The *only* way to learn application security is to test applications
"hands on" and examine their source code. To encourage the next
generation of application security experts, the Open Web Application
Security Project (OWASP) has developed an extensive lesson-based
training environment called "WebGoat".

WebGoat is a lesson-based, deliberately insecure web application
designed to teach web application security. Each of the 25 lessons
gives the user an opportunity to demonstrate their understanding by
exploiting a real vulnerability. WebGoat lets the user examine the
underlying code to gain a better understanding of the vulnerability,
and it provides runtime hints to assist in solving each lesson. V3.7
includes lessons covering most of the OWASP Top Ten vulnerabilities and
contains several new lessons on web services, SQL Injection, and
authentication.

WebGoat 3.7 is available for free download from:
http://www.owasp.org/software/webgoat.html

Simply unzip, run, and go to WebGoat in your browser to start learning.

The OWASP Foundation is dedicated to finding and fighting the causes of
insecure software. Find out more at http://www.owasp.org.

--Jeff