br />
* [https://www.owasp.org/index.php/OWASP_SIMBA_Project OWASP SIMBA Project]<br />
* [https://www.owasp.org/index.php/OWASP_ONYX OWASP ONYX]<br />
* [https://www.owasp.org/index.php/OWASP_Java_Uncertain_Form_Submit_Prevention OWASP Java Uncertain Form Submit Prevention]<br />
* [https://www.owasp.org/index.php/OWASP_Ecuador OWASP Ecuador]<br />
* [https://www.owasp.org/index.php/OWASP_ESOP_Framework OWASP ESOP Framework]<br />
* [https://www.owasp.org/index.php/OWASP_Alchemist_Project OWASP Alchemist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_the_Flag_Competition_Project OWASP Secure the Flag Project]<br />
* [https://www.owasp.org/index.php/OWASP_Browser_Security_ACID_Tests_Project OWASP Browser Security ACID Test Project]<br />
* [https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool OWASP AJAX Crawling Tool]<br />
* [https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project OWASP Threat Modeling Project]<br />
* [https://www.owasp.org/index.php/OWASP_Crossword_of_the_Month OWASP Crossword of the Month]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Password_Project OWASP Secure Password Project]<br />
* [https://www.owasp.org/index.php/OWASP_Myth_Breakers_Project OWASP Myth Breakers Project]<br />
* [http://owasp.com/index.php/OWASP_Project_Partnership_Model OWASP Project Partnership Model]<br />
* [https://www.owasp.org/index.php/OWASP_Browser_Security_Project OWASP Browser Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_for_Managers OWASP Application Security Program for Managers]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project OWASP Favicon Database Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_JDIs_Project OWASP Security JDIs Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Hash_Repository OWASP File Hash Repository]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Skills_Assessment OWASP Application Security Skills Assessment]<br />
* [https://www.owasp.org/index.php/OWASP_Common_Numbering_Project OWASP Common Numbering Project]<br />
* [https://www.owasp.org/index.php/OWASP_WhatTheFuzz_Project#tab=Project_About OWASP WhatTheFuzz Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Tools_for_Developers_Project OWASP Security Tools for Developers Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Proxy OWASP Proxy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Desktop_Goat_and_Top_5_Project OWASP Desktop Goat and Top 5 Project]<br />
* [https://www.owasp.org/index.php/OWASP_AW00T OWASP AW00t]<br />
* [https://www.owasp.org/index.php/OWASP_Framework_Security_Project OWASP Framework Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Crowdtesting OWASP Crowdtesting]<br />
* [https://www.owasp.org/index.php/OWASP_OVAL_Content_Project OWASP OVAL Content Project]<br />
* [https://www.owasp.org/index.php/OWASP_Software_Security_Assurance_Process OWASP Software Security Assurance Process]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Fuzzing_Framework_Project OWASP Application Fuzzing Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_IoTs_Project OWASP IoTs Project]<br />
* [https://www.owasp.org/index.php/ESAPI_Swingset OWASP ESAPI Swingset Project]<br />
* [https://www.owasp.org/index.php/OWASP_VaultDB_Project OWASP VaultDB Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Mutillidae OWASP Mutillidae Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Yasca_Project OWASP Yasca Project]<br />
* [https://www.owasp.org/index.php/OWASP_Exams_Project OWASP Exams Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Baseline_Project OWASP Security Baseline Project]<br />
* [https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project OWASP OpenStack Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project OWASP File Format Validation Project]<br />
<br />
</font><br />
<br />
= OWASP Project Types =<br />
<br />
== Code ==<br />
* [https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project OWASP AntiSamy Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP Enterprise Security API]<br />
* [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rule Set Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASPCSRF Guard Project]<br />
* [https://www.owasp.org/index.php/Opa OWASP OPA]<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Passfault OWASP Passfault]<br />
* [https://www.owasp.org/index.php/OWASP_OctoMS OWASP OctoMS]<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework OWASP Security Research and Development Framework]<br />
* [https://www.owasp.org/index.php/OWASP_1-Liner OWASP 1-Liner]<br />
* [https://www.owasp.org/index.php/OWASP_Focus OWASP Focus]<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [https://www.owasp.org/index.php/OWASP_EJSF_Project OWASP EJSF Project]<br />
* [https://www.owasp.org/index.php/OWASP_Barbarus OWASP Barbarus]<br />
* [https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project OWASP iMAS - iOS Mobile Application Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_RBAC_Project OWASP RBAC Project]<br />
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHP Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project OWASP Simple Host Base Incidence Detection System Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project OWASP File Format Validation Project]<br />
* [https://www.owasp.org/index.php/OWASP_JAWS_Project OWASP JAWS Project]<br />
* [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project OWASP Node.js Goat Project]<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project OWASP System Vulnerable Code Project]<br />
* [https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project OWASP ISO/IEC 27034 Application Security Controls Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ultimatum_Project OWASP Ultimatum Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hardened_Phalcon_Project OWASP Hardened Phalcon Project]<br />
* [https://www.owasp.org/index.php/OWASP_Faux_Bank_Project OWASP Faux Bank Project]<br />
<br />
==Tools==<br />
* [https://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project OWASP Web Testing Environment Project]<br />
* [https://www.owasp.org/index.php/Webgoat OWASP WebGoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP Zed Attack Proxy]<br />
* [https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project OWASP Broken Web Applications Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWAsP CSRFTester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_EnDe OWASP EnDe Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project]<br />
* [https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool OWASP HTTP Post Tool]<br />
* [https://www.owasp.org/index.php/OWASP_Java_XML_Templates_Project OWASP Java XML Templates Project]<br />
* [https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework OWASP Mantra Security Framework]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Mutillidae OWASP Mutillidae Project]<br />
* [https://www.owasp.org/index.php/OWASP_O2_Platform OWASP O2 Platform]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Vicnum_Project OWASP Vicnum Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Yasca_Project OWASP Yasca Project]<br />
* [https://www.owasp.org/index.php/OWASP_NAXSI_Project OWASP NAXSI Project]<br />
* [https://www.owasp.org/index.php/OWASP_Passw3rd_Project OWASP Passw3rd Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Hash_Repository OWASP File Hash Repository]<br />
* [https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET OWASP WebGoat.NET]<br />
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]<br />
* [https://www.owasp.org/index.php/OWASP_Path_Traverser OWASP Path Traverser]<br />
* [https://www.owasp.org/index.php/OWASP_OWASP_Watiqay OWASP Watiqay]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap OWASP Security Shepherd]<br />
* [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework OWASP Xenotix XSS Exploit Framework]<br />
* [https://www.owasp.org/index.php/OWASP_Mantra_OS OWASP Mantra OS]<br />
* [https://www.owasp.org/index.php/OWASP_XSSER OWASP XSSER]<br />
* [https://www.owasp.org/index.php/OWASP_Academy_Portal_Project OWASP Academy Portal Project]<br />
* [https://www.owasp.org/index.php/OWASP_ASIDE_Project OWASP ASIDE Project]<br />
* [https://www.owasp.org/index.php/OWASP_iGoat_Project OWASP iGoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_SamuraiWTF_Project OWASP SamuraiWTF]<br />
* [https://www.owasp.org/index.php/O-Saft O-Saft]<br />
* [https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project OWASP OpenStack Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Bricks OWASP Bricks]<br />
* [https://www.owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check]<br />
* [https://www.owasp.org/index.php/OWASP_Hive_Project OWASP Hive Project]<br />
* [https://www.owasp.org/index.php/OWASP_Droid_Fusion OWASP Droid Fusion]<br />
* [https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server OWASP iSABEL Proxy Server]<br />
* [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project OWASP Rails Goat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Bywaf_Project OWASP Bywaf Project]<br />
* [https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project OWASP S.T.I.N.G Project]<br />
* [https://www.owasp.org/index.php/OWASP_VaultDB_Project OWASP VaultDB Project]<br />
* [https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project OWASP WS-Amplification DoS Project]<br />
* [https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project OWASP Mutillidae 2 Project]<br />
* [https://www.owasp.org/index.php/OWASP_Skanda_SSRF_Exploitation_Framework OWASP Skanda - SSRF Exploitation Framework]<br />
* [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP SeraphimDroid Project]<br />
* [https://www.owasp.org/index.php/OWASP_Unmaskme_Project OWASP Unmaskme Project]<br />
* [https://www.owasp.org/index.php/OWASP_Androick_Project OWASP Androïck Project]<br />
* [https://www.owasp.org/index.php/OWASP_SafeNuGet_Project OWASP SafeNuGet Project]<br />
* [https://www.owasp.org/index.php/OWASP_WebSandBox_Project OWASP WebSandBox Project]<br />
* [https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project OWASP HA Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Dependency_Track_Project OWASP Dependency Track Project]<br />
* [https://www.owasp.org/index.php/OWASP_PHP_Portscanner_Project OWASP PHP Portscaner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Pygoat_Project OWASP Pygoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Python_Security_Project OWASP Python Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Knocking_Project OWASP Web Knocking Project]<br />
* [https://www.owasp.org/index.php/OWASP_Financial_Information_Exchange_Security_Project OWASP Financial Information Exchange Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_STeBB_Project OWASP STeBB Project]<br />
* [https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project OWASP NINJA PingU Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
*[https://www.owasp.org/index.php/OWASP_PHP_Security_Training_Project OWASP PHP Security Training Project]<br />
*[https://www.owasp.org/index.php/Projects/OWASP_iOSForensic OWASP iOSForensic]<br />
*[https://www.owasp.org/index.php/OWASP_Project_Metrics OWASP Project Metrics]<br />
*[https://www.owasp.org/index.php/OWASP_Store_Sheep_Project OWASP Store Sheep Project]<br />
*[https://www.owasp.org/index.php/OWASP_SonarQube_Project OWASP SonarQube Project]<br />
*[https://www.owasp.org/index.php/OWASP_URL_Checker OWASP URL Checker]<br />
<br />
==Documentation==<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]<br />
* [https://www.owasp.org/index.php/OWASP_Codes_of_Conduct OWASP Codes of Conduct]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model OWASP Software Assurance Maturity Model(SAMM)]<br />
* [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Project]<br />
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series OWASP AppSec Tutorial Series]<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project OWASP AppSensor Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CTF_Project OWASP CTF Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Legal_Project OWASP Legal Project]<br />
* [https://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast Project]<br />
* [https://www.owasp.org/index.php/Virtual_Patching_Best_Practices Virtual Patching Best Practices]<br />
* [https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project OWASP Data Exchange Format Project]<br />
* [https://www.owasp.org/index.php/Cheat_Sheets OWASP Cheat Sheets Project]<br />
* [https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Proactive Controls]<br />
* [https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum OWASP Java/J2EE Secure Development Curriculum]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Baseline_Project OWASP Security Baseline Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About OWASP Web Application Security Accessibility Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project OWASP Application Security Requirements Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project OWASP Application Security Assessment Standards Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CBT_Project OWASP Computer Based Training Project (OWASP CBT Project)]<br />
* [https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project OWASP Enterprise Application Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Exams_Project OWASP Exams Project]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project OWASP GoatDroid Project]<br />
* [https://www.owasp.org/index.php/OWASP_RFP-Criteria OWASP Request For Proposal]<br />
* [https://www.owasp.org/index.php/OWASP_University_Challenge OWASP University Challenge]<br />
* [https://www.owasp.org/index.php/OWASP_Hacking_Lab OWASP Hacking-Lab]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project OWASP Application Security Awareness Top 10 E-learning Project]<br />
* [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities OWASP Periodic Table of Vulnerabilities]<br />
* [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)]<br />
* [https://www.owasp.org/index.php/ESAPI_Swingset OWASP ESAPI Swingset Project]<br />
* [https://www.owasp.org/index.php/OWASP_Press OWASP Press]<br />
* [https://www.owasp.org/index.php/OWASP_CISO_Survey OWASP CISO Survey]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project OWASP Application Security Guide For CISOs]<br />
* [https://www.owasp.org/index.php/OWASP_Scada_Security_Project OWASP Scada Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project OWASP Secure Application Design Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 Fuer Entwickler Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project OWASP Top 10 Privacy Risks]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project OWASP Web Application Security Quick Reference Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project OWASP Windows Binary Executable Files Security Checks Project]<br />
* [https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project OWASP Wordpress Security Checklist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project OWASP Supporting Legacy Web Applications in the Current Environment Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Principles_Project OWASP Security Principles Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ruby_on_Rails_and_friends_Security_Guide OWASP Ruby on Rails and friends Security Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Media_Project OWASP Media Project]<br />
* [https://www.owasp.org/index.php/OWASP_Global_Chapter_Meetings_Project OWASP Global Chapter Meetings Project]<br />
* [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project OWASP Vulnerable Web Applications Directory Project]<br />
* [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project OWASP Security Labeling System Project]<br />
* [https://www.owasp.org/index.php/OWASP_IoTs_Project OWASP IoTs Project]<br />
* [https://www.owasp.org/index.php/OWASP_Insecure_Web_Components_Project OWASP Insecure Web Components Project]<br />
* [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project OWASP Reverse Engineering and Code Modification Prevention Project]<br />
* [https://www.owasp.org/index.php/OWASP_Student_Chapters_Program OWASP Student Chapters Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Speakers_Project OWASP Speakers Project]<br />
* [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project OWASP Internet of Things Top Ten Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_.NET_Project OWASP .NET Project]<br />
* [https://www.owasp.org/index.php/OWASP_Research_Book_Project OWASP Research Book Project]<br />
* [https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project OWASP Open Cyber Security Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_Trumps_for_Projects OWASP Top Trumps for Projects]<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Project_Inventory&diff=195104OWASP Project Inventory2015-05-21T09:11:17Z<p>Mark Denihan: /* Tools [Reviewed September 2014] */ Removing Security Shepherd from Incubators</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
| align="right" | [[Image:Owasp_banner_web_pro.jpg|800px| link=https://www.owasp.org/index.php/Category:OWASP_Project]] <br />
| align="right" | <br />
<br />
|}<br />
<br />
<br />
= Incubator Projects =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
==Incubator Projects==<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed September 2014]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Passfault|OWASP Passfault]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_EJSF_Project|OWASP EJSF Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_System_Vulnerable_Code_Project|OWASP System Vulnerable Code Project]]<br />
