What is this all about?
The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skillset demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, whereas a challenge puts what the user learned in the lesson to use.
Security Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Using these risks as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. Many of these levels include insufficient mitigations and protections against these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration. The modules have been crafted to provide a challenge not only for a security novice, but for security professionals as well.
Over the last year the OWASP Security Shepherd has proven itself to be a resilient platform on which CTF (Capture the Flag) events can be deployed. Examples include:
The OWASP Global CTF 2013
IRISScon 2013 Cyber Security Challenge
The OWASP EU Tour 2013 Online CTF
Source Conference CTF
The OWASP LATAM 2013 Tour Online CTF
The OWASP Ireland AppSec 2012 CTF
One of the biggest concerns that organisers of CTF competitions have is that their system or scoreboard may be compromised. There are few open source projects that offer a secure CTF platform to utilise. With the Shepherd platform having been subject to the playful prods and less playful assaults from five continents, it is a candidate to fill this gap. The OWASP Security Shepherd is in the process of being forked to provide the OWASP Shepherd CTF Platform.