1 / 26

Integrating Web Application Security into the IT Curriculum

This article explores the importance of teaching web application security and provides guidance on what material to cover and how to teach it. It discusses common vulnerabilities, client-side technologies, input-based attacks, authentication, and more. The article also includes practical labs and tools for assessing and securing web applications. Future directions, such as AJAX security and service-oriented architectures, are also discussed.

jasonf
Download Presentation

Integrating Web Application Security into the IT Curriculum

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University

  2. Topics • Why should we teach web application security? • What material do we need to cover? • How should we cover that material? • Where do we go from here?

  3. Is Web Hacking Really That Easy? “Exploits of a Mom”, XKCD

  4. Vulnerability Growth

  5. Web Vulnerabilities Dominate

  6. Reasons for Attacking Web Apps

  7. Firewalls Don’t Protect Web Apps telnet Firewall ftp Application DatabaseServer WebClient WebServer Application HTTP Traffic Port 80

  8. Browser Malware Bypasses Firewall

  9. Goals • Identify and explain common vulnerabilities. • Explain security implications of client-side technologies like Javascript and ActiveX. • Detect security vulnerabilities in web applications using appropriate tools. • Design and implement web applications that do not contain common vulnerabilities. • Deploy and configure a web application in a secure manner.

  10. Topic Outline • Web Application Input • Client-side Technologies • Input-based Attacks • Injection Attacks • Cross-site Attacks • Authentication • Secure Programming • Operational Security

  11. Web App Security in IT2005 Web Application Security IPT5 Software Security WS5 Web Security IAS11 Vulnerabilities IAS6 Security Domains

  12. Labs • WebGoat exercises on specific vulnerabilities. • Using a testing proxy to solve more advanced WebGoat exercises. • Assessing an application using a web vulnerability scanner. • Assessing a web application using a testing proxy. • Reviewing the code of an application using a static analysis tool. • Deploying a web application firewall. • Participating in the international CTF competition.

  13. WebGoat

  14. Tools Web Proxies Web Application Firewalls Vulnerability Scanners Static Analysis

  15. Web Proxies

  16. Altering Form Parameters

  17. Fuzz Testing Fuzz testing consists of • Sending unexpected input. • Monitoring for exceptions.

  18. Web Application Firewalls What is a WAF? • Web monitoring. • Access control. • Behind SSL endpoint. A/K/A • Deep packet inspection. • Web IDS/IPS. • Web App Proxy/Shield. mod_security • Open source. • Embeds in Apache. • Reverse proxy.

  19. Vulnerability Scanners • Spiders site. • Identifies inputs. • Sends list of malicious inputs to each input. • Monitors responses.

  20. Static Analysis Automated assistance for code auditing Speed: review code faster than humans can Accuracy: hundreds of secure coding rules Tools • Coverity • FindBugs • Fortify • Klocwork • Ounce Labs Results

  21. Labs • WebGoat exercises on specific vulnerabilities. • Using a testing proxy to solve more advanced WebGoat exercises. • Assessing an application using a web vulnerability scanner. • Assessing a web application using a testing proxy. • Reviewing the code of an application using a static analysis tool. • Deploying a web application firewall. • Participating in the international CTF competition.

  22. Approaches • Students evaluate and fix their own code. • Students learn about their own coding mistakes. • Scale of project limited to what students can write. • Students evaluate and fix your code. • Write a web application designed for teaching students. • Students evaluate and fix someone else’s code. • Use a web application designed for teaching. • Analyze an open source web application with known vulnerabilities reported in NVD or other bug db.

  23. Teaching Applications Hacme Bank, Books, Casino, Travel

  24. Future Directions: AJAX Security Asynchronous Javascript and XML • Expanded server side API. • Server API calls can be issued in any order by attacker; cannot assume calls issued in order by your client. • Larger amount of client state. • Client/server communication using data (XML/JSON) rather than presentation (HTML.)

  25. Future Directions: Web Sec Class • Web Application Input • Client-side Technologies • Service Oriented Architectures • AJAX • Input-based Attacks • Injection Attacks • Race Conditions • Cross-site Attacks • Authentication • Secure Programming • Operational Security

  26. Conclusions • Defense is shifting from network to application layer. Firewalls, anti-virus, SSL input validation, WAF • Students need to learn to identify vulnerabilities. • Static analysis of source code. • Web proxies and scanners for testing. • Students need to learn to remediate vulnerabiliites. • Web application firewalls for immediate short-term fixes. • Repairing source code for long term fixes.

More Related