* [[OWASP_ISO_IEC_27034_Application_Security_Controls_Project|OWASP ISO/IEC 27034 Application Security Controls Project]]<br />
* [[OWASP_Hardened_Phalcon_Project|OWASP Hardened Phalcon Project]]<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project] [[File:Thumbsup.png|15px]]<br />
<br />
====Tools [Reviewed September 2014]====<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Androick_Project|OWASP Androïck Project]]<br />
*[[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
*[[OWASP_PHP_Portscanner_Project|OWASP PHP Portscaner Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[:Category:OWASP_Orizon_Project|OWASP Orizon Project]]<br />
*[[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
*[[OWASP_Click_Me_Project|OWASP Click Me Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_Code_Pulse_Project|OWASP Code Pulse Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_Project_Metrics|OWASP Project Metrics]]<br />
*[[OWASP_Store_Sheep_Project|OWASP Store Sheep Project]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP_URL_Checker|OWASP URL Checker]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] [[File:Thumbsup.png|15px]]<br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_ASVS_Assessment_tool | OWASP Assesment Tool]]<br />
<br />
====Documentation[Reviewed September 2014-In progress]====<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[Projects/OWASP_GoatDroid_Project|OWASP GoatDroid Project]]<br />
*[[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
*[[OWASP_University_Challenge|OWASP University Challenge]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project|WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]] [[File:Thumbsup.png|15px]] <br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Security_Principles_Project|OWASP Security Principles Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Insecure_Web_Components_Project|OWASP Insecure Web Components Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Open_Cyber_Security_Framework_Project|OWASP Open Cyber Security Framework Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Embedded_Application_Security|OWASP Embedded Application Security]]<br />
*[[OWASP_STING_Game_Project|OWASP STING Game Project]]<br />
*[[Projects/OWASP_Ruby_on_Rails_and_friends_Security_Guide|OWASP Ruby on Rails and Friends Security Guide]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project|OWASP Supporting Legacy Web Applications in the Current Environment Project]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Security_Controls_in_Web_Application_Development_Lifecycle |OWASP Security Controls in Web Application Development Lifecycle Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Product_Requirement_Recommendations_Library|OWASP_Product_Requirement_Recommendations_Library]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
<br />
====Educational Project====<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
<br />
<br />
</font><br />
<br />
<!-- Mediawiki needs all these spaces --> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
<!-- DON'T REMOVE ME, I'M STRUCTURAL --><br />
<!-- There be dragons here --><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --><br />
<br />
= Labs Projects =<br />
<font size=2pt><br />
==Labs Projects==<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[O-Saft|O-Saft]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
Code [Low Activity]<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
<br />
Documentation [Low Activity]<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
= Flagship Projects =<br />
<font size=2pt><br />
==Flagship Projects==<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
= Archived Projects =<br />
<font size=2pt><br />
<br />
== Archived Projects ==<br />
<br />
OWASP Archived Projects are inactive Labs projects. If you are interested in pursuing any of the projects below, please contact us and let us know of your interest. <br />
<br />
* [https://www.owasp.org/index.php/OWASP_WebSandBox_Project OWASP WebSandBox Project]<br />
* [https://www.owasp.org/index.php/OWASP_Focus OWASP Focus]<br />
* [https://www.owasp.org/index.php/Opa OWASP OPA]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project OWASP Web Application Security Quick Reference Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project OWASP Application Security Awareness Top 10 E-learning Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWASP CSRFTester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
* [https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project OWASP S.T.I.N.G Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project OWASP Application Security Assessment Standards Project]<br />
* [https://www.owasp.org/index.php/OWASP_XSSER OWASP XSSER]<br />
* [https://www.owasp.org/index.php/OWASP_Passw3rd_Project OWASP Passw3rd Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CBT_Project OWASP Computer Based Training Project (OWASP CBT Project)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project OWASP Application Security Requirements Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project OWASP AntiSamy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ultimatum_Project OWASP Ultimatum Project]<br />
* [https://www.owasp.org/index.php/OWASP_STeBB_Project OWASP STeBB Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project OWASP Security Labeling System Project]<br />
* [https://www.owasp.org/index.php/OWASP_Pygoat_Project OWASP Pygoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project OWASP HA Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Unmaskme_Project OWASP Unmaskme Project]<br />
* [https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project OWASP Simple Host Base Incidence Detection System Project]<br />
* [https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project OWASP Wordpress Security Checklist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project OWASP Windows Binary Executable Files Security Checks Project]<br />
* [https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project OWASP WS-Amplification DoS Project]<br />
* [https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server OWASP iSABEL Proxy Server]<br />
* [https://www.owasp.org/index.php/OWASP_Droid_Fusion OWASP Droid Fusion]<br />
* [https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum OWASP Java/J2EE Secure Development Curriculum]<br />
* [https://www.owasp.org/index.php/OWASP_OctoMS OWASP OctoMS]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About OWASP Web Application Security Accessibility Project]<br />
*[https://www.owasp.org/index.php/Category:OWASP_Java_Project OWASP Java Project]<br />
* [https://www.owasp.org/index.php/OWASP_1-Liner OWASP 1-Liner]<br />
* [https://www.owasp.org/index.php/OWASP_Good_Component_Practices_Project OWASP Good Component Practices Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project OWASP Access Control Rules Tester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Metrics_Project OWASP Application Security Metrics Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_AppSec_FAQ_Project OWASP AppSec FAQ Project]<br />
* [https://www.owasp.org/index.php/Asdr OWASP ASDR Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project OWASP Backend Security Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls OWASP Best Practices: Use of Web Application Firewalls]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CAL9000_Project OWASP CAL9000 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CLASP_Project OWASP CLASP Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP CodeCrawler Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Content_Validation_using_Java_Annotations_Project OWASP Content Validation using Java Annotations Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project OWASP DirBuster Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Encoding_Project OWASP Encoding Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project OWASP Google Hacking Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project OWASP Insecure Web App Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Interceptor_Project OWASP Interceptor Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool_Project OWASP JSP Testing Tool Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_LiveCD_Education_Project OWASP LiveCD Education Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Logging_Project OWASP Logging Guide]<br />
* [https://www.owasp.org/index.php/Category:OWASP_NetBouncer_Project OWASP NetBouncer Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_OpenSign_Server_Project OWASP OpenSign Server Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project OWASP Pantera Web Assessment Studio Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_PHP_Project OWASP PHP Project]<br />
* [https://www.owasp.org/index.php/ORG_%28OWASP_Report_Generator%29 OWASP Report Generator]<br />
* [https://www.owasp.org/index.php/Category:OWASP_SASAP_Project OWASP Scholastic Application Security Assessment Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project OWASP Security Analysis of Core J2EE Design Patterns Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks OWASP Security Spending Benchmarks Project]<br />
* [https://www.owasp.org/index.php/OWASP_SiteGenerator OWASP Site Generator Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Skavenger_Project OWASP Skavenger Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project OWASP Source Code Flaws Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project OWASP Sprajax Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project OWASP Sqlibench Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Stinger_Project OWASP Stinger Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Teachable_Static_Analysis_Workbench_Project OWASP Teachable Static Analysis Workbench Project]<br />
* [https://www.owasp.org/index.php/OWASP_Tiger OWASP Tiger]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Tools_Project OWASP Tools Project]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_Uniform_Reporting_Guidelines OWASP Uniform Reporting Guidelines]<br />
* [https://www.owasp.org/index.php/Category:OWASP_WeBekci_Project OWASP Webekci Project]<br />
* [https://www.owasp.org/index.php/JBroFuzz JBroFuzz]<br />
* [https://owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto OWASP Secure Web Application Framework Manifesto]<br />
* [https://www.owasp.org/index.php/Scrubbr OWASP Scrubbr]<br />
* [https://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes OWASP JavaScript Sandboxes Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project OWASP Joomla Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hatkit_Datafiddler_Project OWASP Hatkit Datafiddler Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hatkit_Proxy_Project OWASP Hatkit Proxy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Fiddler_Addons_for_Security_Testing_Project OWASP Fiddler Addons for Security Testing Project]<br />
* [https://www.owasp.org/index.php/OWASP_Forward_Exploit_Tool_Project OWASP Forward Exploit Tool Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database OWASP Fuzzing Code Database]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Cloud_‐_10_Project OWASP Cloud ‐ 10 Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project OWASP Web Browser Testing System Project]<br />
* [https://www.owasp.org/index.php/Webscarab OWASP WebScarab Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Webslayer_Project OWASP Webslayer Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_WSFuzzer_Project OWASP WSFuzzer Project]<br />
* [http://owasp.com/index.php/Category:OWASP_Security_Assurance_Testing_of_Virtual_Worlds_Project OWASP Security Assurance Testing of Virtual Worlds Project]<br />
* [https://www.owasp.org/index.php/OWASP_WAF_Project OWASP WAF Project]<br />
* [https://www.owasp.org/index.php/OWASP_VFW_Project OWASP VFW Project]<br />
* [https://www.owasp.org/index.php/OWASP_SIMBA_Project OWASP SIMBA Project]<br />
* [https://www.owasp.org/index.php/OWASP_ONYX OWASP ONYX]<br />
* [https://www.owasp.org/index.php/OWASP_Java_Uncertain_Form_Submit_Prevention OWASP Java Uncertain Form Submit Prevention]<br />
* [https://www.owasp.org/index.php/OWASP_Ecuador OWASP Ecuador]<br />
* [https://www.owasp.org/index.php/OWASP_ESOP_Framework OWASP ESOP Framework]<br />
* [https://www.owasp.org/index.php/OWASP_Alchemist_Project OWASP Alchemist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_the_Flag_Competition_Project OWASP Secure the Flag Project]<br />
* [https://www.owasp.org/index.php/OWASP_Browser_Security_ACID_Tests_Project OWASP Browser Security ACID Test Project]<br />
* [https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool OWASP AJAX Crawling Tool]<br />
* [https://www.owasp.org/index.php/OWASP_Threat_Modelling_Project OWASP Threat Modeling Project]<br />
* [https://www.owasp.org/index.php/OWASP_Crossword_of_the_Month OWASP Crossword of the Month]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Password_Project OWASP Secure Password Project]<br />
* [https://www.owasp.org/index.php/OWASP_Myth_Breakers_Project OWASP Myth Breakers Project]<br />
* [http://owasp.com/index.php/OWASP_Project_Partnership_Model OWASP Project Partnership Model]<br />
* [https://www.owasp.org/index.php/OWASP_Browser_Security_Project OWASP Browser Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Program_for_Managers OWASP Application Security Program for Managers]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project OWASP Favicon Database Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_JDIs_Project OWASP Security JDIs Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Hash_Repository OWASP File Hash Repository]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Skills_Assessment OWASP Application Security Skills Assessment]<br />
* [https://www.owasp.org/index.php/OWASP_Common_Numbering_Project OWASP Common Numbering Project]<br />
* [https://www.owasp.org/index.php/OWASP_WhatTheFuzz_Project#tab=Project_About OWASP WhatTheFuzz Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Tools_for_Developers_Project OWASP Security Tools for Developers Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Proxy OWASP Proxy Project]<br />
* [https://www.owasp.org/index.php/OWASP_Desktop_Goat_and_Top_5_Project OWASP Desktop Goat and Top 5 Project]<br />
* [https://www.owasp.org/index.php/OWASP_AW00T OWASP AW00t]<br />
* [https://www.owasp.org/index.php/OWASP_Framework_Security_Project OWASP Framework Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Crowdtesting OWASP Crowdtesting]<br />
* [https://www.owasp.org/index.php/OWASP_OVAL_Content_Project OWASP OVAL Content Project]<br />
* [https://www.owasp.org/index.php/OWASP_Software_Security_Assurance_Process OWASP Software Security Assurance Process]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Fuzzing_Framework_Project OWASP Application Fuzzing Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_IoTs_Project OWASP IoTs Project]<br />
* [https://www.owasp.org/index.php/ESAPI_Swingset OWASP ESAPI Swingset Project]<br />
* [https://www.owasp.org/index.php/OWASP_VaultDB_Project OWASP VaultDB Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Mutillidae OWASP Mutillidae Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Yasca_Project OWASP Yasca Project]<br />
* [https://www.owasp.org/index.php/OWASP_Exams_Project OWASP Exams Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Baseline_Project OWASP Security Baseline Project]<br />
* [https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project OWASP OpenStack Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project OWASP File Format Validation Project]<br />
<br />
</font><br />
<br />
= OWASP Project Types =<br />
<br />
== Code ==<br />
* [https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project OWASP AntiSamy Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP Enterprise Security API]<br />
* [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project OWASP ModSecurity Core Rule Set Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASPCSRF Guard Project]<br />
* [https://www.owasp.org/index.php/Opa OWASP OPA]<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Passfault OWASP Passfault]<br />
* [https://www.owasp.org/index.php/OWASP_OctoMS OWASP OctoMS]<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework OWASP Security Research and Development Framework]<br />
* [https://www.owasp.org/index.php/OWASP_1-Liner OWASP 1-Liner]<br />
* [https://www.owasp.org/index.php/OWASP_Focus OWASP Focus]<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [https://www.owasp.org/index.php/OWASP_EJSF_Project OWASP EJSF Project]<br />
* [https://www.owasp.org/index.php/OWASP_Barbarus OWASP Barbarus]<br />
* [https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project OWASP iMAS - iOS Mobile Application Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_RBAC_Project OWASP RBAC Project]<br />
* [https://www.owasp.org/index.php/OWASP_PHP_Security_Project OWASP PHP Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project OWASP Simple Host Base Incidence Detection System Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project OWASP File Format Validation Project]<br />
* [https://www.owasp.org/index.php/OWASP_JAWS_Project OWASP JAWS Project]<br />
* [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project OWASP Node.js Goat Project]<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project OWASP System Vulnerable Code Project]<br />
