OWASP_Academies_Meeting_GR_presented


OWASP at Universities:
From a lecture to an MSc
Konstantinos Papapanagiotou
Vasileios Vlachos
OWASP Greek Chapter
OWASP
5/1/2011
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
The Greek Academic OWASP landscape
OWASP
2
The Greek Academic AppSec landscape
- University of Athens
  - AppSec lectures based on OWASP material in Undergrad and Postgrad Infosec modules
  - Various student projects using OWASP material
  - Collaboration with FOSS community
- Technological Institute of Larissa
  - Extensive use of OWASP material in Undergrad Infosec module
- University of Piraeus
  - AppSec module based on OWASP material
- University of the Peloponnese
  - Thesis projects using OWASP material
OWASP in Greek Universities
- 2-3 hour lectures
  - Undergrad InfoSec module
  - PostGrad InfoSec module
  - Seminar
- AppSec course module
  - University of Piraeus postgrad
- Projects for course modules
  - Mostly practical: e.g. use of WebGoat/WebScarab
  - Translation Projects (e.g. OWASP Top10)
- BSc/MSc Thesis Projects
  - Comparison of Testing Frameworks (Testing Guide, OSSTMM, etc.)
  - Web Application Scanner
  - Translation Projects
Single Lecture
Usually 2-3 hours
Focus mainly on OWASP Top10
Either demo using WebGoat or use of screenshots
Focus on Injection and XSS
Intro to SAMM
Entire Module: The UniPi Experience
Information Security MSc
The first (and only?) AppSec module in Greece
“Full” AppSec course
6 x 3-hour lectures
No exams (at least for this year)
No projects (yet)
Practical “lab” assignments
Decision to focus mostly on Web AppSec – use material from OWASP
AppSec Module Curriculum
Curriculum
1. Secure Development Lifecycle (based on OpenSAMM and MS SDL)
2. Web Application Security and Risks (based on OWASP Top 10)
3. Web Application Vulnerabilities (demo and lab – based on OWASP WebGoat)
4. Web Application Vulnerabilities (lab based on “hackademic” challenges)
5. Countermeasures – Intro to Threat Modeling and Secure Development best practices
6. Malware and other topics
Challenges
Introducing the attacker’s perspective in Academia
by Andreas Venieris, Vasileios Vlachos, Anastasis Stasinopoulos, Alexandros Papanikolaou and Konstantinos Papapanagiotou
Hackademic Challenges
- Relatively simple challenges, mainly web exploits that involve JavaScript, PHP, web server misconfigurations, etc.
- Attempt to address the general idea behind certain network security issues, rather than providing a detailed set-up.
- Several real-world network attacks rely on the exploitation of such concepts (usually misconfigurations).
- Some may seem simple and ‘old-fashioned’ (e.g. XSS) but websites vulnerable to them exist to date!
- Variety of topics covered, rather than go too deep into one of them.
Hackademic Challenges
- A too focused course may not show how to ‘think like an attacker’.
- Several students, upon completion of the given challenges, attempted the next ones. Some did it from home ⇒ They liked it!
- For introductory, undergraduate courses, there is limited time and students must get an idea of the wider area.
- More ‘network-deep’ challenges in most cases require a dedicated network
  - need special configuration, must not expose any vulnerabilities/sensitive data.
Hackademic Challenges
No preceding introductory course to cryptography and/or network security exists (at least, not in TEI of Larissa).
When students work in large teams/groups, the most knowledgeable will most probably do the most work, and ‘deprive’ the rest of the team of this experience.
Avoid set-up issues in many different laboratories
“Hackademic Challenges” is a ‘treasure hunt’ type of game.
Hackademic Challenges
http://www.attacks.s3cure.gr/
http://sourceforge.net/projects/challenges/
Pros and Cons
Pros:
Practical demos always catch students’ attention
Students have a hands-on AppSec experience
Theoretical background is also provided
Cons:
Prerequisite knowledge of various CS topics
  - Usually such modules-lectures are given to last year students
  - Usually an optional module: many students cannot follow as vast knowledge of CS is required: programming+SDL, systems analysis, infosec, etc.
Practical exams = “difficult” exams
Challenges
Students
different levels of knowledge-interests-expertise
Professors
“experts”
Often don’t like [non-university] people messing with their curriculum-agenda
Universities
Limited budget
Hard to change curriculum
Prefer theoretic-time resistant approach
Different Countries - Cultures
To Do
Define Target audience
Undergrad vs Postgrad vs [Optional] Seminar
InfoSec vs CS – Development
Specify Teaching material
Should be country-context independent
Baseline for curriculum (minimum or indicative)
  - Presentations (already have plenty of those – need translation)
  - Reference material-books
  - Localization (translations)
  - Demo-workshops-labs
To Do (Greece)
- Establish OWASP-based courses in:
  - University of Piraeus
  - University of Athens
  - Technological Educational Institute of Larissa
- Approach other universities:
  - Athens University of Economics and Business
  - National Technical University
  - University of the Peloponnese
  - University of Central Greece
  - Athens Information Technology University (private)
- We Offer…
  - Seminar lecture for free
  - Free material-assistance for tutors
  - Assist in Thesis Projects supervision
Useful OWASP Projects
Top10
WebGoat
WebScarab
OpenSAMM / CLASP
Secure Coding Practices - Quick Reference Guide
Live CD
Broken Web Applications
Application Security Skills Assessment
Live CD Education
OWASP Education
College Chapters Program
Why not?
An AppSec MSc
8-10 modules focused on AppSec + Thesis
Application Risk Management
SDLC
Threat Modeling
Threats and Vulnerabilities
Secure Coding Practices
Testing and Verifying
…
Thank You