OWASP Hackademic: a practical environment for teaching application security presented at AppSec USA 2013

by Konstantinos Papapanagiotou,

Summary : Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system.
The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology.
The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities.
In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and more importantly security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates. For example we are expanding the use cases of Hackademic in order for it to be used in a corporate environment to either train, assess or raise awareness among employees.
Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system, that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try. Thus, it is much more difficult for students to cheat.
A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom and giving the chance to attendees to get their hands on it.