Integrating web application security into the IT curriculum

  • Authors:
  • James Walden

  • Affiliations:
  • Northern Kentucky University, Highland Heights, KY, USA

  • Venue:
  • SIGITE '08 Proceedings of the 9th ACM SIGITE conference on Information technology education
  • Year:
  • 2008

Abstract

Attackers are increasingly targeting web applications. Buffer overflows had been the most common vulnerability type since CERT began collecting statistics, but web application vulnerabilities like cross-site scripting have dominated vulnerability reports since 2005. Despite billions of dollars spent on network security, the amount lost to computer crime, much of it the result of the insecurity of web applications, grows every year. In part, this problem results from the fact that perimeter security techniques like firewalls do little to protect web applications, because the attack arrives over the same HTTP port the firewall must leave open. In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Both information security and web programming classes need to cover this topic. This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Some techniques, such as penetration testing using web proxies, are applicable to both types of classes. Other techniques, such as secure programming guidelines, are primarily useful in web programming classes, while some tools, like web application firewalls, are more important in information security classes. We use the open source web application security teaching tool WebGoat for introductory labs that teach the students about the nature of specific vulnerabilities like SQL injection. These labs also introduce students to web testing proxies, such as Burp Suite, which they use more deeply in later labs that focus on penetration testing of a complete web application. Students in security classes also learn how to use web vulnerability scanners and web application firewalls, while web programming classes focus on learning how to write code without common vulnerabilities.
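The abstract names SQL injection as the vulnerability the introductory WebGoat labs teach and "writing code without common vulnerabilities" as the goal of the programming classes. The following is an added example from the editor, not code from the paper or from WebGoat (which is written in Java): a login check built by string concatenation beside the same check with bound parameters, run against a constructed in-memory SQLite table so it executes offline. The table, user names, passwords and payloads are all made up for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample backend: a two-row users table standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed test data
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the request parameters are spliced into the SQL text,
    so quotes, comment markers and boolean operators in the input are parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the driver binds the values,
    so the same payloads are compared as literal strings and match nothing."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def demo():
    """Runs two classic lab payloads through both versions and returns the outcomes."""
    conn = make_db()
    # Payload 1: close the username string and comment out the password check.
    comment_out = ("alice' --", "wrong")
    # Payload 2: a tautology in the password field; AND binds tighter than OR,
    # so the WHERE clause becomes (... AND ...) OR '1'='1' and every row matches.
    tautology = ("x", "' OR '1'='1")
    return {
        "vulnerable_comment": login_vulnerable(conn, *comment_out),   # ['alice']
        "vulnerable_tautology": login_vulnerable(conn, *tautology),   # ['alice', 'bob']
        "safe_comment": login_parameterized(conn, *comment_out),      # []
        "safe_tautology": login_parameterized(conn, *tautology),      # []
        "safe_real_login": login_parameterized(conn, "bob", "hunter2"),  # ['bob']
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a lab, students can replay the same two payloads through an intercepting proxy such as Burp Suite against a running application and observe the identical effect; the fix in the programming class is the second function, not input filtering, since bound parameters remove the parsing step the attack relies on. Note that Python's sqlite3 driver refuses to execute more than one statement per call, so stacked-query payloads (`'; DROP TABLE users; --`) raise an error here rather than succeeding, which is a property of this driver and not a general defence.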