Hack your way to a degree: a new direction in teaching application security at universities presented at AppSecUSA 2012

by Konstantinos Papapanagiotou

Tags: Security

Summary: Teachers of application security in higher education institutions and universities face some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the established stereotypes present potential intruders as ingenious and able to penetrate almost every system. The OWASP Hackademic Challenges Project introduces the "attacker's perspective" into higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker's perspective. Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges were created two years ago in order to be used for teaching application security in a class of more than 200 students at the Technical Educational Institution of Larissa, Greece. Currently, they are used by more than a dozen universities around the world and are also part of the "Hacking Lab" and the "OWASP University Challenge". In addition, we have received contributions to the project, mainly in the form of new challenges, from several researchers, including the New Jersey Institute of Technology.

The students' involvement in practical, pre-designed scenarios was originally attempted during two university courses, so that they could understand the way intruders think, the methodologies they follow, and the liabilities one may face for the flawed security of applications and/or the supporting infrastructure.
Based on the above, an educational software tool was developed which comprised a variety of realistic scenarios, where the student had to locate and exploit various vulnerabilities in order to successfully complete the challenge. The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities. In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present the new interface that was developed during the Google Summer of Code 2012. This interface introduces significant capabilities and features, mainly for teachers and administrators. A teacher is able to organize students into classes, monitor their progress as they solve the challenges, and introduce new challenges to specific groups on a scheduled basis. Moreover, we will introduce an automated mechanism for adding new challenges to the system. A challenge can be automatically integrated into the system after it is tested by an administrator. The entire procedure is transparent to the user who submits the challenge, and no changes to the server or the back-end are required. The OWASP Hackademic Challenges is the first project that supports automatic integration of new challenges, facilitating the submission of new challenges by the community.
A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom.