Tuesday, April 26, 2011

Bringing Web Application Security to University Students

Over the weekend Mozilla led an open source boot camp at Stanford University with a great lineup of courses including a hands-on web security lab where students performed actual exploits against a vulnerable web application.

The goal of the web security workshop was to educate students about the top security threats facing today’s web applications. By performing the exploits themselves, the students were able to fully grasp both the impact of these weaknesses and the ease with which an attacker could compromise a vulnerable application. The combination of the lab activities and secure coding principles provided the next generation of computer scientists with the skills to better understand web application threats and the importance of building security into their applications.

Unlike a traditional presentation where there is one speaker and many listeners, the web security workshop leveraged a vulnerable web application platform created by OWASP that enabled students to perform actual exploits against a running web application.
The workshop addressed four prominent web application security issues:
  • cross site scripting
  • access control
  • SQL injection
  • cross site request forgery
The event was structured to provide each student with an understanding of the vulnerability, knowledge of the impacts and risks the vulnerability poses to users, the ability to exploit the vulnerability within a running application, and the secure design patterns necessary to avoid these weaknesses in their own applications.
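As an added illustration of the secure design patterns for the four issues listed above (this is example code written for this post, not material from the workshop or from the OWASP application it used), the following Python snippet shows one defensive pattern per vulnerability class: a parameterised query for SQL injection, context-appropriate output encoding for cross site scripting, a server-side ownership check for access control, and a per-session token compared in constant time for cross site request forgery. The in-memory `users` table, the `session` dictionary and all function names are constructed for the example.

```python
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return db


# 1. SQL injection: a parameterised query keeps user input out of the SQL
#    grammar, so a quote inside the value is data rather than syntax.
def find_user_by_name(db, name):
    return db.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# 2. Cross site scripting: encode untrusted data for the HTML context it is
#    inserted into before it reaches the browser.
def render_greeting(name):
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


# 3. Access control: authorise against the server-side session identity, never
#    against an identifier the client supplied in the request.
def get_profile(db, session_user_id, requested_id):
    if session_user_id != requested_id:
        raise PermissionError("record does not belong to the current user")
    return db.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (requested_id,)
    ).fetchone()


# 4. Cross site request forgery: bind state-changing requests to a secret the
#    browser only holds because the user loaded our form in this session.
def issue_csrf_token(session):
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if not expected or submitted is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    print(find_user_by_name(db, "o'brien"))       # quote is just data: []
    print(render_greeting("<b>alice</b>"))         # tags arrive encoded
    session = {}
    token = issue_csrf_token(session)
    print(csrf_token_valid(session, token), csrf_token_valid(session, "stale"))
```

Each function returns its result rather than writing to a response object, so the same checks can be dropped into a request handler of any framework; the important property in every case is that the decision is made on the server from data the client cannot control.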

The web security workshop was a great success and received very strong feedback from the students. Students particularly enjoyed the lab element that allowed them to put the new skills they’d just learned into use.

The full slide deck and notes on how to set up the web security testing software are online for anyone who would like to work through the material on their own. Mozilla is hoping to conduct similar open source workshops at other universities around the world.

Full List of Mozilla courses at the boot camp:
  • 7 Lessons from Mozilla – Pascal Finette & Todd Simpson, Mozilla Labs
  • Hacking the Firefox UI, Shawn Wilsher & Frank Yan
  • Managing Software at Internet Scale, Christian Legnitto
  • Web Security, Hands on Learning, Michael Coates
  • Frontend Development Foundations, Matthew Claypotch
  • Scaling a Web Application, Jeff Balogh

-Michael Coates - @_mwc