* [https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project OWASP ISO/IEC 27034 Application Security Controls Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ultimatum_Project OWASP Ultimatum Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hardened_Phalcon_Project OWASP Hardened Phalcon Project]<br />
* [https://www.owasp.org/index.php/OWASP_Faux_Bank_Project OWASP Faux Bank Project]<br />
<br />
==Tools==<br />
* [https://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project OWASP Web Testing Environment Project]<br />
* [https://www.owasp.org/index.php/Webgoat OWASP WebGoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP Zed Attack Proxy]<br />
* [https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project OWASP Broken Web Applications Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project OWAsP CSRFTester Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_EnDe OWASP EnDe Project]<br />
* [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project]<br />
* [https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool OWASP HTTP Post Tool]<br />
* [https://www.owasp.org/index.php/OWASP_Java_XML_Templates_Project OWASP Java XML Templates Project]<br />
* [https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework OWASP Mantra Security Framework]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Mutillidae OWASP Mutillidae Project]<br />
* [https://www.owasp.org/index.php/OWASP_O2_Platform OWASP O2 Platform]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Vicnum_Project OWASP Vicnum Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
* [https://www.owasp.org/index.php/Project_Information:template_Yasca_Project OWASP Yasca Project]<br />
* [https://www.owasp.org/index.php/OWASP_NAXSI_Project OWASP NAXSI Project]<br />
* [https://www.owasp.org/index.php/OWASP_Passw3rd_Project OWASP Passw3rd Project]<br />
* [https://www.owasp.org/index.php/OWASP_File_Hash_Repository OWASP File Hash Repository]<br />
* [https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET OWASP WebGoat.NET]<br />
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]<br />
* [https://www.owasp.org/index.php/OWASP_Path_Traverser OWASP Path Traverser]<br />
* [https://www.owasp.org/index.php/OWASP_OWASP_Watiqay OWASP Watiqay]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap OWASP Security Shepherd]<br />
* [https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework OWASP Xenotix XSS Exploit Framework]<br />
* [https://www.owasp.org/index.php/OWASP_Mantra_OS OWASP Mantra OS]<br />
* [https://www.owasp.org/index.php/OWASP_XSSER OWASP XSSER]<br />
* [https://www.owasp.org/index.php/OWASP_Academy_Portal_Project OWASP Academy Portal Project]<br />
* [https://www.owasp.org/index.php/OWASP_ASIDE_Project OWASP ASIDE Project]<br />
* [https://www.owasp.org/index.php/OWASP_iGoat_Project OWASP iGoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_SamuraiWTF_Project OWASP SamuraiWTF]<br />
* [https://www.owasp.org/index.php/O-Saft O-Saft]<br />
* [https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project OWASP OpenStack Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Bricks OWASP Bricks]<br />
* [https://www.owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check]<br />
* [https://www.owasp.org/index.php/OWASP_Hive_Project OWASP Hive Project]<br />
* [https://www.owasp.org/index.php/OWASP_Droid_Fusion OWASP Droid Fusion]<br />
* [https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server OWASP iSABEL Proxy Server]<br />
* [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project OWASP Rails Goat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Bywaf_Project OWASP Bywaf Project]<br />
* [https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project OWASP S.T.I.N.G Project]<br />
* [https://www.owasp.org/index.php/OWASP_VaultDB_Project OWASP VaultDB Project]<br />
* [https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project OWASP WS-Amplification DoS Project]<br />
* [https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project OWASP Mutillidae 2 Project]<br />
* [https://www.owasp.org/index.php/OWASP_Skanda_SSRF_Exploitation_Framework OWASP Skanda - SSRF Exploitation Framework]<br />
* [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP SeraphimDroid Project]<br />
* [https://www.owasp.org/index.php/OWASP_Unmaskme_Project OWASP Unmaskme Project]<br />
* [https://www.owasp.org/index.php/OWASP_Androick_Project OWASP Androïck Project]<br />
* [https://www.owasp.org/index.php/OWASP_SafeNuGet_Project OWASP SafeNuGet Project]<br />
* [https://www.owasp.org/index.php/OWASP_WebSandBox_Project OWASP WebSandBox Project]<br />
* [https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project OWASP HA Vulnerability Scanner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Dependency_Track_Project OWASP Dependency Track Project]<br />
* [https://www.owasp.org/index.php/OWASP_PHP_Portscanner_Project OWASP PHP Portscaner Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Pygoat_Project OWASP Pygoat Project]<br />
* [https://www.owasp.org/index.php/OWASP_Python_Security_Project OWASP Python Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Knocking_Project OWASP Web Knocking Project]<br />
* [https://www.owasp.org/index.php/OWASP_Financial_Information_Exchange_Security_Project OWASP Financial Information Exchange Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_STeBB_Project OWASP STeBB Project]<br />
* [https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project OWASP NINJA PingU Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
*[https://www.owasp.org/index.php/OWASP_PHP_Security_Training_Project OWASP PHP Security Training Project]<br />
*[https://www.owasp.org/index.php/Projects/OWASP_iOSForensic OWASP iOSForensic]<br />
*[https://www.owasp.org/index.php/OWASP_Project_Metrics OWASP Project Metrics]<br />
*[https://www.owasp.org/index.php/OWASP_Store_Sheep_Project OWASP Store Sheep Project]<br />
*[https://www.owasp.org/index.php/OWASP_SonarQube_Project OWASP SonarQube Project]<br />
*[https://www.owasp.org/index.php/OWASP_URL_Checker OWASP URL Checker]<br />
<br />
==Documentation==<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project]<br />
* [https://www.owasp.org/index.php/OWASP_Codes_of_Conduct OWASP Codes of Conduct]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model OWASP Software Assurance Maturity Model(SAMM)]<br />
* [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Project]<br />
* [https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series OWASP AppSec Tutorial Series]<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project OWASP AppSensor Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CTF_Project OWASP CTF Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Legal_Project OWASP Legal Project]<br />
* [https://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast Project]<br />
* [https://www.owasp.org/index.php/Virtual_Patching_Best_Practices Virtual Patching Best Practices]<br />
* [https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project OWASP Data Exchange Format Project]<br />
* [https://www.owasp.org/index.php/Cheat_Sheets OWASP Cheat Sheets Project]<br />
* [https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Proactive Controls]<br />
* [https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum OWASP Java/J2EE Secure Development Curriculum]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Baseline_Project OWASP Security Baseline Project]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About OWASP Web Application Security Accessibility Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project OWASP Application Security Requirements Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project OWASP Application Security Assessment Standards Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_CBT_Project OWASP Computer Based Training Project (OWASP CBT Project)]<br />
* [https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project OWASP Enterprise Application Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Exams_Project OWASP Exams Project]<br />
* [https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project OWASP GoatDroid Project]<br />
* [https://www.owasp.org/index.php/OWASP_RFP-Criteria OWASP Request For Proposal]<br />
* [https://www.owasp.org/index.php/OWASP_University_Challenge OWASP University Challenge]<br />
* [https://www.owasp.org/index.php/OWASP_Hacking_Lab OWASP Hacking-Lab]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project OWASP Application Security Awareness Top 10 E-learning Project]<br />
* [https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities OWASP Periodic Table of Vulnerabilities]<br />
* [https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)]<br />
* [https://www.owasp.org/index.php/ESAPI_Swingset OWASP ESAPI Swingset Project]<br />
* [https://www.owasp.org/index.php/OWASP_Press OWASP Press]<br />
* [https://www.owasp.org/index.php/OWASP_CISO_Survey OWASP CISO Survey]<br />
* [https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project OWASP Application Security Guide For CISOs]<br />
* [https://www.owasp.org/index.php/OWASP_Scada_Security_Project OWASP Scada Security Project]<br />
* [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project OWASP Secure Application Design Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 Fuer Entwickler Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project OWASP Top 10 Privacy Risks]<br />
* [https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project OWASP Web Application Security Quick Reference Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project OWASP Windows Binary Executable Files Security Checks Project]<br />
* [https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project OWASP Wordpress Security Checklist Project]<br />
* [https://www.owasp.org/index.php/OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project OWASP Supporting Legacy Web Applications in the Current Environment Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Principles_Project OWASP Security Principles Project]<br />
* [https://www.owasp.org/index.php/OWASP_Ruby_on_Rails_and_friends_Security_Guide OWASP Ruby on Rails and friends Security Guide Project]<br />
* [https://www.owasp.org/index.php/OWASP_Media_Project OWASP Media Project]<br />
* [https://www.owasp.org/index.php/OWASP_Global_Chapter_Meetings_Project OWASP Global Chapter Meetings Project]<br />
* [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project OWASP Vulnerable Web Applications Directory Project]<br />
* [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project OWASP Security Labeling System Project]<br />
* [https://www.owasp.org/index.php/OWASP_IoTs_Project OWASP IoTs Project]<br />
* [https://www.owasp.org/index.php/OWASP_Insecure_Web_Components_Project OWASP Insecure Web Components Project]<br />
* [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project OWASP Reverse Engineering and Code Modification Prevention Project]<br />
* [https://www.owasp.org/index.php/OWASP_Student_Chapters_Program OWASP Student Chapters Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Speakers_Project OWASP Speakers Project]<br />
* [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project OWASP Internet of Things Top Ten Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_.NET_Project OWASP .NET Project]<br />
* [https://www.owasp.org/index.php/OWASP_Research_Book_Project OWASP Research Book Project]<br />
* [https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project OWASP Open Cyber Security Framework Project]<br />
* [https://www.owasp.org/index.php/OWASP_Top_Trumps_for_Projects OWASP Top Trumps for Projects]<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195079OWASP Security Shepherd2015-05-20T13:54:19Z<p>Mark Denihan: /* Recent News and Events */ Fixing Date</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2014] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195038OWASP Security Shepherd2015-05-19T23:10:06Z<p>Mark Denihan: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195037OWASP Security Shepherd2015-05-19T23:08:24Z<p>Mark Denihan: Adding "Why Use Shepherd" Section</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
== Why use Security Shepherd? ==<br />
<br />
* '''Wide Topic Coverage: ''' Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.<br />
* '''Gentle Learning Curve: ''' Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.<br />
* '''Layman Write Ups:''' Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.<br />
* '''Real World Examples: ''' The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.<br />
* '''Scalability:''' Shepherd can be used locally by a single user or easily as a server for a high amount of users. <br />
* '''Highly Customisable:''' Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)<br />
* '''Perfect for Classrooms:''' Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. <br />
* '''Scoreboard:''' Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. <br />
* '''User Management:''' Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.<br />
* '''Robust Service:''' Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. <br />
* '''Configurable Feedback:''' An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.<br />
* '''Granular Logging:''' The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. <br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195023OWASP Security Shepherd2015-05-19T15:28:25Z<p>Mark Denihan: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project|OWASP Webgoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195022OWASP Security Shepherd2015-05-19T15:27:34Z<p>Mark Denihan: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project OWASP WebGoat Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195020OWASP Security Shepherd2015-05-19T15:22:28Z<p>Mark Denihan: Phrasing</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
The OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and helps them exploit a text book version of the issue. Challenges include poor security mitigations to vulnerabilities which have left room for users to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Shepherd's security risks are delivered through hardened real vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195018OWASP Security Shepherd2015-05-19T15:10:05Z<p>Mark Denihan: /* Topic Coverage */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take any user, from AppSec novice to experienced engineer, and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and help them exploit a text book version of the issue. Challenges include poor security mitigations to the security risk which have left room for user's to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Security Shepherd's security risks are delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web and mobile application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=195017OWASP Security Shepherd2015-05-19T15:09:29Z<p>Mark Denihan: Wiki Restruture</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Security Shepherd==<br />
<br />
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take any user, from AppSec novice to experienced engineer, and sharpen their penetration testing skillset to security expert status.<br />
<br />
==Description==<br />
<br />
OWASP Security Shepherd project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished by presenting security risk concepts to users in lessons followed by challenges. A lesson provides a user with help in layman terms about a specific security risk, and help them exploit a text book version of the issue. Challenges include poor security mitigations to the security risk which have left room for user's to exploit.<br />
<br />
Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Security Shepherd's security risks are delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Shepherd does not simulate security risks so that all and any attack vectors will work, ensuring a real world response. <br />
<br />
Security Shepherd is highly configurable. System administrators can tune the project experience to present specific security risk topics or even specific Security Shepherd modules. The array of user and module configuration available allows Shepherd to be used by a single local user, by many in a competitive classroom environment or by hundreds in an online hacking competition. <br />
<br />
==Layout Options==<br />
<br />
An administrator user of Security Shepherd can change the layout in which the levels are presented to players. There are three options:<br />
<br />
'''CTF Mode'''<br />
<br />
When Shepherd has been deployed in the CTF mode, a user can only access one uncompleted module at a time. The first module presented to the user is the easiest in Security Shepherd, which has not been marked as closed by the administrator. The levels increase slowly in difficulty and jump from one topic to another. This layout is the recommended setting when using Security Shepherd for a competitive training scenario.<br />
<br />
'''Open Floor'''<br />
<br />
When Shepherd has been deployed in the Open Floor mode, a user can access any level that is marked as open by the admin. Modules are sorted into their Security Risk Categories, and the lessons are presented first. This layout is ideal for users wishing to explore security risks. <br />
<br />
'''Tournament Mode'''<br />
<br />
When Shepherd has been deployed in the Tournament Mode, a user can access any level that is marked as open by the admin. Modules are sorted into difficulty bands, from least to most difficult. This layout is ideal when Shepherd is being utilised as an open application security competition. <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:350px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is Security Shepherd? ==<br />
