Securing WebGoat using ModSecurity

This year, the OWASP's Summer of Code event contains one project that's of particular interest to me (and possibly to you, consider that you're following this blog): Securing WebGoat Using ModSecurity. If you've even seen WebGoat (a learning sandbox that contains samples of many application security issues) then you know how difficult it might be to secure. It's true; it's probably the worst-case scenario for ModSecurity, because it's not your typical application, and it contains a number of problems that require the understanding of application state to exploit (and thus protect too). So we should all congratulate Stephen Evans for pulling through and reaching the end of the project.

I find the project interesting because it stretches the boundaries of what ModSecurity can do. For example, one of the features Stephen relied heavily on is the Lua scripting language, which is currently marked as experimental. As we are currently working on the design for ModSecurity 3, Stephen's feedback is going to be very useful to us.

If this sort of thing is indeed of interest to you then you need to know that Stephen will be sharing his experiences during the OWASP Summit in Portugal next week. If you'll be attending the summit (or even if you can schedule a trip on short notice) do consider attending.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.