OWASP at Universities: From a lecture to an MSc
Konstantinos Papapanagiotou
Vasileios Vlachos
OWASP Greek Chapter
OWASP
5/1/2011
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
The Greek Academic AppSec landscape
University of Athens
  AppSec lectures based on OWASP material in Undergrad and Postgrad Infosec modules
  Various student projects using OWASP material
  Collaboration with FOSS community
Technological Institute of Larissa
  Extensive use of OWASP material in Undergrad Infosec module
University of Piraeus
  AppSec module based on OWASP material
University of the Peloponnese
  Thesis projects using OWASP material
OWASP in Greek Universities
2-3 hour lectures
  Undergrad InfoSec module
  PostGrad InfoSec module
  Seminar
AppSec course module
  University of Piraeus postgrad
Projects for course modules
  Mostly practical: e.g. use of WebGoat/WebScarab
  Translation Projects (e.g. OWASP Top10)
BSc/MSc Thesis Projects
  Comparison of Testing Frameworks (Testing Guide, OSSTMM, etc.)
  Web Application Scanner
  Translation Projects
Single Lecture
Usually 2-3 hours
Focus mainly on OWASP Top10
Either demo using WebGoat or use of screenshots
Focus on Injection and XSS
Intro to SAMM
Entire Module: The UniPi Experience
Information Security MSc
The first (and only?) AppSec module in Greece
“Full” AppSec course
6 x 3-hour lectures
No exams (at least for this year)
No projects (yet)
Practical “lab” assignments
Decision to focus mostly on Web AppSec – use material from OWASP
AppSec Module Curriculum
1. Secure Development Lifecycle (based on OpenSAMM and MS SDL)
2. Web Application Security and Risks (based on OWASP Top 10)
3. Web Application Vulnerabilities (demo and lab – based on OWASP WebGoat)
4. Web Application Vulnerabilities (lab based on “hackademic” challenges)
5. Countermeasures – Intro to Threat Modeling and Secure Development best practices
6. Malware and other topics
Challenges
Introducing the attacker’s perspective in Academia, by Andreas Venieris, Vasileios Vlachos, Anastasis Stasinopoulos, Alexandros Papanikolaou and Konstantinos Papapanagiotou
Hackademic Challenges
Relatively simple challenges, mainly web exploits that involve JavaScript, PHP, web server misconfigurations, etc.
Attempt to address the general idea behind certain network security issues, rather than providing a detailed set-up.
Several real-world network attacks rely on the exploitation of such concepts (usually misconfigurations).
Some may seem simple and ‘old-fashioned’ (e.g. XSS) but websites vulnerable to them exist to date!
Variety of topics covered, rather than go too deep into one of them.
Hackademic Challenges
A too narrowly focused course may not show how to ‘think like an attacker’.
Several students, upon completion of the given challenges, attempted the next ones. Some did it from home ⇒ They liked it!
For introductory, undergraduate courses, there is limited time and students must get an idea of the wider area.
More ‘network-deep’ challenges in most cases require a dedicated network, need special configuration, and must not expose any vulnerabilities/sensitive data.
Hackademic Challenges
No preceding introductory course to cryptography and/or network security exists (at least, not in TEI of Larissa).
When students work in large teams/groups, the most knowledgeable will most probably do the most work, and ‘deprive’ the rest of the team of this experience.
Avoid set-up issues in many different laboratories
“Hackademic Challenges” is a ‘treasure hunt’ type of game.
Hackademic Challenges
http://www.attacks.s3cure.gr/
http://sourceforge.net/projects/challenges/
Pros and Cons
Pros:
  Practical demos always catch students’ attention
  Students have a hands-on AppSec experience
  Theoretical background is also provided
Cons:
  Prerequisite knowledge of various CS topics
  Usually such modules-lectures are given to last year students
  Usually an optional module: many students cannot follow as vast knowledge of CS is required: programming+SDL, systems analysis, infosec, etc.
  Practical exams = “difficult” exams
Challenges
Students
  different levels of knowledge-interests-expertise
Professors
  “experts”
  Often don’t like [non-university] people messing with their curriculum-agenda
Universities
  Limited budget
  Hard to change curriculum
  Prefer theoretic-time resistant approach
Different Countries - Cultures
To Do
Define Target audience
  Undergrad vs Postgrad vs [Optional] Seminar
  InfoSec vs CS – Development
Specify Teaching material
  Should be country-context independent
  Baseline for curriculum (minimum or indicative)
  Presentations (already have plenty of those – need translation)
  Reference material-books
  Localization (translations)
  Demo-workshops-labs
To Do (Greece)
Establish OWASP-based courses in:
  University of Piraeus
  University of Athens
  Technological Educational Institute of Larissa
Approach other universities:
  Athens University of Economics and Business
  National Technical University
  University of the Peloponnese
  University of Central Greece
  Athens Information Technology University (private)
We Offer…
  Seminar lecture for free
  Free material-assistance for tutors
  Assist in Thesis Projects supervision
Useful OWASP Projects
Top10
WebGoat
WebScarab
OpenSAMM / CLASP
Secure Coding Practices - Quick Reference Guide
Live CD
Broken Web Applications
Application Security Skills Assessment
Live CD Education
OWASP Education
College Chapters Program
Why not?
An AppSec MSc
8-10 modules focused on AppSec + Thesis
  Application Risk Management
  SDLC
  Threat Modeling
  Threats and Vulnerabilities
  Secure Coding Practices
  Testing and Verifying
  …
Thank You