<br />
OWASP Security Shepherd provides:<br />
<br />
* Teaching Tool for All Application Security<br />
* Web Application Pen Testing Training<br />
* Mobile Application Pen Testing Training<br />
* Safe Playground to Practise AppSec Techniques<br />
* Real Security Risk Examples<br />
<br />
==Topic Coverage==<br />
The Security Shepherd project covers the following web application security topics;<br />
<br />
*[[Top_10_2013-A1|SQL Injection]]<br />
*[[Top_10_2013-A2|Broken Authentication and Session Management]]<br />
*[[Top_10_2013-A3|Cross Site Scripting]]<br />
*[[Top_10_2013-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2013-A6|Sensitive Data Exposure]]<br />
*[[Top_10_2013-A7|Missing Function Level Access Control]]<br />
*[[Top_10_2013-A8|Cross Site Request Forgery]]<br />
*[[Top 10 2013-A10|Unvalidated Redirects and Forwards]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M5|Poor Authentication and Authorisation]]<br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_WebGoat_Project]]<br />
<br />
==Licensing==<br />
The Security Shepherd project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.<br />
<br />
The Security Shepherd project is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for more details. See http://www.gnu.org/licenses/ .<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:250px;" | <br />
<br />
== Download ==<br />
<br />
* [https://sourceforge.net/projects/owaspshepherd/files/ OWASP Security Shepherd SourceForge]<br />
<br />
== Presentation ==<br />
<br />
[https://www.youtube.com/watch?v=-brsnYrksAI AppSecEU 2014 Video]<br />
<br />
[http://2014.appsec.eu/wp-content/uploads/2014/07/Sean.Duggan-OWASP-Security-Shepherd-Mobile-Web-Security-Awareness-and-Education.pdf AppSecEU 2014 Presentation]<br />
<br />
== Project Leaders ==<br />
<br />
Mark Denihan - mark.denihan@owasp.org<br />
<br />
Sean Duggan - sean.duggan@owasp.org <br />
<br />
== Recent News and Events ==<br />
* [May 2015] Security Shepherd @ AppSecEU 2015 Project Summit<br />
* [May 2015] Shepherd v2.3 Released<br />
* [April 2015] Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
* [December 2015] Shepherd V2.2 Released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
; Q1 Can I Re-Skin Shepherd and then Train People With it?<br />
: A1 Yes! Shepherd plans to include this in-app in version 2.4<br />
<br />
; Q2 Where can I access Security Shepherd?<br />
: A2 You can Download it and run it yourself, ask your lecturer to, and we tend to have a public environment available at https://owasp.securityshepherd.eu/ . It operates on a Research Network in ITB's Security Research Lab, so it can be in a state of flux.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
OWASP Security Shepherd is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Mark Denihan<br />
* Sean Duggan<br />
* Ciaran Napier<br />
* Jason Flood<br />
* Patrick Hanily<br />
* Peter Dolan<br />
<br />
The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please contact Mark.denihan@owasp.org<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org. The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education. Check out the project [http://bit.ly/securityShepherdGithub GitHub] and find some issues that you can help with right away.<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
==Other==<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to DIT for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2015] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
<br />
[[File:BccRiskAdvisoryLogo.jpg]]<br />
<br />
[[File:EdgescanLogo.jpg]]<br />
<br />
=Setup Help=<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
=Screenshots=<br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|left|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|left|Competitive Learning Environment]] [[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|left|Easy configuration to suit every use]]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Tool]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=195003Category:OWASP Project2015-05-19T11:17:16Z<p>Mark Denihan: Removing OWASP Security Shepherd from Incubators</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
|<br />
| align="right" | <br />
<br />
|}<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
= Welcome =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
<br />
=== Welcome to the OWASP Global Projects Page ===<br />
<br />
An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 142 active projects, and new project applications are submitted every week. <br />
<br />
This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page. A summary of recent project announcements is available on the [[OWASP Updates]] page. <br />
<br />
Download the '''[[Media:PROJECT_LEADER-HANDBOOK_2014.pdf|OWASP Project Handbook 2014]]'''<br />
<br />
'''[[OWASP_2014_Project_Handbook|OWASP Project Handbook Wiki 2014]]'''<br />
<br />
Download the '''[[Media:OWASP_Projects_Handbook_2013.pdf|OWASP Projects Handbook 2013]]'''<br />
<br />
'''[[Project_Online_Resources|Project Online Resources]]'''<br />
<br />
=== Who Should Start an OWASP Project? ===<br />
<br />
*Application Developers. <br />
*Software Architects. <br />
* Information Security Authors. <br />
*Those who would like the support of a world wide professional community to develop or test an idea.<br />
*Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer.<br />
<br />
=== Contact Us===<br />
<br />
If you have any questions, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us] by using the form provided here. Please allow five working days for your question or comment to be answered. This is due to the large amount of queries the foundation staff receive every day. We thank you for your patience. <br />
<br />
=== OWASP Project Inventory ===<br />
<br />
All OWASP tools, document, and code library projects are organized into the following [[OWASP_Project_Stages|categories:]] <br />
<br />
* '''[[OWASP_Project_Inventory#Flagship_Projects|Flagship Projects:]]''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
* '''[[OWASP_Project_Inventory#Labs_Projects|Lab Projects:]]''' OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. <br />
<br />
* '''[[OWASP_Project_Inventory#Incubator_Projects|Incubator Projects:]]''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.<br />
<br />
=== Social Media ===<br />
<br />
We recommend using the links below to find our official OWASP social media channels. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world. They are all updated regularly by chapter leaders, project leaders, the OWASP Board Members, and our OWASP Staff. If you have any questions or concerns about any of these accounts, please drop us a line using our [http://www.tfaforms.com/308703 "Contact Us"] form found above. <br />
<br />
[[Image:Blogger-32x32.png|32px|link=http://owasp.blogspot.co.uk/]] [[Image:Twitter-32x32.png|32px|link=https://twitter.com/OWASP]] [[Image:Facebook-32x32.png|32px|link=https://www.facebook.com/groups/172892372831444/]] [[Image:Linkedin-32x32.png|32px|link=http://www.linkedin.com/groups/Global-OWASP-Foundation-36874]] [[Image:Google-32x32.png|32px|link=https://plus.google.com/u/0/communities/105181517914716500346?cfem=1]] [[Image:Ning-32x32.png|32px|link=http://myowasp.ning.com/]]<br />
<!-- Twitter Box --> <br />
</font><br />
<br />
|}<br />
<br />
| style="border: 3px solid rgb(204, 204, 204); vertical-align: top; width: 95%; font-size: 95%; color: rgb(0, 0, 0);" | <br />
<div style="padding:2em;padding-bottom:0px;"><!-- DON'T REMOVE ME, I'M STRUCTURAL; also 2 empty lines between images --><br />
<br />
<br />
[[Image:New_initiatives.png|center|300px| link=http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing]] <br />
<br />
<br />
[[Image:Donate_here_banner.png|center|300px| link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
</div><br />
<br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
<br />
= Project Inventory =<br />
<font size=2pt><br />
<br />
The Project Dashboard lists the all project information at a glance, including release links, the current status of the project and project leader contact information. The Project Dashboard can be found here: https://www.owasp.org/index.php/OWASP_Project_Dashboard<br />
<br />
==Flagship Projects==<br />
[[File:Flagship_banner.jpg]]<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
After a major review process [[https://www.owasp.org/index.php/LAB_Projects_Code_Analysis_Report More info here]] the following projects are considered to be flagship candidate projects. These project have been evaluated more deeply to confirm their flagship status:<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
==Labs Projects==<br />
[[File:Lab banner.jpg]]<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[OWASP_WebGoat_Project|WebGoat]]<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[O-Saft|O-Saft]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]<br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
*[[OWASP_Code_Pulse_Project| OWASP Code Pulse]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
[[File:low_activity.jpg]]<br />
<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
'''Code [Low Activity]'''<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
* [[OWASP_Joomla_Vulnerability_Scanner_Project]]<br />
<br />
'''Documentation [Low Activity]'''<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
==Incubator Projects==<br />
[[File:Incubator_banner.jpg]]<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed March 2015]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]<br />
<br />
<br />
=====Code: Low Activity=====<br />
<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]]<br />
<br />
====Research====<br />
* [[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]]<br />
<br />
====Tools [Review in progress-April 2015]====<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]]<br />
* [[OWASP_Droid10_Project|OWASP Droid]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
*[[Benchmark|OWASP WebGoat Benchmark]]<br />
*[[OWASP_WAP-Web_Application_Protection|WAP Web Application_Protection]]<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] <br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] <br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] <br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] <br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]]<br />
<br />
====Documentation[Review: May 2015]====<br />
*[[OWASP Automated Threats to Web Applications]]<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Security_Controls_in_Web_Application_Development_Lifecycle |OWASP Security Controls in Web Application Development Lifecycle Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Product_Requirement_Recommendations_Library|OWASP_Product_Requirement_Recommendations_Library]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
* [[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
<br />
==Educational Initiatives==<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
<br />
==Donated Projects==<br />
<br />
OWASP Donated Projects are inactive projects that have been donated to the OWASP Projects Infrastructure. <br />
<br />
====Tools====<br />
<br />
* [[OWASP_Excess_XSS_Project|OWASP Excess XSS Project]]<br />
* [[OWASP_JOTP_Project|OWASP jOTP Project]]<br />
<br />
==OWASP Archived Projects==<br />
OWASP Archived Projects are projects that have developed outside OWASP umbrella or have become inactive. If you are interested in pursuing any of the inactive projects (click hyperlink for list), please contact us and let us know of your interest.<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_Project_Archived_Projects<br />
<br />
= Project Task Force =<br />
<br />
<br />
====OWASP Project Task Force====<br />
<br />
{{:Task_Force/OWASP_Projects}}<br />
<br />
= Online Resources =<br />
<br />
===Project Online Resources===<br />
<br />
{{:Project_Online_Resources}}<br />
<br />
<br />
= Starting a New Project =<br />
<font size=2pt><br />
== So you want to start a project... ==<br />
<br />
Starting an OWASP project is quite easy, and your desire to contribute and make it happen is essential.<br />
[[File:HowToStartProjectoWasp.png | 600px | right]]<br />
<br />
Here are some of the guidelines for running a successful OWASP project:<br />
<br />
-Start exploring the actual OWASP projects Inventory. Many projects handle specific areas of security it is a good idea to start looking how other successful projects do this (LABS/Flagship)<br />
<br />
-Place your idea or project on the [https://www.owasp.org/index.php/Project_Ideas_Board#From_Idea_to_Project_Incubator Project Ideas Board].This phase will help you to define the project goals and also explore and exchange with other OWASP leaders and volunteers how to develop the idea into a tangible project<br />
<br />
-Explore and research if your idea covers a unique segment in the Security arena.Think of your project as a product, if you really want people using it, think how this project will cover a necessity in the security area you are working on <br />
<br />
-Define what kind of project you would like to start. Is it a code, tool or documentation?<br />
<br />
-Communicate through the Project leader mailing list about your idea and get feedback and meet potential contributors<br />
<br />
-Develop your project based on the type of project. For example if you are willing to start a documentation project, begin by defining a Table of Content and work it through with potential contributors. First of all begin by creating a Road-map for your project. This is essential to submit your project. We highly recommend to read documentation such as "[http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf How to start /run a successful Open Source Projects]". <br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 500px | left]]<br />
<br />
Some recommendations on how to start a documentation project<br />
[[https://www.owasp.org/index.php/File:Document_Guide_(1).png| Document Guide Project]]<br />
<br />
===Importance of a well thought out Road-map===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
* Start defining a development, documentation and marketing plan for your project. Set short , medium and long term plans. Include promotion of your project, this is very important in order to engage users and consumers of your project. Contact project coordinator and the Project Task Force to help you achieve this goal. You ''can'' run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.<br />
<br />
* You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.<br />
<br />
* Available Grants to consider if you need funding - [[Grants|Click Here]]<br />
<br />
* You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!<br />
<br />
== Creating a new project ==<br />
Once you have passed the Project Ideas phase, then you will be ready to start a new project<br />
To Submit your project please use the following form<br />
. [http://www.tfaforms.com/263506 Please submit a new project application here].<br />
<br />
<br />
* You will need to gather the following information together for your application:<br />
A - PROJECT<br />
# Project Name,<br />
# Project purpose / overview,<br />
# Project Roadmap,<br />
# Project links (if any) to external sites,<br />
# [[Guidelines_for_OWASP_Projects#Project_Licensing|Project License],]<br />
# Project Leader name,<br />
# Project Leader email address,<br />
# Project Leader wiki account - the username (you'll need this to edit the wiki),<br />
# Project Contributor(s) (if any) - name email and wiki account (if any),<br />
# Project Main Links (if any).<br />
# For Documentation: A table of Contents<br />
# For Code: A prototype hosted in an open source repository of your choice. Make sure it has read access.<br />
<br />
* Check out the '''[[Guidelines for OWASP Projects]]'''.<br />
* [[Grant_Spending_Policy|Grant Spending Policy]]<br />
* [[Project_Spending_Policy|Project Spending Policy]]<br />
* [[Project_Sponsorship_Operational_Guidelines|Project Sponsorship Operational Guidelines]]<br />
<br />
==OWASP Recommended Licenses==<br />
<br />
{{Recommended_Licenses}}<br />
<br />
==Funding your Project==<br />
An OWASP project does not receive any funding for development at project inception; however, a new project does have the opportunity to submit a request to receive funds if they are available for the year. Additionally, project leaders have the option of seeking sponsorship from outside organizations, but project leaders are required to seek funding through their own initiative. Please contact the OWASP Projects Manager for more information. <br />
<br />
== Project Release ==<br />
<br />
As your project reaches a point that you'd like OWASP to assist in its promotion, the will need the following information to help spread the word about your project:<br />
<br />
# Short 5 sentence paragraph outlining what your project is about, what you hope to accomplish with your project, what value your project brings to software security, and contributor and project leader names and contact information.<br />
# Link to your wiki page.<br />
# Link to your code repository or a link to where readers can download your project.<br />
# Latest Release description answering the following questions: What is it?, What does it do?, Where can I get it?, Who should I contact if something goes wrong?.<br />
<br />
==Project Process Forms==<br />
