Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack.

Published byJulian Clark Modified over 9 years ago

Similar presentations

Presentation on theme: " Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack."— Presentation transcript:

1  Prototype for Course on Web Security ETEC 550

2  Huge topic covering both system/network architecture and programming techniques.  Identified lack of courses being taught at post- secondary level.  IEEE recommends that security be a major component of undergrad computer science. Course Context

3 Problem Statement  Students have little knowledge of emerging online threats and do not know the correct procedures to secure applications from outside intrusion.  Students should know common attack techniques and how to prevent them. Students should be aware of tools used to counter online threats.  Potential areas for instruction: Web Servers, SQL Servers, Programming Languages, Network Management.

4 Diverse Environments  To effectively teach topic across many different operating systems we need a mechanism to give administrative access to students on different hardware.  Setup virtual teaching lab with resources hosted in cloud. Microsoft Azure promotes their services to educational organizations.

5 Virtual Labs  Virtual computers can be setup with different operating systems (Windows, Linux, OSX, etc.) and different software stacks (LAMP, WISA, etc.)  Administrative access, isolated from internet  Pre-configured for course  Connect from thin client

6 Needs Assessment  Determine whether students have a very basic awareness of software security.  Setup virtual environment that has a security vulnerability. In particular prototype describes code injection.  A lesson was presented to students using a combination of a pre-recorded video and a pre-configured virtual lab.  After presenting the flaw to a sample of students, all report being aware of the security threat prior to participating in the prototype lesson.  Secondary learning occurred when students observed the ability of SQL to further infiltrate a system.

7 Prototype Choose Common Problem  Learning Problem: Students are unaware of code injection techniques.  Learning Goal: Students will understand that certain coding techniques create code injection vulnerabilities. In particular they will develop an appreciation for SQL injection given the system level capabilities of database servers.  Learning Objective: Students will learn to use parameterized inputs.

8 Virtual Lab - Instructional Intervention  Created virtual machine containing Microsoft Windows Server 2012 (Operating System), IIS (Web Server), SQL Server.  Created sample website for rating movies. Contains SQL injection vulnerability.  Lesson involves using injections scripts to discover user passwords even when user passwords are encrypted.  Lesson presented to students in recorded video hosted online.

9 Injection Scripts  First injection script queries database to find password, writes password on screen.  Student discovers password is encrypted. Second injection script uses SQL server to read contents of file containing encryption keys.  Finally student uses encryption keys to decrypt password.

10 Prototype Format  Freeform video created in 4 steps, hosted on Google drive  Step 1 – Introduces student to virtual environment (Microsoft Azure)  Step 2 – Shows student how to login, shows locations of resources (sample project, injection scripts etc.)  Step 3- Actual lesson: shows how to perform injection attacks  Step 4- Conclusion: shows how to prevent injection attack  Video can be found here: https://drive.google.com/file/d/0B8MUj8MabjjxRlNJLW 9jbTU1Rms/view

11 Sample Lesson  3 students were recruited, 2 fourth year undergrads and one second year.  Students were asked to watch video, login into virtual computer and follow along with instruction in video.  Following instruction they were presented with a questionnaire to evaluate their experience.

12 Lessons Learned from Sample  Students were very excited about using pre- configured virtual environments. This setup allows them to concentrate more on instruction rather than system setup.  All students report being familiar with code injection prior to participating in lesson.  Secondary learning occurred in the use of SQL Server as a means to discover encryption keys located in the file system.

13 Future Corrections to Prototype  All students were able to complete the lesson without significant problems.  First lesson was designed to be somewhat easy. A future prototype could be designed to be more challenging. For example, injection scripts could be with-held until students attempt an exercise.  All students report that web security is a topic that is under-represented in post secondary education.

14 Future Direction for Course  From the sample responses it appears that students may also benefit from instruction in SQL. For example SQL performance tuning can be very subtle and is not taught in schools.  The course may benefit from becoming a ‘topics’ course where a variety of problems are tackled from different perspectives such as performance, security, scalability or a combination.

15 Conclusion  Hosting computer science course material in cloud based services has many advantages: reuse of content, ease of use, less expensive than supplying hardware, easy to customize, host variety of platforms.  Web security is under represented in post secondary education. Industry demands security skills. Students eager to learn more and don’t feel they are properly exposed.

Download ppt " Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack."

Similar presentations

Configuration management

Configuration management
Suggested Course Outline Cloud Computing Bahga & Madisetti, © 2014Book website: www.cloudcomputingbook.info.

Suggested Course Outline Cloud Computing Bahga & Madisetti, © 2014Book website:
International Academy Design and Technology Technology Classes.

International Academy Design and Technology Technology Classes.
Understand Database Security Concepts

Understand Database Security Concepts
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.

Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.
Promoting Learning Styles Through ICT By Miss T.Magi (E-learning Specialist: Butterworth)

Promoting Learning Styles Through ICT By Miss T.Magi (E-learning Specialist: Butterworth)
Section 01Resources1 HSQ - DATABASES & SQL 01 Resources And Franchise Colleges Name :MANSHA NAWAZ room :G 0/32

Section 01Resources1 HSQ - DATABASES & SQL 01 Resources And Franchise Colleges Name :MANSHA NAWAZ room :G 0/32
Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.

Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.
Introducing Enterprise Technologies David Dischiave Syracuse University School of Information Studies “The original iSchool” June 3, 2013 Information School,

Introducing Enterprise Technologies David Dischiave Syracuse University School of Information Studies “The original iSchool” June 3, 2013 Information School,
By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.

By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.
Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over the Internet. Cloud is the metaphor for.
Instructional Plan Template | Slide 1 AET/515 Instructional Plan Advanced Enterprise Java Platform Class and Lab Mark K. Reha.

Instructional Plan Template | Slide 1 AET/515 Instructional Plan Advanced Enterprise Java Platform Class and Lab Mark K. Reha.
HTML5 Application Development Fundamentals

HTML5 Application Development Fundamentals

Similar presentations

Ads by Google