The Men Who Stare at Goats: Learn the Hack. Stop the Attack.

Author, Jeff Wayman

Jeff Wayman

“More of this is true than you believe” – The Men Who Stare at Goats

The quote above, was a tagline for the movie loosely based on a book by the same name. If you haven’t seen it, it’s an entertaining romp with heavy hitters like George Clooney, Ewan McGregor (Star Wars allusions intact), and Kevin Spacey.

The basic premise is about a top secret program within the US military aimed at exploring  a variety of “special powers”, and developing an elite group of warrior monk Jedis. To quote the movie, more of this is true than you believe.

Perhaps the most interesting of these is the claimed ability that a goat can be killed simply by staring at them… in just the right way of course. I’ll let you find the exciting conclusion to that premise on your own.

In the mean time, lets use this as a metaphor for solving application security vulnerabilities. It actually works better than you may think.

The Scenario

In most cases, even when a team knows an issue exists there isn’t much they can do beyond stare at it. That’s because the general expectation is that Engineers, QA, Support, or [insert team member title of your choice here], will simply have an inherent ability to detect, troubleshoot, and resolve these types of security issues.

In essence it’s like trying to kill a goat simply by staring at it. That friends, takes a special type of skill, and while it might work on goats, in the case of application security it takes some specialized training.

Needless to say, just as the army did, you’ll need goats to practice on. Luckily in the case of learning how to identify security vulnerabilities, you just need one, a WebGoat. Also, you won’t be endlessly staring at something. Instead, you will be interacting with customized training material developed by, and in partnership with, recognized experts in software security. A process we like to call, “Learn the Hack – Stop the Attack.”

About the WebGoat Project

For the uninitiated, WebGoat is a deliberately insecure JavaEE application – Provided by the OWASP Foundation.

That’s our tagline, and it really says what it is, but it doesn’t do justice to its purpose. It also doesn’t tell you anything about the recent overhaul it has had, and is still ongoing. Everything from modernizing its look and feel, to adding a host of new features.

WebGoat provides a teaching platform that assists development teams in learning how to improve software quality and reduce risk for their company. That directly translates to happier customers (read: all of us).

This isn’t new for WebGoat though. That’s something it’s been doing for awhile, and now it’s easier to use and more relevant than ever.

Just take a look at the latest improvements:

  • Overhaul of the UI (sleek new single page application, new graphics and style)
  • Initial migration to a backend based on REST services
  • Removed the need for an application server
  • New builds are built nightly.
  • Documentation and website updated and improved

Future Plans

We have exciting plans for the future! At it’s heart, WebGoat is a container and a set of shared services for hosting security lessons. In the near future, when you target your lesson to WebGoat you won’t have to worry about all the boilerplate. Just write your lesson, drop it in and let WebGoat do the rest. Our plans include:

  • New plugin architecture for lessons
  • Continue our modernization of the UI and REST based backend
  • Update existing lessons to include:
    • New and modern framework and component attacks
    • Security defense
    • Best practices (attack prevention)
    • References to other OWASP projects
  • Enhance WebGoat with new reporting and lesson management features

If you haven’t checked out WebGoat, and especially if this is your first time hearing about it, take a look at what we’re doing. Better yet, get involved, visit the “how to contribute” link on the WebGoat project page.  Because you know, you may be expected to stare at a lot of goats, but it’s not likely you accomplish much. That’s not impossible, just improbable.


Got Goat? The WebGoat Project


The following two tabs change content below.

Jeff Wayman

Add one part expounding the values of word-nerdiness with another part fulfilling the responsibilities of a Conduit of Goodness between Engineering and Marketing. Next mix in a healthy helping of leading the overall direction for product marketing, and then bake for about four-plus years.

Related posts