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastructure. They facilitate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form. <br />
<br />
* [http://www.tfaforms.com/264422 Project Transition Application]:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project. <br />
<br />
* [http://www.tfaforms.com/264413 Project Review Application]:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time. <br />
<br />
* [http://www.tfaforms.com/264418 Project Donation Application]:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.<br />
<br />
* [http://www.tfaforms.com/264428 Project Adoption Request]:This form is used when someone is interested in adopting an archived project. <br />
<br />
* [http://www.tfaforms.com/264426 Project Abandonment Request]:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.<br />
<br />
* [http://www.tfaforms.com/264392 Incubator Project Graduation Application]:This application form is for Incubator Projects to apply for Labs Project status.<br />
<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project Project Request (Bangladesh)]:For Information Security Project contact with OWASP Bangladesh Project Leader [[S. M. Shezan]][http://www.facebook.com/smshezan]<br />
<br />
= Project Assessments =<br />
<font size=2pt><br />
==OWASP Project Lifecycle==<br />
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.<br />
<br />
<br />
====The OWASP Project Lifecycle is broken down into the following stages:====<br />
<br />
'''Incubator Projects''': OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.<br />
<br />
'''Lab Projects''': OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process. <br />
<br />
'''Flagship Projects''': The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.<br />
<br />
'''Code Projects''': OWASP code projects are very important for the cyber security solutions. Because these projects are used to find out the application security problems and try to solve those problems. Best code project is [[OWASP System Vulnerable Code Project]] and best project leader is [http://www.facebook.com/smshezan S. M. Shezan]<br />
<br />
== OWASP Project Stage Benefits==<br />
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.<br />
<br />
'''Incubator'''<br />
* Financial Donation Management Assistance <br />
* Project Review Support<br />
* WASPY Awards Nominations<br />
* OWASP OSS and OPT Participation<br />
* Opportunity to submit proposal: $500 for Development.<br />
* Community Engagement and Support<br />
* Recognition and visibility of being associated with the OWASP Brand.<br />
<br />
'''Labs'''<br />
* All benefits given to Incubator Projects <br />
* Technical Writing Support<br />
* Graphic Design Support<br />
* Project Promotion Support<br />
* OWASP OSS and OPT: Preference<br />
<br />
'''Flagship'''<br />
* All benefits given to Incubator & Labs Projects<br />
* Grant finding and proposal writing help<br />
* Yearly marketing plan development<br />
* OWASP OSS and OPT participation preference<br />
<br />
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.<br />
<br />
== Project Monitoring Incubator/Documentation ==<br />
Every 6 months, a project monitoring assessment takes place to evaluate if projects had any releases during this period.A warning will be sent to projects without any activity in 90 days and after 180 days, the project will be set automatically as inactive.<br />
You can set your project active at any time, as long as:<br />
* There has been commits to the project's open repository or<br />
* There has been a beta release of the documentation produced so far or<br />
* Provide a detailed Roadmap <br />
<br />
===Importance of a well thought out Roadmap===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 600px]]<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
==Project Monitoring for LABS/Flagship==<br />
These project represent the best OWASP has to offer, therefore monitoring of these projects is closely supervised.<br />
===For Code and Tools===<br />
For projects holding Flagship status, we closely monitor their health every 6 months on the following, among other key indicators:<br />
*Can the project be built correctly?<br />
*Does the project has any activity(commits) in the last 6 months?<br />
*Does the project had any releases in the last 6 months?<br />
*Has the project leaders updated his wiki or website to reflect latest releases?<br />
===For Documentation===<br />
For this part, we are working on the development of an adequate assessment criteria<br />
The following is a draft of the new process proposal: [[https://www.owasp.org/index.php/File:Qualitative_and_Quantitative_Content_Audit.pdf Proposal for Reviewing OWASP Document projects]]<br />
<br />
== OWASP Project Graduation==<br />
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must receive a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Graduation Criteria Checklist]<br />
<br />
==OWASP Project Health Assessment==<br />
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation for projects going from Incubator to LAB and from LAB to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Health Assessment Criteria Document]. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
==OWASP Project Deliverable/Release Assessment==<br />
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception. <br />
<br />
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Deliverable/Release Assessment Criteria Checklist]<br />
<br />
<br />
= Brand Resources =<br />
<font size=2pt><br />
<br />
==The Brand Usage Rules==<br />
See OWASP's [[Marketing/Resources#tab=BRAND_GUIDELINES|The Brand Usage Rules]] for details.<br />
<br />
==Project Icons & Templates==<br />
See OWASP'S [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
(Following links and images are provided for a quick overview only, the primary page is [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]]).<br />
<br />
If you require more assistance with these files and/or templates, please contact the OWASP staff for assistance <br />
<br />
'''[[OWASP_Operations_Project_Template|OWASP Operational Wiki Template]]'''<br />
<br />
'''[[OWASP_Documentation_Project_Template|OWASP Example Template: DO NOT EDIT]]'''<br />
<br />
[[Image:OWASP_Project_Header.jpg|Owasp logo|500px]]<br />
<br />
[[Image:Project_Type_Files_TOOL.jpg|Owasp logo|200px]] [[Image:Project_Type_Files_DOC.jpg||Owasp logo 1c|200px]] <br />
<br />
[[Image:Project_Type_Files_CODE.jpg|Owasp logo|200px]] [[Image:Owasp-defenders-small.png|Owasp logo|100px]] [[Image:Owasp-builders-small.png|Owasp logo|100px]] [[Image:Owasp-breakers-small.png|Owasp logo|100px]] <br />
<br />
[[Image:Owasp-incubator-trans-200.png|Owasp logo rev icon|100px]] [[Image:Owasp-labs-trans-85.png|Owasp logo flat|100px]] [[Image:Owasp-flagship-trans-85.png|Owasp logo icon|100px]]<br />
<br />
===OpenSAMM===<br />
'''[[Media:OpenSAMM_icons.zip|OpenSAMM Icons]]'''<br />
<br />
'''Construction:'''<br />
<br />
[[Image:Construction black.png| Construction black| 100px]] [[Image:Construction blue.png| Construction blue| 100px]] [[image:Construction olive.png |construction olive|100px]]<br />
<br />
'''Deployment:'''<br />
<br />
[[image:Deployment black.png| Deployment black| 100px]] [[image:Deployment blue.png| Deployment blue| 100px]] [[image:Deployment olive.png | Deployment olive| 100px]]<br />
<br />
'''Governance:'''<br />
<br />
[[image:Governance black.png| governance black| 100px]] [[image:Governance blue.png | governance blue | 100px]] [[image:Governance olive.png | governance olive| 100px]]<br />
<br />
'''Verification:'''<br />
<br />
[[image:Verification black.png | Verification black | 100px]] [[image:Verification blue.png | verification blue | 100px]] [[image: Verification olive.png | Verification olive | 100px]]<br />
<br />
==Book Cover Files==<br />
See OWASP's [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
[[Media:Lulu-guide.pdf|Lulu Guide]]<br />
<br />
'''[https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip Download the Book Cover Zip File]'''<br />
{|<br />
|-<br />
! width="500" align="center" | <br> <br />
! width="300" align="center" | <br><br />
|-<br />
| align="center" | [[Image:BookImage_01.jpg|500px| link=https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip]] <br />
| align="center" | <br />
<br />
|}<br />
<br />
= Terminology =<br />
<font size=2pt><br />
== OWASP Project Infrastructure ==<br />
<br />
<br />
*'''OWASP Project Lifecycle:''' The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state.<br />
<br />
<br />
*'''Incubator Project:''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
*'''Labs Project:''' OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
<br />
*'''Flagship Project:''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
<br />
<br />
*'''Project Benefits:''' The standard list of resources and incentives made available to project leaders based on their project's current maturity level. <br />
<br />
<br />
<br />
== OWASP Project Reviews ==<br />
<br />
<br />
*'''Project Reviews:''' Project reviews are the method OWASP uses to establish a minimal baseline of project characteristics and release quality. Reviews are not mandatory, but they are necessary if a project leader wishes to graduate to the next level of maturity within the OWASP Global Projects infrastructure. Projects can be reviewed when an Incubator project wishes to graduate into the OWASP Labs designation, and project releases can be reviewed if they want the quality of their deliverable to be vouched for by OWASP. <br />
<br />
<br />
*'''Project Reviewer Pool:''' The project reviewer pool is made up of veteran reviewers who have proven themselves dedicated to executing quality reviews of projects. <br />
<br />
<br />
*'''Project Graduation:''' The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
*'''Project Health Assessment:''' The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE#gid=1 Project Health Assessment Criteria Document].<br />
<br />
<br />
*'''Project Release:''' A project release refers to the final deliverable a project produces. It is the final product of the project. <br />
<br />
<br />
*'''Project Deliverable/Release Review:''' The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.<br />
<br />
<br />
<br />
== OWASP Projects Processes == <br />
<br />
*'''Project Processes:''' The set of streamlined processes that exist to help projects move smoothly through the OWASP Project Lifecycle.<br />
<br />
<br />
*'''Project Inception Process:''' The Project Inception Process is how a brand new idea becomes an OWASP Project. Such projects are labeled as OWASP Incubator projects. The process involves submitting the proposed project name, project leader information, project description, project roadmap, and selecting an appropriate open-source license for the project using the New Project Form on the Projects Portal.<br />
<br />
<br />
*'''Project Donation Process:''' The Project Donation Process is used for a project that has an existing functional release, but is not currently associated with OWASP. This process is the primary mechanism by which individuals or organizations can transfer the ownership of their project’s copyright to OWASP.<br />
<br />
<br />
*'''Project Transition Process:''' The Project Transition Process is used to transition leadership of a project to a new project leader. This is a simple automated process to transfer the relevant accounts, mailing lists, and other project resources to the new project leader.<br />
<br />
<br />
*'''Project Abandonment Process:''' The Project Abandonment Process was put in place for those occasions in which a project leader is no longer able to manage their project, and has not been able to find a suitable replacement for the leader role. Project Abandonment can also occur when the project leader feels his/her project has become obsolete. Under these circumstances, the acting project leader is encourage do submit the Project Abandonment Form found in the Projects Portal.<br />
<br />
<br />
*'''Incubator Graduation Process:''' The Incubator Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
== Projects at Conferences == <br />
<br />
*'''AppSec Conferences:''' OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific.<br />
<br />
<br />
*'''Open Source Showcase:''' The Open Source Showcase is an OWASP AppSec Conference event module designed to give Open Source project leaders the opportunity to demo their projects.<br />
<br />
<br />
*'''OWASP Project Track:''' The OWASP Project Track is an OWASP AppSec Conference event module designed to give OWASP Project leaders the opportunity to showcase their projects as an official conference presenter. <br />
<br />
<br />
== OWASP Projects General == <br />
<br />
*'''OWASP Code of Ethics:''' The OWASP Code of Ethics are the set of guidelines and principles that the OWASP Foundation expects all of its members and conference attendees to abide by. A copy of the Code of Ethics can be found here in the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics OWASP About page]. <br />
<br />
<br />
= Sponsorships and Donations =<br />
<font size=2pt><br />
<br />
==Donate to OWASP Global Projects ==<br />
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.<br />
<br />
'''This is how your money can help:'''<br />
<br />
* $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.<br />
* $100 could help fund OWASP project demos at major conferences.<br />
* $250 could help get our volunteer Project Leaders to speaking engagements.<br />
<br />
<br />
[[Image:Donate_Button.jpg | link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
<br />
<br />
<br />
= Contact US =<br />
<font size=2pt><br />
<br />
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us].<br />
</font><br />
<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=195002Category:OWASP Project2015-05-19T11:16:28Z<p>Mark Denihan: Adding OWASP Security Shepherd to Labs</p>
<hr />
<div>__NOTOC__ <br />
{|<br />
|-<br />
! width="700" align="center" | <br> <br />
! width="500" align="center" | <br><br />
|-<br />
|<br />
| align="right" | <br />
<br />
|}<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
= Welcome =<br />
{| style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
<font size=2pt><br />
<br />
=== Welcome to the OWASP Global Projects Page ===<br />
<br />
An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 142 active projects, and new project applications are submitted every week. <br />
<br />
This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page. A summary of recent project announcements is available on the [[OWASP Updates]] page. <br />
<br />
Download the '''[[Media:PROJECT_LEADER-HANDBOOK_2014.pdf|OWASP Project Handbook 2014]]'''<br />
<br />
'''[[OWASP_2014_Project_Handbook|OWASP Project Handbook Wiki 2014]]'''<br />
<br />
Download the '''[[Media:OWASP_Projects_Handbook_2013.pdf|OWASP Projects Handbook 2013]]'''<br />
<br />
'''[[Project_Online_Resources|Project Online Resources]]'''<br />
<br />
=== Who Should Start an OWASP Project? ===<br />
<br />
*Application Developers. <br />
*Software Architects. <br />
* Information Security Authors. <br />
*Those who would like the support of a world wide professional community to develop or test an idea.<br />
*Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer.<br />
<br />
=== Contact Us===<br />
<br />
If you have any questions, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us] by using the form provided here. Please allow five working days for your question or comment to be answered. This is due to the large amount of queries the foundation staff receive every day. We thank you for your patience. <br />
<br />
=== OWASP Project Inventory ===<br />
<br />
All OWASP tools, document, and code library projects are organized into the following [[OWASP_Project_Stages|categories:]] <br />
<br />
* '''[[OWASP_Project_Inventory#Flagship_Projects|Flagship Projects:]]''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
* '''[[OWASP_Project_Inventory#Labs_Projects|Lab Projects:]]''' OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. <br />
<br />
* '''[[OWASP_Project_Inventory#Incubator_Projects|Incubator Projects:]]''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.<br />
<br />
=== Social Media ===<br />
<br />
We recommend using the links below to find our official OWASP social media channels. These are a great way to keep in touch with the different initiatives going on at OWASP throughout the world. They are all updated regularly by chapter leaders, project leaders, the OWASP Board Members, and our OWASP Staff. If you have any questions or concerns about any of these accounts, please drop us a line using our [http://www.tfaforms.com/308703 "Contact Us"] form found above. <br />
<br />
[[Image:Blogger-32x32.png|32px|link=http://owasp.blogspot.co.uk/]] [[Image:Twitter-32x32.png|32px|link=https://twitter.com/OWASP]] [[Image:Facebook-32x32.png|32px|link=https://www.facebook.com/groups/172892372831444/]] [[Image:Linkedin-32x32.png|32px|link=http://www.linkedin.com/groups/Global-OWASP-Foundation-36874]] [[Image:Google-32x32.png|32px|link=https://plus.google.com/u/0/communities/105181517914716500346?cfem=1]] [[Image:Ning-32x32.png|32px|link=http://myowasp.ning.com/]]<br />
<!-- Twitter Box --> <br />
</font><br />
<br />
|}<br />
<br />
| style="border: 3px solid rgb(204, 204, 204); vertical-align: top; width: 95%; font-size: 95%; color: rgb(0, 0, 0);" | <br />
<div style="padding:2em;padding-bottom:0px;"><!-- DON'T REMOVE ME, I'M STRUCTURAL; also 2 empty lines between images --><br />
<br />
<br />
[[Image:New_initiatives.png|center|300px| link=http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing]] <br />
<br />
<br />
