(From Ken van Wyk)
Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.
The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them. Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time. iGoat was sponsored and initially developed by KRvW Associates, LLC (www.krvw.com), and is being released under GPLv3 licensing to the community.
With the first public release, we've included several initial exercises and exercise categories. These include such well-known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it. No doubt, further improvements will quickly surface as the community starts using the tool...
iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project
All releases and source code are on Google Code. See the project home page above for further details.

Call for Participation

The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk (firstname.lastname@example.org), if you wish to contribute to the project.
An open, unmoderated forum has been set up for the iGoat project. To subscribe, see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project