Presented at <a href="http://www.dodcybercrime.com/10CC/">DoD Cyber Crime</a> in Saint Louis, MO on January 27, 2010.
The idea of creating web applications with intentional vulnerabilities is nothing new. It seems that everyone created at least one such application around the turn of the millennium. The problem is that most of those applications haven’t been updated since then. In addition to being dated, these applications are largely closed source, can be complicated to set up, and often conflict with one another. In an effort to address these issues, this talk will describe a new infrastructure for creating and running a variety of open source, vulnerable web applications that all co-exist on a single virtual machine. This system can be used by anyone looking for an environment in which to learn about and experiment with vulnerable web applications, including system and network administrators, developers, penetration testers, and incident responders.
Chuck Willis is a Technical Director with Mandiant and an industry-recognized expert in computer security with over 10 years’ experience in web application security, investigations, computer forensics, and information security. Mr. Willis received his Master of Science in Computer Science from the University of Illinois at Urbana-Champaign. During graduate school, he worked on the Cherubim active security system, where he defined, implemented, and documented security interfaces, including key negotiation and encryption. Mr. Willis is a Certified Information Systems Security Professional and a Certified Forensic Computer Examiner, and he holds an active Top Secret U.S. government security clearance.