[[Image:Donate_here_banner.png|center|300px| link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
</div><br />
<br />
{|<br />
<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<!-- End Banner --> <br />
<br />
<br />
= Project Inventory =<br />
<font size=2pt><br />
<br />
The Project Dashboard lists the all project information at a glance, including release links, the current status of the project and project leader contact information. The Project Dashboard can be found here: https://www.owasp.org/index.php/OWASP_Project_Dashboard<br />
<br />
==Flagship Projects==<br />
[[File:Flagship_banner.jpg]]<br />
<br />
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.<br />
After a major review process [[https://www.owasp.org/index.php/LAB_Projects_Code_Analysis_Report More info here]] the following projects are considered to be flagship candidate projects. These project have been evaluated more deeply to confirm their flagship status:<br />
<br />
====Tools [Reviewed September 2014]====<br />
<br />
* [[OWASP_Zed_Attack_Proxy_Project|OWASP Zed Attack Proxy]]<br />
* [[OWASP_Web_Testing_Environment_Project|OWASP Web Testing Environment Project]]<br />
* [[OWASP_OWTF|OWASP OWTF]]<br />
* [[OWASP_Dependency_Check|OWASP Dependency Check]]<br />
<br />
====Code [Reviewed November 2014]====<br />
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set Project]]<br />
* [[:Category:OWASP_CSRFGuard_Project|OWASP CSRFGuard Project]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
<br />
====Documentation[Reviewed February 2015] in progress====<br />
* [[:Category:OWASP_Application_Security_Verification_Standard_Project|OWASP Application Security Verification Standard Project]]<br />
* [[:Category:Software_Assurance_Maturity_Model|OWASP Software Assurance Maturity Model (SAMM)]]<br />
* [[OWASP_AppSensor_Project|OWASP AppSensor Project]]<br />
* [[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]<br />
* [[OWASP_Testing_Project|OWASP Testing Guide Project]]<br />
<br />
==Labs Projects==<br />
[[File:Lab banner.jpg]]<br />
<br />
OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to LAB projects showing a steady progress in their development, had very active and continuous releases and commits, regular update of information on their wiki page and have quite complete documentation. These projects are almost ready to become flagship<br />
<br />
====Tools [Reviewed February 2015]====<br />
* [[OWASP_WebGoat_Project|WebGoat]]<br />
* [[OWASP_Hackademic_Challenges_Project|OWASP Hackademic Challenges Project]]<br />
* [[OWASP_Security_Shepherd|OWASP Security Shepherd]]<br />
* [[OWASP_Mantra_-_Security_Framework|OWASP Mantra Security Framework]]<br />
* [[OWASP_O2_Platform|OWASP O2 Platform]]<br />
* [[OWASP_Dependency_Track_Project|OWASP Dependency Track Project]]<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] <br />
* [[O-Saft|O-Saft]]<br />
* [[:Category:OWASP_EnDe|OWASP EnDe Project]]<br />
* [[OWASP_Passfault|OWASP Passfault]] <br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]<br />
*[[OWASP_Xenotix_XSS_Exploit_Framework|OWASP Xenotix XSS Exploit Framework]]<br />
*[[OWASP_Code_Pulse_Project| OWASP Code Pulse]]<br />
<br />
====Documentation [In Progress-Results by February/March 2015] ====<br />
<br />
* [[OWASP_Podcast|OWASP Podcast Project]]<br />
* [[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide Project]]<br />
* [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]<br />
* [[:Category:OWASP_Guide_Project|OWASP Development Guide Project]]<br />
*[[OWASP_CISO_Survey|OWASP CISO Survey]] <br />
*[[OWASP_Application_Security_Guide_For_CISOs_Project|OWASP Application Security Guide For CISOs]]<br />
*[[OWASP_Cornucopia|OWASP Cornucopia]]<br />
*[[Cheat_Sheets|OWASP Cheat Sheets Project]] [[File:Thumbsup.png|15px]]<br />
<br />
====Contests====<br />
*[[OWASP_University_Challenge|OWASP University Challenge]] <br />
* [[:Category:OWASP_CTF_Project|OWASP CTF Project]]<br />
<br />
====Code [Reviewed February 2015]====<br />
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]<br />
<br />
======Low Activity (LABS)[Reviewed February 2015] ======<br />
[[File:low_activity.jpg]]<br />
<br />
These projects had no releases in at least a year, however have shown to be valuable tools<br />
'''Code [Low Activity]'''<br />
* [[Project_Information:template_Vicnum_Project|OWASP Vicnum Project]]<br />
* [[OWASP_Broken_Web_Applications_Project|OWASP Broken Web Applications Project]]<br />
* [[OWASP_Joomla_Vulnerability_Scanner_Project]]<br />
<br />
'''Documentation [Low Activity]'''<br />
* [[OWASP_Appsec_Tutorial_Series|OWASP AppSec Tutorial Series]]<br />
* [[:Category:OWASP_Legal_Project|OWASP Legal Project]]<br />
* [[Virtual_Patching_Best_Practices|Virtual Patching Best Practices]]<br />
* [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]<br />
<br />
==Incubator Projects==<br />
[[File:Incubator_banner.jpg]]<br />
<br />
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
===Thumbs up===<br />
Thumbs up are given to incubator projects showing a steady progress in their development, had continuous releases and commits or have delivered a complete product, including open source repository location, basic user guidelines and documentation<br />
<br />
<br />
====Code [Reviewed March 2015]====<br />
* [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_Java_File_I_O_Security_Project|OWASP Java File I/O Security Project]]<br />
* [[OWASP_iMAS_iOS_Mobile_Application_Security_Project|OWASP iMAS - iOS Mobile Application Security Project]] [[File:Thumbsup.png|15px]]<br />
* [[OWASP_PHP_Security_Project|OWASP PHP Security Project]]<br />
* [[OWASP_Node_js_Goat_Project|OWASP Node.js Goat Project]] [[File:Thumbsup.png|15px]<br />
* [[OWASP_File_Format_Validation_Project|OWASP File Format Validation Project]]<br />
* [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]<br />
<br />
<br />
=====Code: Low Activity=====<br />
<br />
* [[OWASP_PHPRBAC_Project|OWASP PHPRBAC Project]]<br />
<br />
====Research====<br />
* [[OWASP_WASC_Distributed_Web_Honeypots_Project|OWASP WASC Distributed Web Honeypots Project]]<br />
* [[OWASP_Security_Research_and_Development_Framework|OWASP Security Research and Development Framework]]<br />
<br />
====Tools [Review in progress-April 2015]====<br />
* [[OWASP_Faux_Bank_Project|OWASP Faux Bank Project]]<br />
* [[OWASP_Droid10_Project|OWASP Droid]]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project OWASP Wapiti Project]<br />
*[[Benchmark|OWASP WebGoat Benchmark]]<br />
*[[OWASP_WAP-Web_Application_Protection|WAP Web Application_Protection]]<br />
*[[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Security_Shepherd|OWASP Security Shepherd]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Mantra_OS|OWASP Mantra OS]]<br />
*[[OWASP_iGoat_Project|OWASP iGoat Project]]<br />
*[[OWASP_Bricks|OWASP Bricks]]<br />
*[[OWASP_Bywaf_Project|OWASP Bywaf Project]]<br />
*[[OWASP_Mutillidae_2_Project|OWASP Mutillidae 2 Project]] <br />
*[[OWASP_SeraphimDroid_Project|OWASP SeraphimDroid Project]]<br />
*[[OWASP_Python_Security_Project|OWASP Python Security Project]]<br />
*[[OWASP_WebSpa_Project|OWASP WebSpa Project]]<br />
*[[OWASP_NINJA_PingU_Project|OWASP NINJA PingU Project]]<br />
*[[OWASP_Encoder_Comparison_Reference_Project|OWASP Encoder Comparison Reference Project]]<br />
*[[:Category:OWASP_SQLiX_Project|OWASP sqliX Project]]<br />
*[[OWASP_Secure_TDD_Project|OWASP Secure TDD Project]]<br />
*[[OWASP_XSecurity_Project|OWASP XSecurity Project]]<br />
*[[OWASP_Pyttacker_Project|OWASP Pyttacker Project]]<br />
*[[OWASP_HTTP_Post_Tool|OWASP HTTP POST Tool]]<br />
*[[Projects/OWASP_iOSForensic|OWASP iOSForensic]]<br />
*[[OWASP_SonarQube_Project|OWASP SonarQube Project]]<br />
*[[OWASP Rainbow Maker Project | OWASP Rainbow Maker Project]] <br />
*[[OWASP JSEC CVE Details | OWASP JSEC CVE Details]] <br />
* [[:Category:OWASP_WebGoat.NET|OWASP WebGoat.NET]] <br />
* [[OWASP_ASIDE_Project|OWASP ASIDE Project]]<br />
<br />
====Documentation[Review: May 2015]====<br />
*[[OWASP Automated Threats to Web Applications]]<br />
*[[OWASP_Data_Exchange_Format_Project|OWASP Data Exchange Format Project]]<br />
*[[OWASP_Proactive_Controls|OWASP Proactive Controls]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Enterprise_Application_Security_Project|OWASP Enterprise Application Security Project]]<br />
*[[OWASP_Secure_Application_Design_Project|OWASP Secure Application Design Project]]<br />
*[[OWASP_Top_10_Fuer_Entwickler_Project|OWASP Top 10 Fuer Entwickler Project]]<br />
*[[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory Project]]<br />
*[[OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project|OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
*[[OWASP_Internet_of_Things_Top_Ten_Project|OWASP Internet of Things Top Ten Project]]<br />
*[[:Category:OWASP_.NET_Project|OWASP .NET Project]]<br />
*[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]<br />
*[[OWASP_WASC_Web_Hacking_Incidents_Database_Project|OWASP WASC Web Hacking Incidents Database Project]]<br />
*[[OWASP_Security_Frameworks_Project|OWASP Security Frameworks Project]]<br />
*[[OWASP_Incident_Response_Project|OWASP Incident Response Project]]<br />
*[[OWASP_Periodic_Table_of_Vulnerabilities|OWASP Periodic Table of Vulnerabilities]]<br />
*[[OWASP_Top_Trumps_for_Projects|OWASP Top Trumps for Projects]]<br />
*[[OWASP KALP Mobile Project | OWASP KALP Mobile Project]]<br />
*[[OWASP Persian Translation Project | OWASP Persian Translation Project]]<br />
*[[OWASP_Security_Controls_in_Web_Application_Development_Lifecycle |OWASP Security Controls in Web Application Development Lifecycle Project]]<br />
*[[OWASP_Application_Security_Program_Quick_Start_Guide_Project|OWASP_Application_Security_Program_Quick_Start_Guide_Project]]<br />
*[[OWASP_Secure_Configuration_Guide|OWASP_Secure_Configuration_Guide]]<br />
*[[OWASP_Product_Requirement_Recommendations_Library|OWASP_Product_Requirement_Recommendations_Library]]<br />
*[[OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project|OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project]]<br />
* [[OWASP_RFP-Criteria|OWASP Request For Proposal]]<br />
<br />
==Educational Initiatives==<br />
*[[OWASP_Visual_Crime_Scene_and_Security_Incident_Education_Project#tab=Main | OWASP Visual Crime Scene and Security Incident Project]]<br />
*[[OWASP_Secure_Development_Training|OWASP Secure Development Training]]<br />
*[[OWASP_Student_Chapters_Program|OWASP Student Chapters Project]]<br />
*[[:Category:OWASP_Education_Project|OWASP Education Project]]<br />
*[[:Category:OWASP_Speakers_Project|OWASP Speakers Project]]<br />
*[[OWASP_Global_Chapter_Meetings_Project|OWASP Global Chapter Meetings Project]]<br />
*[[OWASP_Media_Project|OWASP Media Project]] [[File:Thumbsup.png|15px]]<br />
*[[OWASP_Hacking_Lab|OWASP Hacking-Lab]]<br />
*[[OWASP_PHP_Security_Training_Project|OWASP PHP Security Training Project]]<br />
<br />
==Donated Projects==<br />
<br />
OWASP Donated Projects are inactive projects that have been donated to the OWASP Projects Infrastructure. <br />
<br />
====Tools====<br />
<br />
* [[OWASP_Excess_XSS_Project|OWASP Excess XSS Project]]<br />
* [[OWASP_JOTP_Project|OWASP jOTP Project]]<br />
<br />
==OWASP Archived Projects==<br />
OWASP Archived Projects are projects that have developed outside OWASP umbrella or have become inactive. If you are interested in pursuing any of the inactive projects (click hyperlink for list), please contact us and let us know of your interest.<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_Project_Archived_Projects<br />
<br />
= Project Task Force =<br />
<br />
<br />
====OWASP Project Task Force====<br />
<br />
{{:Task_Force/OWASP_Projects}}<br />
<br />
= Online Resources =<br />
<br />
===Project Online Resources===<br />
<br />
{{:Project_Online_Resources}}<br />
<br />
<br />
= Starting a New Project =<br />
<font size=2pt><br />
== So you want to start a project... ==<br />
<br />
Starting an OWASP project is quite easy, and your desire to contribute and make it happen is essential.<br />
[[File:HowToStartProjectoWasp.png | 600px | right]]<br />
<br />
Here are some of the guidelines for running a successful OWASP project:<br />
<br />
-Start exploring the actual OWASP projects Inventory. Many projects handle specific areas of security it is a good idea to start looking how other successful projects do this (LABS/Flagship)<br />
<br />
-Place your idea or project on the [https://www.owasp.org/index.php/Project_Ideas_Board#From_Idea_to_Project_Incubator Project Ideas Board].This phase will help you to define the project goals and also explore and exchange with other OWASP leaders and volunteers how to develop the idea into a tangible project<br />
<br />
-Explore and research if your idea covers a unique segment in the Security arena.Think of your project as a product, if you really want people using it, think how this project will cover a necessity in the security area you are working on <br />
<br />
-Define what kind of project you would like to start. Is it a code, tool or documentation?<br />
<br />
-Communicate through the Project leader mailing list about your idea and get feedback and meet potential contributors<br />
<br />
-Develop your project based on the type of project. For example if you are willing to start a documentation project, begin by defining a Table of Content and work it through with potential contributors. First of all begin by creating a Road-map for your project. This is essential to submit your project. We highly recommend to read documentation such as "[http://www2.econ.iastate.edu/tesfatsi/ProducingOSS.KarlFogel2005.pdf How to start /run a successful Open Source Projects]". <br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 500px | left]]<br />
<br />
Some recommendations on how to start a documentation project<br />
[[https://www.owasp.org/index.php/File:Document_Guide_(1).png| Document Guide Project]]<br />
<br />
===Importance of a well thought out Road-map===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
* Start defining a development, documentation and marketing plan for your project. Set short , medium and long term plans. Include promotion of your project, this is very important in order to engage users and consumers of your project. Contact project coordinator and the Project Task Force to help you achieve this goal. You ''can'' run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.<br />
<br />
* You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.<br />
<br />
* Available Grants to consider if you need funding - [[Grants|Click Here]]<br />
<br />
* You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!<br />
<br />
== Creating a new project ==<br />
Once you have passed the Project Ideas phase, then you will be ready to start a new project<br />
To Submit your project please use the following form<br />
. [http://www.tfaforms.com/263506 Please submit a new project application here].<br />
<br />
<br />
* You will need to gather the following information together for your application:<br />
A - PROJECT<br />
# Project Name,<br />
# Project purpose / overview,<br />
# Project Roadmap,<br />
# Project links (if any) to external sites,<br />
# [[Guidelines_for_OWASP_Projects#Project_Licensing|Project License],]<br />
# Project Leader name,<br />
# Project Leader email address,<br />
# Project Leader wiki account - the username (you'll need this to edit the wiki),<br />
# Project Contributor(s) (if any) - name email and wiki account (if any),<br />
# Project Main Links (if any).<br />
# For Documentation: A table of Contents<br />
# For Code: A prototype hosted in an open source repository of your choice. Make sure it has read access.<br />
<br />
* Check out the '''[[Guidelines for OWASP Projects]]'''.<br />
* [[Grant_Spending_Policy|Grant Spending Policy]]<br />
* [[Project_Spending_Policy|Project Spending Policy]]<br />
* [[Project_Sponsorship_Operational_Guidelines|Project Sponsorship Operational Guidelines]]<br />
<br />
==OWASP Recommended Licenses==<br />
<br />
{{Recommended_Licenses}}<br />
<br />
==Funding your Project==<br />
An OWASP project does not receive any funding for development at project inception; however, a new project does have the opportunity to submit a request to receive funds if they are available for the year. Additionally, project leaders have the option of seeking sponsorship from outside organizations, but project leaders are required to seek funding through their own initiative. Please contact the OWASP Projects Manager for more information. <br />
<br />
== Project Release ==<br />
<br />
As your project reaches a point that you'd like OWASP to assist in its promotion, the will need the following information to help spread the word about your project:<br />
<br />
# Short 5 sentence paragraph outlining what your project is about, what you hope to accomplish with your project, what value your project brings to software security, and contributor and project leader names and contact information.<br />
# Link to your wiki page.<br />
# Link to your code repository or a link to where readers can download your project.<br />
# Latest Release description answering the following questions: What is it?, What does it do?, Where can I get it?, Who should I contact if something goes wrong?.<br />
<br />
==Project Process Forms==<br />
These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastructure. They facilitate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form. <br />
<br />
* [http://www.tfaforms.com/264422 Project Transition Application]:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project. <br />
<br />
