OWASP Hackademic: a practical environment for teaching application security - Konstantinos Papapanagiotou
Teachers of application security in higher education institutions and universities face some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, established stereotypes present potential intruders as ingenious and able to penetrate almost any system.
The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and the "OWASP University Challenge". In addition, we have received contributions to the project from several researchers, including the New Jersey Institute of Technology.
The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by giving them realistic, hands-on experience with some real-world vulnerabilities.
In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and, more importantly, security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features, mainly for teachers and administrators. Moreover, as the project is still under development, we expect a number of new features to be ready by the conference dates. For example, we are expanding the use cases of Hackademic so that it can be used in a corporate environment to train, assess or raise awareness among employees.
Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system that takes into account various parameters in order to reflect how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try, which makes it much more difficult for students to cheat.
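To make the two ideas in this paragraph concrete, here is an added example (not Hackademic's own code; the abstract does not publish its formula). It contrasts a binary CTF score with a graded score that penalises failed attempts, hints and time beyond an expected duration, and it derives a per-student expected answer with an HMAC keyed by a server-side secret, so that each student's correct submission differs and copying a classmate's answer fails. The weights, field names and the HMAC-based derivation are all assumptions chosen for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed weights for the graded score (assumption, not the project's formula).
MAX_POINTS = 100
ATTEMPT_PENALTY = 5        # points lost per failed submission
HINT_PENALTY = 10          # points lost per hint requested
TIME_PENALTY_PER_MIN = 1   # points lost per minute beyond the expected time
MIN_POINTS_IF_SOLVED = 20  # a solved challenge always earns at least this much


@dataclass(frozen=True)
class Attempt:
    """What the grading back end would record about one student's work on one challenge."""
    solved: bool
    failed_attempts: int
    hints_used: int
    minutes_spent: float
    expected_minutes: float


def binary_score(a: Attempt) -> int:
    """Classic CTF scoring: full marks or nothing."""
    return MAX_POINTS if a.solved else 0


def graded_score(a: Attempt) -> int:
    """Non-binary scoring: how hard the student found it and how long it took lower the mark."""
    if not a.solved:
        return 0
    penalty = ATTEMPT_PENALTY * a.failed_attempts + HINT_PENALTY * a.hints_used
    overtime = max(0.0, a.minutes_spent - a.expected_minutes)
    penalty += int(TIME_PENALTY_PER_MIN * overtime)
    return max(MIN_POINTS_IF_SOLVED, MAX_POINTS - penalty)


def student_answer(secret: bytes, challenge_id: str, student_id: str, nbytes: int = 8) -> str:
    """Per-student expected answer, derived deterministically from a server-side secret.

    The server can recompute it at any time without storing a table of answers, while a
    student cannot compute another student's value without the secret.
    """
    msg = f"{challenge_id}:{student_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[: 2 * nbytes]


def check_submission(secret: bytes, challenge_id: str, student_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted answer against the student's own expected value."""
    expected = student_answer(secret, challenge_id, student_id)
    return hmac.compare_digest(expected, submitted.strip().lower())


if __name__ == "__main__":
    # Constructed sample attempts for two students on a challenge expected to take 30 minutes.
    fast = Attempt(solved=True, failed_attempts=0, hints_used=0, minutes_spent=10, expected_minutes=30)
    slow = Attempt(solved=True, failed_attempts=3, hints_used=1, minutes_spent=45, expected_minutes=30)
    print("binary:", binary_score(fast), binary_score(slow))   # both 100
    print("graded:", graded_score(fast), graded_score(slow))   # 100 vs 60

    secret = b"constructed-secret-for-demo"   # placeholder; a real deployment would load this from config
    alice = student_answer(secret, "challenge-01", "alice")
    bob = student_answer(secret, "challenge-01", "bob")
    print("alice accepted:", check_submission(secret, "challenge-01", "alice", alice))
    print("bob's answer rejected for alice:", check_submission(secret, "challenge-01", "alice", bob))
```

The graded score is what lets a teacher rank students who all eventually solved the same challenge, and the keyed derivation is one way to get "slightly different answers" per student without a per-student answer database; any fixed rotation of the challenge secret invalidates previously shared answers.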
A demo of the new Hackademic portal and challenges will also be given, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.
Speaker
Konstantinos Papapanagiotou
Information Security Services Team Lead, OTE
Dr Konstantinos Papapanagiotou has more than 10 years of experience in the field of information security, both as a corporate consultant and as a researcher. Currently he leads the information security services practice at OTE, the largest telco in Greece. In the past he has provided information security services to large organizations in Greece, Cyprus, the Balkans and the Middle East. He has been involved with OWASP for several years now, leading the OWASP Greek Chapter and lately the...
Managed by the official OWASP Media Project owasp.org/index.php/OWASP_Media_Project