Prototype for Course on Web Security ETEC 550

Course Context
- Huge topic covering both system/network architecture and programming techniques.
- Identified lack of courses being taught at the post-secondary level.
- IEEE recommends that security be a major component of undergraduate computer science.

Problem Statement
- Students have little knowledge of emerging online threats and do not know the correct procedures to secure applications from outside intrusion.
- Students should know common attack techniques and how to prevent them, and should be aware of the tools used to counter online threats.
- Potential areas for instruction: web servers, SQL servers, programming languages, network management.

Diverse Environments
- To teach the topic effectively across many different operating systems we need a mechanism to give students administrative access on different hardware.
- Set up a virtual teaching lab with resources hosted in the cloud. Microsoft Azure promotes its services to educational organizations.

Virtual Labs
- Virtual computers can be set up with different operating systems (Windows, Linux, OS X, etc.) and different software stacks (LAMP, WISA, etc.).
- Administrative access, isolated from the internet. Isolation matters here: the lab machines run deliberately vulnerable software and students hold administrative rights, so they must not be reachable from, or able to reach, outside networks.
- Pre-configured for the course.
- Connect from a thin client.

Needs Assessment
- Determine whether students have a very basic awareness of software security.
- Set up a virtual environment that has a security vulnerability. In particular, the prototype describes code injection.
- A lesson was presented to students using a combination of a pre-recorded video and a pre-configured virtual lab.
- After the flaw was presented to a sample of students, all reported being aware of the security threat prior to participating in the prototype lesson.
- Secondary learning occurred when students observed the ability of SQL Server to further infiltrate a system.

Prototype: Choose a Common Problem
- Learning Problem: Students are unaware of code injection techniques.
- Learning Goal: Students will understand that certain coding techniques create code injection vulnerabilities. In particular they will develop an appreciation for SQL injection given the system-level capabilities of database servers.
- Learning Objective: Students will learn to use parameterized queries (bound inputs) instead of building SQL from user-supplied strings.

Virtual Lab - Instructional Intervention
- Created a virtual machine containing Microsoft Windows Server 2012 (operating system), IIS (web server) and SQL Server.
- Created a sample website for rating movies. It contains a SQL injection vulnerability.
- The lesson involves using injection scripts to discover user passwords even when the stored passwords are encrypted.
- Lesson presented to students in a recorded video hosted online.

Injection Scripts
- The first injection script queries the database to find a password and writes it to the screen.
- The student discovers the password is encrypted. The second injection script uses SQL Server to read the contents of the file containing the encryption keys.
- Finally the student uses the encryption keys to decrypt the password.
- The chain works because the sample site stores passwords reversibly encrypted with a key kept on the same host, where the database server can read it. In a production design passwords are stored as salted hashes rather than encrypted, and the database service runs under an account that cannot read application secrets; the injection flaw and the storage design are two separate defects.

Prototype Format
- Freeform video created in 4 steps, hosted on Google Drive.
- Step 1: introduces the student to the virtual environment (Microsoft Azure).
- Step 2: shows the student how to log in and the locations of resources (sample project, injection scripts, etc.).
- Step 3: actual lesson; shows how to perform the injection attacks.
- Step 4: conclusion; shows how to prevent the injection attack.
- Video can be found here: 9jbTU1Rms/view
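The two halves of the lesson (Step 3, an injection that pulls stored passwords out through the site's search box, and Step 4, the parameterized fix) as an added worked example. This is not code from the prototype or from the movie-rating site; the slides describe only the stack (IIS, SQL Server) and the outcome. It assumes a made-up schema (a movies table and a users table), made-up rows, placeholder strings standing in for the encrypted password values, and Python's sqlite3 module as a stand-in for SQL Server so that it runs offline. The string-concatenation flaw and the bound-parameter fix are the same on the prototype's .NET stack, where the query text holds an @term placeholder and the value goes in through SqlCommand.Parameters.

```python
import sqlite3

# Constructed sample data (not from the prototype): a movie-rating site whose
# users table holds reversibly encrypted passwords, represented here by
# placeholder strings.
MOVIES = [("Hackers", 3), ("Sneakers", 5), ("WarGames", 4)]
USERS = [("alice", "encrypted-blob-1"), ("bob", "encrypted-blob-2")]


def build_db():
    """Create an in-memory database standing in for the lab's SQL Server instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO movies (title, rating) VALUES (?, ?)", MOVIES)
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    """Search handler with the injection flaw: the user's text is spliced into
    the SQL string, so a quote in it ends the literal and starts new SQL."""
    sql = "SELECT title, rating FROM movies WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """The fix taught in Step 4: the SQL text is fixed and the term travels as a
    bound parameter, so it can only ever be compared as a LIKE pattern."""
    sql = "SELECT title, rating FROM movies WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# The shape of payload an injection script uses against a search box: it closes
# the LIKE literal, appends a SELECT with the same column count drawn from the
# users table, and comments out the "%'" that the template appends afterwards.
# "--" is a line comment in both SQLite and T-SQL.
UNION_PAYLOAD = "zzz%' UNION SELECT username, password FROM users -- "


def demo():
    """Run both handlers against the payload and a legitimate search."""
    conn = build_db()
    leaked = search_vulnerable(conn, UNION_PAYLOAD)      # usernames and password blobs
    blocked = search_parameterized(conn, UNION_PAYLOAD)  # empty: payload is just a pattern
    normal = search_parameterized(conn, "ers")           # legitimate use still works
    return sorted(leaked), blocked, sorted(normal)


if __name__ == "__main__":
    leaked, blocked, normal = demo()
    print("vulnerable search leaked:", leaked)
    print("parameterized search returned:", blocked)
    print("parameterized search for 'ers':", normal)
```

Note what the fix does and does not cover: the bound parameter stops the first injection script, but the password blobs it would have leaked are still reversibly encrypted with a key on the same host, so the storage design remains a separate defect to fix.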

Sample Lesson
- 3 students were recruited: two fourth-year undergraduates and one second-year.
- Students were asked to watch the video, log in to the virtual computer and follow along with the instruction in the video.
- Following instruction they were presented with a questionnaire to evaluate their experience.

Lessons Learned from Sample
- Students were very excited about using pre-configured virtual environments. This setup allows them to concentrate on instruction rather than system setup.
- All students reported being familiar with code injection prior to participating in the lesson.
- Secondary learning occurred in the use of SQL Server as a means to discover encryption keys located in the file system.

Future Corrections to Prototype
- All students were able to complete the lesson without significant problems.
- The first lesson was designed to be somewhat easy. A future prototype could be designed to be more challenging; for example, injection scripts could be withheld until students attempt an exercise on their own.
- All students reported that web security is a topic that is under-represented in post-secondary education.

Future Direction for Course
- From the sample responses it appears that students may also benefit from instruction in SQL. For example, SQL performance tuning can be very subtle and is not taught in schools.
- The course may benefit from becoming a 'topics' course where a variety of problems are tackled from different perspectives such as performance, security, scalability, or a combination.

Conclusion
- Hosting computer science course material in cloud-based services has many advantages: reuse of content, ease of use, less expensive than supplying hardware, easy to customize, hosts a variety of platforms.
- Web security is under-represented in post-secondary education. Industry demands security skills. Students are eager to learn more and don't feel they are properly exposed to the subject.