* [http://www.tfaforms.com/264413 Project Review Application]:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time. <br />
<br />
* [http://www.tfaforms.com/264418 Project Donation Application]:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.<br />
<br />
* [http://www.tfaforms.com/264428 Project Adoption Request]:This form is used when someone is interested in adopting an archived project. <br />
<br />
* [http://www.tfaforms.com/264426 Project Abandonment Request]:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.<br />
<br />
* [http://www.tfaforms.com/264392 Incubator Project Graduation Application]:This application form is for Incubator Projects to apply for Labs Project status.<br />
<br />
* [https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project Project Request (Bangladesh)]:For Information Security Project contact with OWASP Bangladesh Project Leader [[S. M. Shezan]][http://www.facebook.com/smshezan]<br />
<br />
= Project Assessments =<br />
<font size=2pt><br />
==OWASP Project Lifecycle==<br />
The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state. The greater the maturity of the project, the greater the level of responsibility for the project leader. These responsibilities are not trivial as OWASP provides incentives and benefits (Section 7) for projects who take on these added responsibilities.<br />
<br />
<br />
====The OWASP Project Lifecycle is broken down into the following stages:====<br />
<br />
'''Incubator Projects''': OWASP Incubator projects represent the experimental playground where projects are still being designed, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity; moreover, the label allows project leaders to leverage the OWASP name while their project is still maturing. OWASP Incubator projects are given a place on the OWASP Projects Portal to leverage the organizations' infrastructure, and establish their presence and project history.<br />
<br />
'''Lab Projects''': OWASP Labs projects represent projects that have produced a deliverable of significant value. Leaders of OWASP Labs projects are expected to stand behind the quality of their projects as these projects have matured to the point where they are accepted by a significant portion of the OWASP community. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are ready for mainstream usage. OWASP Labs Projects are meant to be the collection of established projects that have gained community support and acclaim by undergoing the project review process. <br />
<br />
'''Flagship Projects''': The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Eligible projects are selected from the OWASP Labs project pool. This selection process generally ensures that there is only one project of each type covering any particular security space. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.<br />
<br />
'''Code Projects''': OWASP code projects are very important for the cyber security solutions. Because these projects are used to find out the application security problems and try to solve those problems. Best code project is [[OWASP System Vulnerable Code Project]] and best project leader is [http://www.facebook.com/smshezan S. M. Shezan]<br />
<br />
== OWASP Project Stage Benefits==<br />
This section outlines the benefits of starting an OWASP project, and the benefits of being at each different stage in the projects lifecycle. In my short time here at OWASP as the PM, I have had several potential project leaders ask me what the benefits are of starting their project with OWASP. Below is my proposal for each Stage’s benefits.<br />
<br />
'''Incubator'''<br />
* Financial Donation Management Assistance <br />
* Project Review Support<br />
* WASPY Awards Nominations<br />
* OWASP OSS and OPT Participation<br />
* Opportunity to submit proposal: $500 for Development.<br />
* Community Engagement and Support<br />
* Recognition and visibility of being associated with the OWASP Brand.<br />
<br />
'''Labs'''<br />
* All benefits given to Incubator Projects <br />
* Technical Writing Support<br />
* Graphic Design Support<br />
* Project Promotion Support<br />
* OWASP OSS and OPT: Preference<br />
<br />
'''Flagship'''<br />
* All benefits given to Incubator & Labs Projects<br />
* Grant finding and proposal writing help<br />
* Yearly marketing plan development<br />
* OWASP OSS and OPT participation preference<br />
<br />
For more detailed information on OWASP Project Stage Benefits, please see the 2013 Project Handbook.<br />
<br />
== Project Monitoring Incubator/Documentation ==<br />
Every 6 months, a project monitoring assessment takes place to evaluate if projects had any releases during this period.A warning will be sent to projects without any activity in 90 days and after 180 days, the project will be set automatically as inactive.<br />
You can set your project active at any time, as long as:<br />
* There has been commits to the project's open repository or<br />
* There has been a beta release of the documentation produced so far or<br />
* Provide a detailed Roadmap <br />
<br />
===Importance of a well thought out Roadmap===<br />
Many Incubator project leaders struggle with creating a realistic planning, which should be based on their available resources and time. A well thought out plan makes a difference between a procrastinating project and a successful one. The important aspect of this is, that the project leader is able to create a plan based on his situation. The following is an example of a Roadmap, which has focused to produce a Documentation first release in a year and a basic outline how they plan to cover 4 essential aspects which are Research & Development, Marketing, Planning and Goals.<br />
<br />
<br />
[[File:RoadmapIncubatorProjectExample2.PNG | 600px]]<br />
<br />
"Your [project] roadmap should tell a coherent story about the likely growth of your product. Each release should build on the previous one and move you closer towards your vision. Your roadmap should be convincing and realistic: Don’t speculate or oversell your [project]. Be clear who your audience is: An internal roadmap talks to development, marketing, sales, service, and the other groups involved in making your [project] a success; and external one talks to existing and prospective customers."<br />
Extracted from : "[[http://www.romanpichler.com/blog/10-tips-creating-agile-product-roadmap/ 10 Tips for Creating an Agile Product Roadmap]]"<br />
<br />
==Project Monitoring for LABS/Flagship==<br />
These project represent the best OWASP has to offer, therefore monitoring of these projects is closely supervised.<br />
===For Code and Tools===<br />
For projects holding Flagship status, we closely monitor their health every 6 months on the following, among other key indicators:<br />
*Can the project be built correctly?<br />
*Does the project has any activity(commits) in the last 6 months?<br />
*Does the project had any releases in the last 6 months?<br />
*Has the project leaders updated his wiki or website to reflect latest releases?<br />
===For Documentation===<br />
For this part, we are working on the development of an adequate assessment criteria<br />
The following is a draft of the new process proposal: [[https://www.owasp.org/index.php/File:Qualitative_and_Quantitative_Content_Audit.pdf Proposal for Reviewing OWASP Document projects]]<br />
<br />
== OWASP Project Graduation==<br />
The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
The review centers around the following core questions. Each core question has three (3) specific questions made up of binary queries. A project must receive at least two (2) positive responses from each reviewer in two of the binary questions, to warrant a postive response for the core question. Each core question must receive a positive response from both project reviewers to pass the Project Health Assessment for Incubator Projects. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Graduation Criteria Checklist]<br />
<br />
==OWASP Project Health Assessment==<br />
The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation for projects going from Incubator to LAB and from LAB to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Health Assessment Criteria Document]. If a project passes the assessment, it then becomes eligible to graduate into the OWASP Labs Project stage. In order to be considered for OWASP Labs, an Incubator project must have submitted an OWASP reviewed deliverable, and obtained at least two (2) positive responses for each of the core criteria project health questions.<br />
<br />
==OWASP Project Deliverable/Release Assessment==<br />
The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception. <br />
<br />
Reviews must be performed by two (2) OWASP Chapter or Project Leaders, and their review must answer affirmatively to at least the first two (2) core Project Deliverable/Release Review questions. A project must pass the OWASP Project Deliverable/Release Assessment in order to graduate into the OWASP Labs Project stage. <br />
<br />
* [https://docs.google.com/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE Project Deliverable/Release Assessment Criteria Checklist]<br />
<br />
<br />
= Brand Resources =<br />
<font size=2pt><br />
<br />
==The Brand Usage Rules==<br />
See OWASP's [[Marketing/Resources#tab=BRAND_GUIDELINES|The Brand Usage Rules]] for details.<br />
<br />
==Project Icons & Templates==<br />
See OWASP'S [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
(Following links and images are provided for a quick overview only, the primary page is [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]]).<br />
<br />
If you require more assistance with these files and/or templates, please contact the OWASP staff for assistance <br />
<br />
'''[[OWASP_Operations_Project_Template|OWASP Operational Wiki Template]]'''<br />
<br />
'''[[OWASP_Documentation_Project_Template|OWASP Example Template: DO NOT EDIT]]'''<br />
<br />
[[Image:OWASP_Project_Header.jpg|Owasp logo|500px]]<br />
<br />
[[Image:Project_Type_Files_TOOL.jpg|Owasp logo|200px]] [[Image:Project_Type_Files_DOC.jpg||Owasp logo 1c|200px]] <br />
<br />
[[Image:Project_Type_Files_CODE.jpg|Owasp logo|200px]] [[Image:Owasp-defenders-small.png|Owasp logo|100px]] [[Image:Owasp-builders-small.png|Owasp logo|100px]] [[Image:Owasp-breakers-small.png|Owasp logo|100px]] <br />
<br />
[[Image:Owasp-incubator-trans-200.png|Owasp logo rev icon|100px]] [[Image:Owasp-labs-trans-85.png|Owasp logo flat|100px]] [[Image:Owasp-flagship-trans-85.png|Owasp logo icon|100px]]<br />
<br />
===OpenSAMM===<br />
'''[[Media:OpenSAMM_icons.zip|OpenSAMM Icons]]'''<br />
<br />
'''Construction:'''<br />
<br />
[[Image:Construction black.png| Construction black| 100px]] [[Image:Construction blue.png| Construction blue| 100px]] [[image:Construction olive.png |construction olive|100px]]<br />
<br />
'''Deployment:'''<br />
<br />
[[image:Deployment black.png| Deployment black| 100px]] [[image:Deployment blue.png| Deployment blue| 100px]] [[image:Deployment olive.png | Deployment olive| 100px]]<br />
<br />
'''Governance:'''<br />
<br />
[[image:Governance black.png| governance black| 100px]] [[image:Governance blue.png | governance blue | 100px]] [[image:Governance olive.png | governance olive| 100px]]<br />
<br />
'''Verification:'''<br />
<br />
[[image:Verification black.png | Verification black | 100px]] [[image:Verification blue.png | verification blue | 100px]] [[image: Verification olive.png | Verification olive | 100px]]<br />
<br />
==Book Cover Files==<br />
See OWASP's [[Marketing/Resources#PROJECT_RESOURCES|Project Icons & Templates]] for details.<br />
<br />
[[Media:Lulu-guide.pdf|Lulu Guide]]<br />
<br />
'''[https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip Download the Book Cover Zip File]'''<br />
{|<br />
|-<br />
! width="500" align="center" | <br> <br />
! width="300" align="center" | <br><br />
|-<br />
| align="center" | [[Image:BookImage_01.jpg|500px| link=https://www.dropbox.com/s/h27gsbe5m7idg0y/Finished%20Covers.zip]] <br />
| align="center" | <br />
<br />
|}<br />
<br />
= Terminology =<br />
<font size=2pt><br />
== OWASP Project Infrastructure ==<br />
<br />
<br />
*'''OWASP Project Lifecycle:''' The OWASP Projects Lifecycle represents a balance between keeping a very loose structure around OWASP projects, and ensuring that OWASP consumers are not confused about a project’s maturity and quality. The lifecycle stage allows consumers to easily identify mature projects, and projects that are proofs of concept, experimental, and classified as prototypes in their current state.<br />
<br />
<br />
*'''Incubator Project:''' OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.<br />
<br />
<br />
*'''Labs Project:''' OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.<br />
<br />
<br />
*'''Flagship Project:''' The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. <br />
<br />
<br />
<br />
*'''Project Benefits:''' The standard list of resources and incentives made available to project leaders based on their project's current maturity level. <br />
<br />
<br />
<br />
== OWASP Project Reviews ==<br />
<br />
<br />
*'''Project Reviews:''' Project reviews are the method OWASP uses to establish a minimal baseline of project characteristics and release quality. Reviews are not mandatory, but they are necessary if a project leader wishes to graduate to the next level of maturity within the OWASP Global Projects infrastructure. Projects can be reviewed when an Incubator project wishes to graduate into the OWASP Labs designation, and project releases can be reviewed if they want the quality of their deliverable to be vouched for by OWASP. <br />
<br />
<br />
*'''Project Reviewer Pool:''' The project reviewer pool is made up of veteran reviewers who have proven themselves dedicated to executing quality reviews of projects. <br />
<br />
<br />
*'''Project Graduation:''' The Project Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
*'''Project Health Assessment:''' The Project Health Assessment is an optional process undertaken at the request of a project leader when he/she applies for Project Graduation The purpose of this assessment is to determine whether a project meets the minimum criteria of an OWASP Project outlined in the [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AllOCxlYdf1AdG5NZGhzTjZpT1RDcnRibjd0aXhfOUE#gid=1 Project Health Assessment Criteria Document].<br />
<br />
<br />
*'''Project Release:''' A project release refers to the final deliverable a project produces. It is the final product of the project. <br />
<br />
<br />
*'''Project Deliverable/Release Review:''' The Project Deliverable/Release Review is an optional process undertaken at the request of a project leader using the Project Deliverable Review Form. The purpose of this process is to review a project’s progress, and to make sure the project is heading in the right direction based on the roadmap they provided at project inception.<br />
<br />
<br />
<br />
== OWASP Projects Processes == <br />
<br />
*'''Project Processes:''' The set of streamlined processes that exist to help projects move smoothly through the OWASP Project Lifecycle.<br />
<br />
<br />
*'''Project Inception Process:''' The Project Inception Process is how a brand new idea becomes an OWASP Project. Such projects are labeled as OWASP Incubator projects. The process involves submitting the proposed project name, project leader information, project description, project roadmap, and selecting an appropriate open-source license for the project using the New Project Form on the Projects Portal.<br />
<br />
<br />
*'''Project Donation Process:''' The Project Donation Process is used for a project that has an existing functional release, but is not currently associated with OWASP. This process is the primary mechanism by which individuals or organizations can transfer the ownership of their project’s copyright to OWASP.<br />
<br />
<br />
*'''Project Transition Process:''' The Project Transition Process is used to transition leadership of a project to a new project leader. This is a simple automated process to transfer the relevant accounts, mailing lists, and other project resources to the new project leader.<br />
<br />
<br />
*'''Project Abandonment Process:''' The Project Abandonment Process was put in place for those occasions in which a project leader is no longer able to manage their project, and has not been able to find a suitable replacement for the leader role. Project Abandonment can also occur when the project leader feels his/her project has become obsolete. Under these circumstances, the acting project leader is encourage do submit the Project Abandonment Form found in the Projects Portal.<br />
<br />
<br />
*'''Incubator Graduation Process:''' The Incubator Graduation Process is an optional process undertaken at the request of a project leader using the Incubator Graduation Form. The purpose of this process is to move a project from the OWASP Incubator into the OWASP Labs.<br />
<br />
<br />
== Projects at Conferences == <br />
<br />
*'''AppSec Conferences:''' OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific.<br />
<br />
<br />
*'''Open Source Showcase:''' The Open Source Showcase is an OWASP AppSec Conference event module designed to give Open Source project leaders the opportunity to demo their projects.<br />
<br />
<br />
*'''OWASP Project Track:''' The OWASP Project Track is an OWASP AppSec Conference event module designed to give OWASP Project leaders the opportunity to showcase their projects as an official conference presenter. <br />
<br />
<br />
== OWASP Projects General == <br />
<br />
