Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University


Improving Web Security Education with Virtual Labs and Shared Course Modules
Lixin Tao, Li-Chiou Chen & Chienting Lin, Pace University
Seidenberg School Research Day, 05/07/2010

Outline
Motivation
Virtualization
SWEET – Secure Web Application Development
SWEET teaching modules
Examples: HTTP & HTML introduction; web vulnerabilities
© Li-Chiou Chen, Pace University

Motivation
Lack of undergraduate web security teaching modules
Current web vulnerabilities and secure programming literature were designed for practitioners
Aimed to design a new teaching tool called SWEET (Secure WEb dEvelopment Teaching)
For the undergraduate security curriculum
Software stack packaged in a VMware virtual appliance
Installed in portable laboratories using laptops

What is virtualization?
The virtualization of a computer means running emulator software on a computer (the host or physical computer) to emulate another desired computer (the virtual computer).
Emulator software: VMware Player or Microsoft Virtual PC

Types of virtualization technologies
Server-side virtualization: running the virtual computers on a remote server computer
Client-side virtualization: running the virtual computers on users' own computers
We use client-side virtualization in our project

SWEET Project
Pace University, Pleasantville & New York City, NY
Designated as a Center of Academic Excellence in Information Assurance Education (CAEIAE) by the DOD and DHS (since 2004)
DOD-supported security labs
Graduate IA track in the MS/IT and MS/IS programs
Undergraduate IA minor in conjunction with Criminal Justice
CUNY City College of Technology
OWASP (Open Web Application Security Project) NY/NJ Chapter serving as industry advisor
Project web site: http://csis.pace.edu/~lchen/sweet

SWEET Architecture
Application layer: Paros, WebGoat, WebScarab
Virtual machine layer: Windows and Fedora Linux VMs
Operating systems layer: Windows & Linux

Applications in the SWEET Virtual Appliance
Web and application servers: IIS, Apache, GlassFish
Web proxies: Paros, WebScarab
Web security testing: WebGoat, .Net Security Toolkits
Programming/scripting languages: Java, C#, C/C++, VB.Net, Perl, Ruby, PHP
Programming IDEs: JDK, Eclipse, NetBeans, Visual Studio
Tutorials and documentation: MSDN library, Java EE service and XML tutorials, and laboratory exercises

SWEET Teaching Modules
[Module#1] Web Development Overview
Content: HTML & HTTP, URL rewrite, session management with cookies, server session objects
Lab: web server setup, web proxy experiment
[Module#2] Service-Oriented Architecture
Content: Web Services, XML, WSDL, SOAP
Lab: Configure & secure a web service application

SWEET Teaching Modules (cont'd)
[Module#3] Secure Web Communications
Content: SSL, PKI/X.509, Online Certificate Status Protocol (OCSP)
Lab: Configure SSL on a web server to create & sign a server certificate
[Module#4] Secure Analysis & Design
Content: Secure SDLC, CLASP, abuse cases, risk analysis, Secure UML
Lab: Design a secure requirement plan & conduct a risk analysis

SWEET Teaching Modules (cont'd)
[Module#5] Secure Implementation
Content: SQL injection, buffer overflow, poor authentication; code review, risk-based testing
Lab: Hands-on testing on a vulnerable server
[Module#6] Secure Deployment
Content: cross-site scripting (XSS) and e-shoplifting; architectural risk analysis: attack resistance, ambiguity and weakness analyses
Lab: Hands-on testing on a vulnerable server

SWEET Teaching Modules (cont'd)
[Module#7] Penetration & Stress Testing
Content: Penetration testing, server load balancing, DDoS attacks
Lab: Plan & conduct a pentest on a web app
[Module#8] Securing AJAX Applications
Content: client-side sandbox security, Java security policy management, securing AJAX applications
Lab: Study the vulnerabilities of a sample AJAX application

Project Evaluation: Goals
Document the conditions and practices that support the successful development and implementation of the secure web development teaching modules
Examine the extent to which the teaching, learning and laboratory materials and the portable laboratory promote positive learning outcomes for students
Examine the extent to which faculty and industry collaboration can be affected

Project Evaluation: Questions
To what extent are the learning, teaching and laboratory materials developed and adapted?
Quantitative: # of courses/students
Qualitative: lab observations, faculty interviews
To what extent do the teaching modules & portable lab improve or enhance students' learning?
Quantitative: standardized assessment & course evaluation
Qualitative: students' project reports & feedback
What is the impact of the project on facilitating the collaboration between faculty and industry partners?
Quantitative: standardized survey instrument
Qualitative: interviews

Demo
Example 1: web application overview
Ubuntu & Firefox
Observe HTTP commands
Example 2: web server vulnerability testing
Ubuntu, Firefox, Paros, Badstore.net web site
Crawl and scan Badstore.net for vulnerabilities through a proxy server
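Demo Example 1 has students watch the raw HTTP commands going between Firefox and the web server, and Module 1 covers session management with cookies. The following script is an added illustration, not part of the original presentation or of the SWEET appliance: it parses a constructed request/response pair of the kind a proxy such as Paros displays, and reports which session cookies lack the Secure and HttpOnly attributes, which is what a student would look for once the exchange is visible. The host name, cookie names and header values are constructed sample data.

```python
"""Parse a captured HTTP request/response pair and audit the cookies it sets.

Added example for the SWEET demo (not the project's own code). The exchange
below is constructed sample data, not traffic from any real site.
"""
from typing import Dict, List, Tuple

# Constructed request as Firefox would send it (shown by a proxy like Paros).
SAMPLE_REQUEST = (
    "GET /login?user=alice HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Firefox\r\n"
    "Cookie: lang=en\r\n"
    "\r\n"
)

# Constructed response: one session cookie without protective flags, one with.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_message(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split an HTTP message into start line, (name, value) headers and body.

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return start_line, headers, body


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Parse one Set-Cookie value into its name/value and attribute map.

    Flag attributes without a value (Secure, HttpOnly) are stored as "true".
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {"name": name, "value": val}
    for attr in parts[1:]:
        key, _, attr_val = attr.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if attr_val else "true"
    return attrs


def audit_cookies(response: str) -> Dict[str, List[str]]:
    """Return, for each cookie the response sets, the protective attributes it lacks.

    Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it away from
    page scripts (the XSS topic of Module 6).
    """
    _, headers, _ = parse_message(response)
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = [a for a in ("secure", "httponly") if a not in cookie]
        findings[cookie["name"]] = missing
    return findings


def summarize_request(request: str) -> Dict[str, str]:
    """Extract the method, target, version and Host header a student observes."""
    start_line, headers, _ = parse_message(request)
    method, target, version = start_line.split(" ")
    host = dict(headers).get("host", "")
    return {"method": method, "target": target, "version": version, "host": host}


if __name__ == "__main__":
    print("Request:", summarize_request(SAMPLE_REQUEST))
    for cookie_name, missing in audit_cookies(SAMPLE_RESPONSE).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"Set-Cookie {cookie_name}: {status}")
```

Running the script reports that JSESSIONID is set without Secure or HttpOnly while pref has both, which is the kind of finding the Module 1 proxy experiment is meant to make visible.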

Acknowledgement
This project is supported by NSF CCLI 0837549.