Some colleagues and I were discussing this a while back, and while it may be hard to create, I really think this could be helpful for us as developers. The name is just a suggestion. Someone can probably come up with something better. This is a potential outcome of the developer outreach.

The gist

The idea is to develop a server component and, let's say, three web apps: one Java, one .NET and, say, one Ruby on Rails. The three web apps use common frameworks and all contain the same functionality, but they also contain the same vulnerabilities.

The server component's job is to attack these predefined vulnerabilities. Because the set of vulnerabilities is known, the server knows what to attack and how.

So as a developer I pick the flavor of web app I want to learn how to defend, and set it up to run on my laptop. I then set up the server component on the network and register my web app with the server. This lets the server know where to send attacks.

The goal is for me as a developer to learn how to find and fix vulnerabilities in the environment I normally work in.

Potential issues

A developer unfamiliar with secure coding may attempt to block attacks the wrong way, e.g. blacklisting common SQLi words like SELECT or 1=1. To avoid this, the attacks should vary encoding and attack form for each vulnerability. We could also provide a piece of code that fixes the problem for each vulnerability, so there is something to look at if you get stuck.
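To illustrate the point about wrong fixes, here is an added example (not code from the original post or from any of the proposed apps) showing why a keyword blacklist is the wrong defence for SQL injection and what the "reference fix" shipped with each vulnerability could look like. The users table, its rows and the blacklist are constructed for the example; it runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: an in-memory users table for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("selecta", "user")])
    return conn

# The vulnerable original: user input concatenated straight into the SQL text.
def lookup_concat(conn, name):
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

# The wrong fix: a keyword blacklist in front of the same concatenated query.
# It rejects legitimate input (the user "selecta" contains "select") and the
# query underneath is still built from strings, so it is only as good as the list.
BLACKLIST = ("select", "1=1", "--")

def lookup_blacklist(conn, name):
    if any(token in name.lower() for token in BLACKLIST):
        return None  # rejected as "suspicious"
    return lookup_concat(conn, name)

# The correct fix: a bound parameter. The driver passes the input as data,
# so it can never change the structure of the statement, whatever it contains.
def lookup_parameterized(conn, name):
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concat:", lookup_concat(db, payload))          # every row leaks
    print("blacklist:", lookup_blacklist(db, "selecta"))  # legitimate user rejected
    print("param:", lookup_parameterized(db, payload))    # no rows: treated as a name
```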

Another problem is maintenance. These apps would have to be maintained, kept up to date with common frameworks, and new attacks should be added as they are discovered.

What do you think? Good idea? Too far fetched? Too much work to build?
Jeremy
Great idea, similar to other ideas I've heard of such as a Secure the Flag competition (from Mark Bristow). I'd love to see something like this come to fruition; but unfortunately, as a volunteer project it might be problematic.

One thought: rather than have the "server" attack, we could create "test" cases with O2 that a developer can run against the code, similar to a unit test. Dinis Cruz has done some interesting things with the dynamic side of O2 and I could definitely see this working.

Heck, I may start working on the idea in my spare time soon...
Erlend
That's a good idea. Using something like Watin (I think that's what Dinis is using) would really simplify things. It would be difficult to run it as a competition, but still it would be a good start.