*'''OWASP Code of Ethics:''' The OWASP Code of Ethics are the set of guidelines and principles that the OWASP Foundation expects all of its members and conference attendees to abide by. A copy of the Code of Ethics can be found here in the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics OWASP About page]. <br />
<br />
<br />
= Sponsorships and Donations =<br />
<font size=2pt><br />
<br />
==Donate to OWASP Global Projects ==<br />
OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.<br />
<br />
'''This is how your money can help:'''<br />
<br />
* $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.<br />
* $100 could help fund OWASP project demos at major conferences.<br />
* $250 could help get our volunteer Project Leaders to speaking engagements.<br />
<br />
<br />
[[Image:Donate_Button.jpg | link=http://www.regonline.com/Register/Checkin.aspx?EventID=1044369]]<br />
<br />
<br />
<br />
= Contact US =<br />
<font size=2pt><br />
<br />
If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to [http://owasp4.owasp.org/contactus.html Contact Us].<br />
</font><br />
<br />
<br />
<headertabs /></div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Project_Summit_2015/Project_Participation&diff=194890OWASP Project Summit 2015/Project Participation2015-05-15T16:02:43Z<p>Mark Denihan: /* OWASP Sheperd */</p>
<hr />
<div>==Projects Participating==<br />
<br />
===OWASP ZAP===<br />
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br />
<br />
===OWASP OWTF===<br />
https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
===OWASP Cornucopia===<br />
https://www.owasp.org/index.php/OWASP_Cornucopia<br />
<br />
===OWASP AppSensor===<br />
https://www.owasp.org/index.php/OWASP_AppSensor_Project<br />
<br />
===OWASP ASVS ===<br />
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project<br />
<br />
===OWASP Code Review ===<br />
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project<br />
<br />
===OWASP Hackademics===<br />
https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project<br />
<br />
===OWASP Snakes and Ladders ===<br />
https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders<br />
<br />
===OWASP Knowledge Based Authentication Performance Metrics ===<br />
https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project<br />
<br />
===OWASP Automated Threats to Web Applications===<br />
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications<br />
<br />
===OWASP Codes of Conduct===<br />
https://www.owasp.org/index.php/OWASP_Codes_of_Conduct<br />
<br />
===OWASP Security Shepherd===<br />
https://www.owasp.org/index.php/OWASP_Security_Shepherd<br />
<br />
===OWASP Open SAMM===<br />
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=194879OWASP Security Shepherd2015-05-15T12:45:36Z<p>Mark Denihan: Updating Project Status Banner</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]<br />
'''Security Shepherd''' is a computer based training application for web and mobile application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.<br />
<br />
== Overview ==<br />
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]<br />
Security Shepherd has been implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration.<br />
<br />
===CTF Mode===<br />
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time. They must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.<br />
<br />
===User Management===<br />
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. Users' activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.<br />
<br />
===Topic Coverage===<br />
The Security Shepherd project covers the following web application security topics;<br />
<br />
*[[Top_10_2010-A1|SQL Injection]]<br />
*[[Top_10_2010-A2|Cross Site Scripting]]<br />
*[[Top_10_2010-A3|Broken Authetication and Session Management]]<br />
*[[Top_10_2010-A5|Cross Site Rrequest Forgery]]<br />
*[[Top_10_2010-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2010-A7|Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A10|Unvalidated Redirects and Forwards]]<br />
*[[Top_10_2010-A9|Insufficient Transport Layer Security]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
<br />
==Download==<br />
<br />
You can download the Security Shepherd VM or Manual Installation Pack from [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge].<br />
<br />
==Releases==<br />
<br />
Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerability examples. If these services are compromised, the core service can continue to run unaffected.<br />
<br />
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web application server like Tomcat. To eliminate tedious environment configuration; there is a Security Shepherd Virtual Machine. This environment includes Tomcat/MySQL servers pre-loaded with Security Shepherd. For those that prefer the path of higher resistance or want to build a dedicated Security Shepherd server, a manual pack is available for download as well.<br />
<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
== Future Development ==<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.<br />
<br />
The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education.<br />
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
== Events with Security Shepherd ==<br />
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]<br />
<br />
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like Facebook and the IRISScon CTF. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training. <br />
<br />
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]<br />
* Security Shepherd's platform was used be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September 2012<br />
* Security Shepherd's platform was used to administer the Traditional Style CTF at the IRISS security conference in October 2012 and 2013<br />
* Security Shepherd's platform was used to deliver the Traditional Style CTF at the 2013 SOURCE Conference CTF in Facebook<br />
* Security Shepherd's platform was used to govern the EU Tour 2013 and LATAM Tour 2013 Online CTF's<br />
* Security Shepherd's platform was used to conduct the 2013 OWASP Global CTF<br />
* Security Shepherd was used as the 2014 OWASP application security summer school CTF at the Faculty of Organization and Informatics in Varaždin<br />
* Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Project Contributors ==<br />
<br />
The Security Shepherd project was founded and is ran by Mark Denihan. The mobile wing of Security Shepherd is lead by Sean Duggan. If you wish to contribute to the OWASP Security Shepherd project please contact at mark.denihan@owasp.org, as help in any regard of the application is very much appreciated. Security Shepherd distributions are currently maintained on [http://bit.ly/shepherdSourceForge SourceForge]. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd [https://lists.owasp.org/mailman/listinfo/owasp_security_shepherd mailing list].<br />
<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to [http://www.dit.ie DIT] for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2014] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
[[File:BccRiskAdvisoryLogo.jpg]][[File:EdgescanLogo.jpg]]<br />
<br />
[[Category:OWASP Project|Security Shepherd Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:OWASP Project]]</div>Mark Denihanhttps://wiki.owasp.org/index.php?title=OWASP_Security_Shepherd&diff=194878OWASP Security Shepherd2015-05-15T12:43:51Z<p>Mark Denihan: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
[[Image:Shepherd-Injection-Lesson.JPG|thumb|300px|right|Detailed vulnerability explainations]][[Image:Shepherd-Scoreboard.JPG|thumb|300px|right|Competitive Learning Environment]]<br />
'''Security Shepherd''' is a computer based training application for web and mobile application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.<br />
<br />
== Overview ==<br />
[[Image:Shepherd-CTF-Level-One.JPG|thumb|300px|right|Easy configuration to suit every use]]<br />
Security Shepherd has been implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.<br />
<br />
Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that can not be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration.<br />
<br />
===CTF Mode===<br />
Security Shepherd can be morphed into a CTF server by an administrator with the click of a button. This presents users with one module at a time. They must complete their current level before they can continue. Administrators can also set a "Module Block" that prevents users from progressing past a certain level. It is also possible to run a CTF in a Tournament mode where a user can complete any module in any order they wish. When either of these modes are enabled, the scoreboard is then available. The scoreboard updates automatically and reflects the bonus points users achieve by completing a module first, second or third.<br />
<br />
===User Management===<br />
Security Shepherd includes a user friendly method of creating many users at a time for administrators, as well as an optional open registry system. Users' activities are logged allowing an administrator to gather real time data on who is connected to Security Shepherd and what their module progress is. This data can be mined to gather information on who was online, at what time and how much time has been actively spent on a challenge.<br />
<br />
===Topic Coverage===<br />
The Security Shepherd project covers the following web application security topics;<br />
<br />
*[[Top_10_2010-A1|SQL Injection]]<br />
*[[Top_10_2010-A2|Cross Site Scripting]]<br />
*[[Top_10_2010-A3|Broken Authetication and Session Management]]<br />
*[[Top_10_2010-A5|Cross Site Rrequest Forgery]]<br />
*[[Top_10_2010-A4|Insecure Direct Object Reference]]<br />
*[[Top_10_2010-A7|Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A10|Unvalidated Redirects and Forwards]]<br />
*[[Top_10_2010-A9|Insufficient Transport Layer Security]]<br />
*[[Mobile_Top_10_2014-M2|Insecure Data Storage]]<br />
*[[Mobile_Top_10_2014-M7|Client Side Injection]]<br />
*[[Mobile_Top_10_2014-M10|Lack Of Binary Protections]]<br />
*[[Mobile_Top_10_2014-M4|Unintended Data Leakage]] <br />
*[[Mobile_Top_10_2014-M6|Broken crypto]]<br />
<br />
==Download==<br />
<br />
You can download the Security Shepherd VM or Manual Installation Pack from [https://sourceforge.net/projects/owaspshepherd/files/ Source Forge].<br />
<br />
==Releases==<br />
<br />
Security Shepherd has been designed with expansion in mind. The application's underlying architecture is composed of a secure core application and database server that depicts how the application runs. There is also an exposed application and database service that runs all of the server side vulnerability examples. If these services are compromised, the core service can continue to run unaffected.<br />
<br />
Security Shepherd is written in Java and is compiled in a web application archive (WAR) and therefore can be run on any platform with a Java virtual machine and a web application server like Tomcat. To eliminate tedious environment configuration; there is a Security Shepherd Virtual Machine. This environment includes Tomcat/MySQL servers pre-loaded with Security Shepherd. For those that prefer the path of higher resistance or want to build a dedicated Security Shepherd server, a manual pack is available for download as well.<br />
<br />
===Security Shepherd v2.3 VM Setup:===<br />
To get a Security Shepherd VM ready to rock, follow these steps;<br />
<br />
Setting up your instance of Security Shepherd with the VM: In Steps!<br />
<br />
* Import the VM to your hyper visor (Eg: Virtual Box)<br />
* Make sure the VM has a bridged adapter (or a Host-Only adapter if you don't want anyone else to connect)<br />
* Boot the VM<br />
* Sign in with securityshepherd / owaspSecurityShepherd<br />
* Change the user password with the passwd command<br />
* In the VM, run "ifconfig" to find the IP address. Make note of this<br />
* On your host machine, open http://<VM IP Address>/<br />
* Sign in with admin / password<br />
* Change the admin password (cannot be password again)<br />
* Time to play!<br />
<br />
===Security Shepherd v2.3 Manual Pack:===<br />
The manual release is a single download, unrar, and follow the steps release. <br />
* Download the Security Shepherd Manual Pack<br />
* Install Apache Tomcat 7<br />
* Install MySql, using the default password (Contained in readme.txt) to skip future steps, if you prefer your own password go ahead and set-up MySql with that instead!<br />
* Extract the Security Shepherd Manual Pack<br />
* Copy the sql files extracted from the pack to the bin directory of MySql<br />
* Open MySql from the command line (eg: mySqlBinDirectory/mysql -u root -p ) <br />
* Type the following commands to execute the Shepherd Manual Pack SQL files;<br />
<br />
source core.sql<br />
source exposedSchema.sql<br />
<br />
* Open the webapps directory of your Tomcat instance<br />
* Delete any directories that are there already<br />
* Move the WAR file from the Shepherd Manual Pack into the webapps folder of Tomcat<br />
* Start Tomcat<br />
* Open the temp directory of Tomcat<br />
* If you chose the default when configuring MySql as your DB password, you are running MySql on the same machine as Tomcat and you are using port 3306 for MySql, you can skip this step. Otherwise, in the ROOT directory found in the temp folder, modify the /WEB-INF/coreDatabase.properties to point at your local DB with your MySql settings. Leave the Driver alone!<br />
* If you have more than one ROOT or Exposed folder in your temp folder, visit your Tomcat instance with your browser and then check the Tomcat logs for a line that reads "Servlet root =" to find which directory is the correct one to modify the MySql settings of.<br />
* Open your the root context of your Tomcat server (eg: http://127.0.0.1:8080/ )<br />
* Sign into Security Shepherd with the default admin credentials (admin / password)<br />
* Change the admin password<br />
* Follow in application prompts for further configuration<br />
<br />
== Future Development ==<br />
<br />
New levels or level ideas are wanted in the highest degree and there is development is in progress to fork the Security Shepherd platform into a CTF framework. If you wish to contribute a level or even an idea; contact Mark Denihan on mark.denihan@owasp.org.<br />
<br />
The aim of Security Shepherd's future development is to create a comprehensive platform for web and mobile application pen testing training / security risk education.<br />
Check out the project [https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap roadmap] and find some tasks that you can help with right away..<br />
<br />
To contribute right away, pull the source from [http://bit.ly/securityShepherdGithub GitHub]<br />
<br />
== Events with Security Shepherd ==<br />
[[Image:Shepherd-CTF-In-Play.JPG|thumb|300px|right|Over 60 people playing the CTF at [[HackDub2012]]]]<br />
<br />
The Security Shepherd application has been tried and tested across a number of Beta runs in venues like Facebook and the IRISScon CTF. Since these events Security Shepherd has been knocking on security doors trying to be recognized as the new platform for web application security training. <br />
<br />
* Security Shepherd was used as the [[HackDub2012|OWASP Dublin Hackathon 2012]]<br />
* Security Shepherd's platform was used be used to manage the [[AppSecIreland2012| OWASP Ireland AppSec 2012]] CTF in September 2012<br />
* Security Shepherd's platform was used to administer the Traditional Style CTF at the IRISS security conference in October 2012 and 2013<br />
* Security Shepherd's platform was used to deliver the Traditional Style CTF at the 2013 SOURCE Conference CTF in Facebook<br />
* Security Shepherd's platform was used to govern the EU Tour 2013 and LATAM Tour 2013 Online CTF's<br />
* Security Shepherd's platform was used to conduct the 2013 OWASP Global CTF<br />
* Security Shepherd was used as the 2014 OWASP application security summer school CTF at the Faculty of Organization and Informatics in Varaždin<br />
* Security Shepherd's platform was used to run the LATAM Tour 2015 Online CTF<br />
<br />
== Project Contributors ==<br />
<br />
The Security Shepherd project was founded and is ran by Mark Denihan. The mobile wing of Security Shepherd is lead by Sean Duggan. If you wish to contribute to the OWASP Security Shepherd project please contact at mark.denihan@owasp.org, as help in any regard of the application is very much appreciated. Security Shepherd distributions are currently maintained on [http://bit.ly/shepherdSourceForge SourceForge]. The Security Shepherd template makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Security Shepherd [https://lists.owasp.org/mailman/listinfo/owasp_security_shepherd mailing list].<br />
<br />
Both the Security Shepherd Platform and the Mobile Shepherd aspects of this project were initially created as part of BSc degrees in the Dublin Institute of Technology. Thanks to [http://www.dit.ie DIT] for allowing those projects to be donated to the OWASP community.<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Security Shepherd project would like to acknowledge and thank the generous support of our sponsors. Please be certain to visit their stall at the [http://bit.ly/AppSecEu2014|OWASP AppSec EU 2014] conference as well as follow them on [http://bit.ly/bccRiskAdvisory Twitter]. <br />
[[File:BccRiskAdvisoryLogo.jpg]][[File:EdgescanLogo.jpg]]<br />
<br />
[[Category:OWASP Project|Security Shepherd Project]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Tool]]<br />
[[Category:OWASP Release Quality Tool]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:OWASP Project]]</div>Mark Denihan