Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP OWASP at Universities: From a lecture to an MSc Konstantinos Papapanagiotou Vasileios Vlachos OWASP Greek Chapter 5/1/2011

OWASP The Greek Academic OWASP landscape 2

OWASP The Greek Academic AppSec landscape  University of Athens  AppSec lectures based on OWASP material in Undergrad and Postgrad Infosec modules  Various student projects using OWASP material  Collaboration with FOSS community  Technological Institute of Larissa  Extensive use of OWASP material in Undergrad Infosec module  University of Piraeus  AppSec module based on OWASP material  University of the Peloponnese  Thesis projects using OWASP material 3

OWASP 4 OWASP in Greek Universities  2-3hour lectures  Undergrad InfoSec module  PostGrad InfoSec module  Seminar  AppSec course module  University of Piraeus postgrad  Projects for course modules  Mostly practical: e.g. use of WebGoat/WebScarab  Translation Projects (e.g. OWASP Top10)  BSc/MSc Thesis Projects  Comparison of Testing Frameworks (Testing Guide, OSSTMM, etc.)  Web Application Scanner  Translation Projects

OWASP Single Lecture  Usually 2-3 hours  Focus mainly on OWASP Top10  Either demo using WebGoat or use of screenshots  Focus on Injection and XSS  Intro to SAMM 5

OWASP Entire Module: The UniPi Experience  Information Security MSc  The first (and only?) AppSec module in Greece  “Full” AppSec course  6 x 3-hour lectures  No exams (at least for this year)  No projects (yet)  Practical “lab” assignments  Decision to focus mostly on Web AppSec – use material from OWASP 6

OWASP AppSec Module Curriculum  Curriculum 1.Secure Development Lifecycle (based on OpenSAMM and MS SDL) 2.Web Application Security and Risks (based on OWASP Top 10) 3.Web Application Vulnerabilities (demo and lab – based on OWASP WebGoat) 4.Web Application Vulnerabilities (lab based on “hackademic” challenges) 5.Countermeasures – Intro to Threat Modeling and Secure Development best practices 6.Malware and other topics 7

OWASP Challenges 8 Introducing the attacker’s perspective in Academia by Andreas Venieris, Vasileios Vlachos, Anastasis Stasinopoulos, Alexandros Papanikolaou and Konstantinos Papapanagiotou

OWASP Hackademic Challenges  Relatively simple challenges, mainly web exploits that involve JavaScript, PHP, web server misconfigurations, etc.  Attempt to address the general idea behind certain network security issues, rather than providing a detailed set-up.  Several real-world network attacks rely on the exploitation of such concepts (usually misconfigurations).  Some may seem simple and ‘old-fashioned’ (e.g. XSS) but websites vulnerable to them exist to date!  Variety of topics covered, rather than go too deep into one of them. 9

OWASP Hackademic Challenges  A too focused course may not show how to ‘think like an attacker’.  Several students, upon completion of the given challenges, they attempted the next ones. Some did it from home ⇒ They liked it!  For introductory, undergraduate courses, there is limited time and students must get an idea of the wider area.  More ‘network-deep’ challenges in most cases require a dedicated network  need special configuration, must not expose any vulnerabilities/sensitive data. 10

OWASP Hackademic Challenges  No preceding introductory course to cryptography and/or network security exists (at least, not in TEI of Larissa).  When students work in large teams/groups, the most knowledgeable will most probably do the most work, and ‘deprive’ the rest of the team this experience.  Avoid set-up issues in many different laboratories  “Hackademic Challenges” is a ‘treasure hunt’ type of game. 11

OWASP Hackademic Challenges  

OWASP Pros and Cons  Pros:  Practical demos always catch students’ attention  Students have a hands-on AppSec experience  Theoretical background is also provided  Cons:  Prerequisite knowledge of various CS topics  Usually such modules-lectures are given to last year students  Usually an optional module: many students cannot follow as vast knowledge of CS is required: programming+SDL, systems analysis, infosec, etc.  Practical exams = “difficult” exams 13

OWASP Challenges  Students  different levels of knowledge-interests-expertise  Professors  “experts”  Often don’t like [non-university] people messing with their curriculum-agenda  Universities  Limited budget  Hard to change curriculum  Prefer theoretic-time resistant approach  Different Countries - Cultures 14

OWASP To Do  Define Target audience  Undergrad vs Postgrad vs [Optional] Seminar  InfoSec vs CS – Development  Specify Teaching material  Should be country-context independent  Baseline for curriculum (minimum or indicative)  Presentations (already have plenty of those – need translation)  Reference material-books  Localization (translations)  Demo-workshops-labs 15

OWASP To Do (Greece)  Establish OWASP-based courses in:  University of Piraeus  University of Athens  Technological Educational Institute of Larissa  Approach other universities:  Athens University of Economics and Business  National Technical University  University of the Peloponnese  University of Central Greece  Athens Information Technology University (private)  We Offer…  Seminar lecture for free  Free material-assistance for tutors  Assist in Thesis Projects supervision 16

OWASP Useful OWASP Projects  Top10  WebGoat  WebScarab  OpenSAMM / CLASP  Secure Coding Practices - Quick Reference Guide  Live CD  Broken Web Applications  Application Security Skills Assessment  Live CD Education  OWASP Education  College Chapters Program 17

OWASP Why not?  An AppSec MSc  8-10 modules focused on AppSec + Thesis  Application Risk Management  SDLC  Threat Modeling  Threats and Vulnerabilities  Secure Coding Practices  Testing and Verifying  … 18

OWASP Thank You 19