Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University

Published byCornelia Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University"— Presentation transcript:

1 Improving Web Security Education with Virtual Labs and Shared Course Modules
Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University Seidenberg School Research Day 05/07/2010

2 Outline Motivation Virtualization
SWEET – Secure Web Application Development SWEET teaching modules Examples HTTP & HTML Introduction Web Vulnerabilities © Li-Chiou Chen, Pace University

3 Motivation Lack of Undergraduate Web Security Teaching Modules
Current web vulnerabilities and secure programming literature were designed for practitioners Aimed to design a new teaching tool called SWEET (Secure WEb dEvelopment Teaching) For Undergraduate security curriculum Software stack packaged in VMware virtual appliance Installed in portable laboratories using laptops

4 What is virtualization
the virtualization of a computer means to run emulator software on a computer (host computer or physical computer) to emulate another desired computer (virtual computer). Emulator software : VMware Player or Microsoft Virtual PC © Li-Chiou Chen, Pace University

5 Types of virtualization technologies
Server side virtualization running the virtual computers on a remote server computer Client-side virtualization running the virtual computers on users’ own computers We uses client-side virtualization in our project © Li-Chiou Chen, Pace University

6 SWEET Project Pace University, Pleasantville & New York City, NY
Designated as a Centers of Academic Excellence in Information Assurance Education (CAEIAE) by the DOD and DHS (since 2004) DOD-Supported security labs Graduate IA Track in MS/IT and MS/IS Programs Undergraduate IA Minor in conjunction with Criminal Justice CUNY City College of Technology OWASP (Open Web Application Security Project) NY/NJ Chapter serving as Industry Advisor Project web site:

7 SWEET Architecture Application Layer: Paros, WebGoat, WebScarab
Virtual Machine Layer: Windows and Fedora Linux VMs Operation Systems Layer: Windows & Linux

8 Applications in SWEET Virtual Appliance
Web and application servers IIS, Apache, GlassFish Web Proxy Paros, WebScarab6 Web Security testing WebGoat7, .Net Security Toolkits8 Programming/scripting languages Java, C#, C/C++, VB.Net, Perl, Ruby, PHP Programming IDEs JDK, Eclipse, NetBeans, Visual Studio Tutorials and documentation MSDN library, Java EE service and XML tutorials and laboratory exercises.

9 SWEET Teaching Modules
[Module#1] Web Development Overview Content: HTML & HTTP, URL rewrite, session management with cookies, server session objects Lab: webserver setup, web proxy experiment [Module#2] Service-Oriented Architecture Content: Web Services, XML, WSDL, SOAP Lab: Configure & secure a web service application

10 SWEET Teaching Modules (cont’d)
[Module#3] Secure Web Communications Content: SSL, PKI/X.509, Online Certification Status Protocol (OCSP) Lab: Configure SSL on a webserver to create & sign a server certificate [Module#4] Secure Analysis & Design Content: Secure SDLC, CLASP, Abuse Case, Risk Analysis, Secure UML Lab: Design a secure requirement plan & conduct a risk analysis

11 SWEET Teaching Modules (cont’d)
[Module#5] Secure Implementation Content: SQL injection, buffer overflow, poor authentication; Code Review, Risk-Based Testing Lab: Hands-on testing on a vulnerable server [Module#6] Secure Deployment Content: cross site scripting (XSS) and e-shoplifting; architectural risk analysis - attack resistance/ambiguity/weakness analyses. Lab: Hands-on testing on a vulnerable server

12 SWEET Teaching Modules (cont’d)
[Module#7] Penetration & Stress Testing Content: Penetration testing, server load balancing, DDOS attacks Lab: Plan & conduct a pentest on a web app [Module#8] Securing AJAX Applications Content: client-side sandbox security, Java security policy management, securing AJAX applications Lab: Study the vulnerabilities of a sample AJAX application

13 Project Evaluation: Goals
Document the conditions and practices that support the successful development and implementation of the secure web development teaching modules Examine the extent to which teaching, learning and laboratory materials and the portable laboratory promote positive learning outcomes from students Examine the extent to which faculty and industry collaboration can be affected

14 Project Evaluation: Questions
To what extent are the learning, teaching and laboratory materials developed and adapted? Quantitative: # of courses/students Qualitative: lab observations, faculty interview To what extent do the teaching modules & portable lab improve or enhance students’ learning? Quantitative: standardized assessment & course evaluation Qualitative: students’ project reports & feedback What is the impact of the project on facilitating the collaboration between faculty and industry partners? Quantitative: standardized survey instrument Qualitative: interviews

15 Demo Example 1: web application overview
Ubuntu & Firefox Observe HTTP commands Example 2: Web server vulnerability testing Ubuntu, Firefox, Paros, Badstore.net web site Crawl and Scan Badstore.net for vulnerabilities through a proxy server © Li-Chiou Chen, Pace University

16 Acknowledgement This project is supported by NSF CCLI 0837549.
© Li-Chiou Chen, Pace University

Download ppt "Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University"

Similar presentations

Webgoat.

Webgoat.
Faith Allington Program Manager Microsoft Corporation WSV322.

Faith Allington Program Manager Microsoft Corporation WSV322.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
6/2/2015Page 1 SOA Development and Deployment B. Ramamurthy.

6/2/2015Page 1 SOA Development and Deployment B. Ramamurthy.
CISC 474 Spring 2008 Page 1 2/11/08 Introduction Syllabus Anatomy of a Web Request Questions Some Possible Projects Assignment Photos.

CISC 474 Spring 2008 Page 1 2/11/08 Introduction Syllabus Anatomy of a Web Request Questions Some Possible Projects Assignment Photos.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.

Cloud Computing Lecture #7 Introduction to Ajax Jimmy Lin The iSchool University of Maryland Wednesday, October 15, 2008 This work is licensed under a.
1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.
Information Networking Security and Assurance Lab National Chung Cheng University WebGoat.

Information Networking Security and Assurance Lab National Chung Cheng University WebGoat.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin)

Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin)
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.

E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.
What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:

WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:

Similar presentations

Ads by Google