DOI: 10.1145/1414558.1414607 (research article)

Integrating web application security into the IT curriculum

Published: 16 October 2008

ABSTRACT

Attackers are increasingly targeting web applications. Buffer overflows had been the most common vulnerability type since CERT began collecting statistics, but web application vulnerabilities like cross-site scripting have dominated vulnerability reports since 2005. Despite billions of dollars spent on network security, the amount lost to computer crime, much of it the result of the insecurity of web applications, grows every year. In part, this problem results from the fact that perimeter security techniques like firewalls do little to protect web applications.

In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Both information security and web programming classes need to cover this topic. This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Some techniques, such as penetration testing using web proxies, are applicable to both types of classes. Other techniques, such as secure programming guidelines, are primarily useful in web programming classes, while some tools, like web application firewalls, are more important in information security classes.

We use the open source web application security teaching tool WebGoat for introductory labs that teach the students about the nature of specific vulnerabilities like SQL injection. These labs also introduce students to open source web testing proxies, such as Burp Suite, which they use more deeply in later labs that focus on penetration testing of a complete web application. Students in security classes also learn how to use web vulnerability scanners and web application firewalls, while web programming classes focus on learning how to write code without common vulnerabilities.


Published in: SIGITE '08: Proceedings of the 9th ACM SIGITE conference on Information technology education, October 2008, 280 pages. ISBN: 9781605583297. DOI: 10.1145/1414558.

            Copyright © 2008 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 176 of 429 submissions (41%)
