Security Shepherd
7.1.4 Security Shepherd
OWASP Security Shepherd is a web and mobile application security training platform that helps to foster and improve security awareness for development teams.
The Security Shepherd tool project is an OWASP Flagship Project and can be downloaded from the project's GitHub repository.
What is Security Shepherd?
Security Shepherd is a teaching tool that provides lessons and an environment in which to learn how to attack both web and mobile applications. This enables users to learn, or to improve upon, their existing manual penetration testing skills.
Security Shepherd runs on a Java web server such as Apache Tomcat, and this can be installed manually. There is also a pre-built virtual machine available, or the Docker image can be built and run as a container.
Why use it?
Security Shepherd can train inexperienced pen-testers towards security expert level by sharpening their testing skill-set. Pen-testing is often included as a required stage in an organization's secure software development lifecycle (SDLC).
How to use it
Security Shepherd can be run as a Docker container, as a Virtual Machine or manually on top of a web server.
The Security Shepherd wiki has step by step installation instructions:
- either build the Docker image (using docker compose) and run the container
- or download the virtual machine and run it on a hypervisor such as VirtualBox
- or install on a Tomcat web server
- or install on Windows using a Tomcat web server
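Whichever installation path is chosen, the result is a server hosting deliberately vulnerable applications, so it should only be reachable from the trainee's own host or an isolated lab network. The shell check below is an added example, not code from the Security Shepherd project or the Developer Guide: it takes the `Ports` column that `docker ps --format '{{.Ports}}'` prints for the running container and fails if any published port is bound to something other than a loopback address. The container name filter and the sample port strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Security Shepherd project code): confirm that a running
# training container publishes ports on the loopback interface only, so the
# vulnerable lessons are not reachable from other hosts on the network.
#
# Input is the Ports column of `docker ps --format '{{.Ports}}'`, for example
#   "127.0.0.1:443->443/tcp, 0.0.0.0:80->80/tcp"
# Entries without "->" (e.g. "443/tcp") are exposed only on the Docker network,
# not published to the host, and are ignored.

# Print every published mapping in "$1" whose host address is not loopback.
# The work is done in a pipeline subshell, so results are reported on stdout
# rather than through variables.
offending_mappings() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r mapping; do
        [ -z "$mapping" ] && continue
        case "$mapping" in
            *"->"*) ;;           # published to the host
            *) continue ;;       # container-network only
        esac
        host_part=${mapping%%->*}   # 0.0.0.0:80  |  [::]:80  |  :::80  |  127.0.0.1:443
        host_addr=${host_part%:*}   # strip the host port: 0.0.0.0 | [::] | :: | 127.0.0.1
        case "$host_addr" in
            127.0.0.1|localhost|"[::1]"|::1) ;;
            *) printf '%s\n' "$mapping" ;;
        esac
    done
}

# Return 0 when every published mapping is loopback-bound, 1 otherwise.
ports_loopback_only() {
    bad=$(offending_mappings "$1")
    if [ -n "$bad" ]; then
        printf 'published on a non-loopback address:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: CHECK_CONTAINER=<name> sh check_ports.sh
# The container name is an assumption; use the name shown by `docker ps`.
if [ -n "$CHECK_CONTAINER" ]; then
    ports_loopback_only "$(docker ps --filter "name=$CHECK_CONTAINER" --format '{{.Ports}}')"
fi
```

If the check fails, the fix is in the port mapping rather than in the application: in a compose file a mapping such as `"443:443"` publishes on all interfaces, whereas `"127.0.0.1:443:443"` restricts it to loopback (this is general compose syntax, not a statement about the project's own compose file). The same reasoning applies to the virtual machine option, where the hypervisor's network adapter should be host-only rather than bridged.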
Once installed and logged in, the lessons and vulnerable applications are available to use. Security Shepherd has several modes that support different training goals:
- CTF (Capture the Flag) Mode
- Open Floor Mode
- Tournament Mode
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.