Security Awareness for Developer Part 1: Tool

How to learn in the best way?

For me it is through examples, and luckily examples are really easy to find right now.

I would recommend using OWASP BWA (the OWASP Broken Web Applications Project).

It is a VM image usable with VMware Player (free and available on Linux and Windows); if you are allergic to VMware, you can easily convert it to another format.

What is OWASP?

First, a definition of OWASP quoted from their website:

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

In practice, OWASP provides recommendations and highlights the biggest risks applications face.

You can use many of their projects to raise security and risk awareness:

  • The Top Ten: identifies the most critical risks in web applications.
  • WebGoat: a deliberately insecure application for learning how vulnerabilities are exploited.
  • WebScarab: a proxy to inspect the data exchanged with the application (and modify it on the fly if you wish).
  • OWASP Testing Guide: a document providing a methodology to evaluate the security level of a web application.
  • OWASP Code Review Guide: a document providing a methodology to perform an efficient security code review.

What is OWASP BWA?

It is a preconfigured VM with many insecure applications already installed (the list below is copied from their website):

  • Training Applications
    Applications designed for learning which guide the user to specific, intentional vulnerabilities.

    • OWASP WebGoat version 5.4+SVN (Java)
    • OWASP WebGoat.NET version 2012-07-05+GIT (ASP.NET)
    • OWASP ESAPI Java SwingSet Interactive version 1.0.1+SVN (Java)
    • OWASP Mutillidae II version 2.6.24+SVN (PHP)
    • OWASP RailsGoat (Ruby on Rails)
    • OWASP Bricks version 2.2+SVN (PHP)
    • OWASP Security Shepherd version 2.4+GIT (Java)
    • Ghost (PHP)
    • Magical Code Injection Rainbow version 2014-08-20+GIT (PHP)
    • bWAPP version 1.9+GIT (PHP)
    • Damn Vulnerable Web Application version 1.8+GIT (PHP)
  • Realistic, Intentionally Vulnerable Applications
    Applications that have a wide variety of intentional security vulnerabilities, but are designed to look and work like a real application.

    • OWASP Vicnum version 1.5 (PHP/Perl)
    • OWASP 1-Liner (Java/JavaScript)
    • Google Gruyere version 2010-07-15 (Python)
    • Hackxor version 2011-04-06 (Java JSP)
    • WackoPicko version 2011-07-12+GIT (PHP)
    • BodgeIt version 1.3+SVN (Java JSP)
    • Cyclone Transfers (Ruby on Rails)
    • Peruggia version 1.2 (PHP)
  • Old Versions of Real Applications
    Open source applications with one or more known security issues.

    • WordPress 2.0.0 (PHP, released December 31, 2005) with plugins:
      • myGallery version 1.2
      • Spreadsheet for WordPress version 0.6
    • OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
    • GetBoo version 1.04 (PHP, released April 7, 2008)
    • gtd-php version 0.7 (PHP, released September 30, 2006)
    • Yazd version 1.0 (Java, released February 20, 2002)
    • WebCalendar version 1.03 (PHP, released April 11, 2006)
    • Gallery2 version 2.1 (PHP, released March 23, 2006)
    • TikiWiki version 1.9.5 (PHP, released September 5, 2006)
    • Joomla version 1.5.15 (PHP, released November 4, 2009)
    • AWStats version 6.4 (build 1.814, Perl, released February 25, 2005)

More details about the project:

Files available here:

Next post: how to set up a security lab.

Security Awareness for Developer Part 2: Setup a Security Lab

Posted in Security for Web Developers
