Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP at Universities: From a lecture to an MSc
Konstantinos Papapanagiotou, Vasileios Vlachos
OWASP Greek Chapter, 5/1/2011

The Greek Academic OWASP landscape

The Greek Academic AppSec landscape
- University of Athens: AppSec lectures based on OWASP material in the undergraduate and postgraduate InfoSec modules; various student projects using OWASP material; collaboration with the FOSS community
- Technological Institute of Larissa: extensive use of OWASP material in the undergraduate InfoSec module
- University of Piraeus: AppSec module based on OWASP material
- University of the Peloponnese: thesis projects using OWASP material

OWASP in Greek Universities
- 2-3 hour lectures: undergraduate InfoSec module, postgraduate InfoSec module, seminar
- AppSec course module: University of Piraeus postgraduate programme
- Projects for course modules: mostly practical (e.g. use of WebGoat/WebScarab); translation projects (e.g. OWASP Top 10)
- BSc/MSc thesis projects: comparison of testing frameworks (Testing Guide, OSSTMM, etc.); web application scanner; translation projects

Single Lecture
- Usually 2-3 hours
- Focus mainly on the OWASP Top 10
- Either a live demo using WebGoat or the use of screenshots
- Focus on Injection and XSS
- Introduction to SAMM

Entire Module: The UniPi Experience
- Information Security MSc
- The first (and only?) AppSec module in Greece
- "Full" AppSec course: 6 x 3-hour lectures
- No exams (at least for this year)
- No projects (yet)
- Practical "lab" assignments
- Decision to focus mostly on Web AppSec, using material from OWASP

AppSec Module Curriculum
1. Secure Development Lifecycle (based on OpenSAMM and MS SDL)
2. Web Application Security and Risks (based on the OWASP Top 10)
3. Web Application Vulnerabilities (demo and lab, based on OWASP WebGoat)
4. Web Application Vulnerabilities (lab based on "Hackademic" challenges)
5. Countermeasures: introduction to Threat Modeling and secure development best practices
6. Malware and other topics

Challenges
"Introducing the attacker's perspective in Academia" by Andreas Venieris, Vasileios Vlachos, Anastasis Stasinopoulos, Alexandros Papanikolaou and Konstantinos Papapanagiotou

Hackademic Challenges
- Relatively simple challenges, mainly web exploits involving JavaScript, PHP, web server misconfigurations, etc.
- They aim to convey the general idea behind certain network security issues rather than a detailed set-up.
- Several real-world network attacks rely on exploiting exactly such concepts (usually misconfigurations).
- Some may seem simple and "old-fashioned" (e.g. XSS), but websites vulnerable to them exist to this day.
- A variety of topics is covered rather than going too deep into any one of them.
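The single lecture above focuses on Injection and XSS, and the Hackademic labs use small PHP/JavaScript web flaws of the same kind. The following is an added example, not code from the presentation or from the Hackademic project, showing the two flaws the way a lab hand-out would: a deliberately vulnerable handler beside its hardened form. The users table, the handler names and the sample inputs are all constructed here; it runs offline with the Python standard library.

```python
"""Injection and reflected XSS, each as a vulnerable handler next to a
hardened one. Added example: the table, handler names and inputs are
constructed for illustration and are not taken from the Hackademic challenges."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder")],
    )
    return conn


# --- Injection: a login lookup ------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so a quote in the password rewrites the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# --- XSS: a reflected greeting ------------------------------------------------

def greet_vulnerable(name: str) -> str:
    """Deliberately vulnerable: untrusted input is placed raw into the HTML body."""
    return "<p>Hello, %s!</p>" % name


def greet_hardened(name: str) -> str:
    """Escape for the HTML-body context before reflecting the input."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = build_db()
    bypass = "' OR '1'='1"          # classic authentication-bypass payload
    print(login_vulnerable(conn, "x", bypass))   # every user: bypass succeeds
    print(login_hardened(conn, "x", bypass))     # []: payload treated as a literal
    payload = "<script>alert(1)</script>"
    print(greet_vulnerable(payload))             # script tag reaches the browser
    print(greet_hardened(payload))               # &lt;script&gt;... rendered as text
```

With the bypass payload the vulnerable login's WHERE clause becomes `username = 'x' AND password = '' OR '1'='1'`, which is true for every row, while the bound parameter in the hardened version is compared as an ordinary string. The same contrast holds for the greeting: escaping is specific to the HTML-body context, so output placed into an attribute, a URL or a script block needs the encoding for that context instead.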

Hackademic Challenges
- A course that is too narrowly focused may not show how to "think like an attacker".
- Several students, after completing the assigned challenges, went on to attempt the next ones, some from home: they liked it!
- In introductory undergraduate courses time is limited, and students must get an idea of the wider area.
- More "network-deep" challenges in most cases require a dedicated network: special configuration is needed, and no vulnerabilities or sensitive data must be exposed.

Hackademic Challenges
- No preceding introductory course on cryptography and/or network security exists (at least not at the TEI of Larissa).
- When students work in large teams or groups, the most knowledgeable member will most probably do most of the work and "deprive" the rest of the team of this experience.
- Set-up issues across many different laboratories are avoided.
- "Hackademic Challenges" is a "treasure hunt" type of game.


Pros and Cons
Pros:
- Practical demos always catch students' attention
- Students get hands-on AppSec experience
- The theoretical background is also provided
Cons:
- Prerequisite knowledge of various CS topics
- Such modules and lectures are usually given to final-year students
- Usually an optional module: many students cannot follow it, as broad CS knowledge is required (programming and SDL, systems analysis, InfoSec, etc.)
- Practical exams = "difficult" exams

Challenges
- Students: different levels of knowledge, interests and expertise
- Professors: "experts"; often don't like [non-university] people messing with their curriculum and agenda
- Universities: limited budget; hard to change the curriculum; prefer a theoretical, time-resistant approach
- Different countries and cultures

To Do
- Define the target audience: undergraduate vs postgraduate vs [optional] seminar; InfoSec vs CS/development
- Specify the teaching material: it should be country- and context-independent
  - Baseline for a curriculum (minimum or indicative)
  - Presentations (we already have plenty of those; they need translation)
  - Reference material and books
  - Localization (translations)
  - Demos, workshops, labs

To Do (Greece)
- Establish OWASP-based courses in: University of Piraeus; University of Athens; Technological Educational Institute of Larissa
- Approach other universities: Athens University of Economics and Business; National Technical University; University of the Peloponnese; University of Central Greece; Athens Information Technology University (private)
- We offer: a seminar lecture for free; free material and assistance for tutors; assistance in supervising thesis projects

Useful OWASP Projects
- Top 10
- WebGoat
- WebScarab
- OpenSAMM / CLASP
- Secure Coding Practices - Quick Reference Guide
- Live CD
- Broken Web Applications
- Application Security Skills Assessment
- Live CD Education
- OWASP Education
- College Chapters Program

Why not? An AppSec MSc
- 8-10 modules focused on AppSec, plus a thesis:
  - Application Risk Management
  - SDLC
  - Threat Modeling
  - Threats and Vulnerabilities
  - Secure Coding Practices
  - Testing and Verifying
  - ...

Thank You