David A. Wheeler
The OWASP Juice Shop project has (after some time) gotten a badge, and I plan to let their application stand:
This is an odd project for the badging application, because it is an *intentionally* insecure webapp, designed for security training. You could certainly argue that it shouldn’t have a badge *because* it has known vulnerabilities that won’t be fixed (since that is its purpose). They certainly had to provide extra text for some of the project justifications J.
However, in *context* I think it’s fine. The project badge entry, and the project page itself, make it immediately clear that this is an "intentionally insecure webapp” – and thus the security expectations are different for it. I understand from the description that they intend to leave vulnerabilities that are supposed to be there, and fix vulnerabilities that are not supposed to be there (or document them so that they're supposed to be there too). That means they still have to deal with vulnerability reports.. it’s just that what they count as a vulnerability is a little different J.
In a broad sense this project helps our mission too, because we're all trying to help develop more secure software. It’s very unlikely someone would field this project for “real” work (since it’s known to be vulnerable), so these vulnerabilities are unlikely to cause serious harm. Indeed, the presence of these vulnerabilities should help train people. Most industries have a variety of test objects & training materials that help people meet various objectives, and I think this project fits into that category.
I didn’t want people to think I’d ignored this issue, though. If you have very strong objections, please let me know.
--- David A. Wheeler