| title | layout | tab | order | tags |
|---|---|---|---|---|
Features |
true |
2 |
shepherd |
Security Shepherd provides;
- Teaching tool for application security
- Web application pen testing training
- Mobile application pen testing training
- Safe playground to practice AppSec techniques
- Real security risk examples
| Feature | Details |
|---|---|
| Wide Topic Coverage | Shepherd includes more than seventy levels across the entire spectrum of Web and mobile application security - within a single project. |
| Gentle Learning Curve | Shepherd is a perfect entry point for users completely new to security, with levels increasing in difficulty at a manageable pace. |
| Layman Write Ups | Each security concept, when first addressed in Shepherd, is presented using plain language, so it can be readily understood by beginners. |
| Real World Examples | The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world. |
| Scalability | Shepherd can be used locally by a single user or easily as a server for a high amount of users. |
| Highly Customisable | Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts) |
| Perfect for Classrooms | Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level. |
| Scoreboard | Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard. |
| User Management | Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience. |
| Localisation Support | Security Shepherd material is available in multiple languages from a single instance. Students with alternative language preferences can compete in the same Shepherd instance as others without issue. |
| Robust Service | Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no downtime, bar planned maintenance periods. |
| Configurable Feedback | An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students. |
| Granular Logging | The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know. |
The Security Shepherd project covers the following web and mobile application security topics;
- SQL Injection
- Broken Authentication and Session Management
- Cross Site Scripting
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Unvalidated Redirects and Forwards
- Poor Data Validation
- Insecure Data Storage
- Unintended Data Leakage
- Poor Authentication and Authorisation
- Broken crypto
- Client Side Injection
- Lack Of Binary Protections