OWASP Developer Guide

Security Shepherd

7.1.4 Security Shepherd

OWASP Security Shepherd is a web and mobile application security training platform that helps to foster and improve security awareness for development teams.

The Security Shepherd tool project is an OWASP Flagship Project and can be downloaded from the project’s github repository.

What is Security Shepherd?

Security Shepherd is a teaching tool that provides lessons and an environment to learn how to attack both web and mobile applications. This enables users to learn or to improve upon existing their manual penetration testing skills.

Security Shepherd is run on a web server such as Apache Tomcat and this can be installed manually. There is also a pre-built virtual machine available or a docker image can be composed to run as a container.

Why use it?

Security Shepherd can train inexperienced pen-testers to security expert level by sharpening their testing skill-set. Pen-testing is often included as a required stage in a organization’s secure software development lifecycle (SDLC).

How to use it

Security Shepherd can be run as a Docker container, as a Virtual Machine or manually on top of a web server.

The Security Shepherd wiki has step by step installation instructions:

Once installed and logged in, the lessons and vulnerable applications are available to use. Security Shepherd has modes which it can be used for different training goals:

  • CTF (Capture the Flag) Mode
  • Open Floor Mode
  • Tournament Mode

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.