Hi everyone,

For years I've mostly been reading about network security, but now I feel I want to dive into application security some (a lot) more.

I've been chatting up with a friend of mine from a distant land, who does a lot of application security auditing, and who is quite active with OWASP.
He recommended WebGoat to me, as a good starting point.

It certainly seems an interesting piece of software to practice on, but just to make sure, I wanted to ask around here for opinions: did you do the lessons of WebGoat, and did you learn a thing or two from them?
Remember: I am a complete newbie in the field of appsec, however I have a fair bit of programming experience, which I hope will help to get in the right state of mind.

If it might be useful, I'm thinking of writing a little piece about my experiences with WebGoat once I'm going for it. As far as I can find, there is not such article on EHN yet?

Thanks in advance,

Dieter

Hi Anquilas,

Being a programmer too, I also think Webgoat is good for doing an one hour demo to the other developers. Once you have gone through the exercises and understood them, you can decide to put it on a laptop and and demonstrate the main attacks to the others. I found this very effective to make the other developers realize the importance of validating user input, etc.

I personally think Webgoat is a good learning tool.

I've bookmarked that site, and have just been waiting to have enough time to go through WebGoat myself. I would love to read a write up of your experiences going through it.

Seems like a very useful learning tool.

good info! is this the same as the OWASP liveCD? or does this contain extra functionality?

Thanks for the tip, I'll take a look at the virtual image option.

Kn15: same with the time-issue :-) But this week I finally have some, so I think I'll give it a shot.

Writing about the experience is certainly an extra motivation to do it properly. I'll keep you guys informed! Thanks!

I will take that to heart n1p, thanks!

I used this free evening to get starting with WebGoat, and I'm already getting hooked :-)
I'll write my first little piece, concerning the first steps and the first lessons, asap. This way I can get some guidelines from you guys early in the process.
InfoSecurity.be event tomorrow and the day after though, so not sure about the exact eta.

It's turning out to be a magnificent security-oriented week for me, with getting to know EHN and going to my first conference :-) I love it!