This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Project Information:template Securing WebGoat using ModSecurity - Final Review - Self Evaluation - B

From OWASP
Jump to: navigation, search

Clik here to return to the previous page.

FINAL REVIEW
PART I

Project Deliveries & Objectives

OWASP Securing WebGoat using ModSecurity Project's Deliveries & Objectives

QUESTIONS ANSWERS

1. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please exemplify writing down those of them that haven't been realised.

Two deliverables have not been realised: (1) Configuration of ModSecurity as a reverse proxy (embedded mode was used for the entirety of the project); and (2) Test final rulesets and ModSecurity Reverse Proxy on two other Linux distros (only Kubuntu 7.10 was used).

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please quantify in terms of percentage.

In my opinion, 100% of the project deliverables and objectives have been achieved: (1) In the Background section of Section 1: Introduction, "The lessons in WebGoat 5.2 detail over 30 different types of attacks". The goal of solving 90% of the WebGoat lessons was set at the same time, but actually there are 47 sublessons... 40 out of 47 of the WebGoat sublessons were solved, or 85%. The original goal was 90%, or 42 lessons. Of the 7 unsolved lessons, ideas for solutions are given for 6 of them; in some cases, there is more than one idea since the reviewer comments are shared on the wiki (see 'Section 4.3: Sublessons that do not count or were not solved (and why)')... So, I believe the goal - and its intent - was fully achieved; (2) The 2 points in the previous section - project deliverables not realised - are not really earth-shattering since we know that the reverse proxy configuration works and on many different Linux distributions. I believe this is more than offset by the research that was done on Lua scripting in ModSecurity, especially adding functionality to the Lua engine and rebuilding it from source with the added functionality (see 'Appendix C: Building the Lua library and standalone executable').

3. What kind of help is required either from the Reviewers or from the OWASP Community?

(1) That the reviewers finish reviewing my 2nd half solutions (see 'Section 4.2: Project metrics at 100% completion'); (2) While not required, it would be nice to get some feedback on my entries in 'Section 1.5: Future development and long-term vision'.
PART II

Assessment Criteria

OWASP Project Assessment Criteria

QUESTIONS ANSWERS

1. Having into consideration the OWASP Project Assessment Methodology which criteria, if any, haven’t been fulfilled in terms of Alpha Quality status?

N/A

2. Having into consideration the OWASP Project Assessment Methodology which criteria, if any, haven’t been fulfilled in terms of Beta Quality status?

Perhaps "all wiki content has been reviewed by a technical editor". Please see my comments in #4.

3. Having into consideration the OWASP Project Assessment Methodology which criteria, if any, haven’t been fulfilled in terms of Release Quality status?

N/A

4. What kind of help is required either from the Reviewers or from the OWASP Community?

To fulfill Beta Quality requirement of: "All wiki content has been reviewed by a technical editor to ensure that English grammar is correct, understandable, and the content flows well." I believe that wiki content is more than acceptable but it might be nice to have another set of eyes on it and review it. It is not clear whether I, as the only project member, can be the technical editor.