A Tool for Teaching Web Application Security - PDF

Please download to get full document.

View again

of 8
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Information Report



Views: 57 | Pages: 8

Extension: PDF | Download: 0

Related documents
A Tool for Teaching Web Application Security Li-Chiou Chen, Seidenberg School of Computer Science and Information Systems, Pace University, Lixin Tao, Seidenberg School of Computer Science and Information
A Tool for Teaching Web Application Security Li-Chiou Chen, Seidenberg School of Computer Science and Information Systems, Pace University, Lixin Tao, Seidenberg School of Computer Science and Information Systems, Pace University, Xiangdong Li, New York City College of Technology, City University of New York, Chienting Lin, Seidenberg School of Computer Science and Information Systems, Pace University Abstract Web application security has been an emerging topic while an increasing number of commercial applications are web-based. We are developing a new secure web development teaching tool, called SWEET (Secure WEb development Teaching), to teach the students about web application security based on the life cycle of the application development. This paper describes the development of SWEET and provides an example of laboratory exercises on secure web communications. Experiences of incorporating SWEET in Information Assurance courses are also discussed. Index terms web security, virtual machine, Information Assurance curriculum, and hands-on exercise. I. INTRODUCTION We are developing a new secure web development teaching tool, called SWEET (Secure WEb development Teaching), for undergraduate and graduate computing courses. The purpose of the project is to enhance the students learning experience in computing through a standardized computing environment and teaching modules in secure web development. Web application security has been an emerging topic while an increasing number of commercial applications are designed based on Extensible Makeup Language (XML) and using Hypertext Transfer Protocol (HTTP) for communications. For example, recently, social networking software has been used intensively, especially among the college students, and integrated with various marketing or gaming software. The security of new web applications has been widely discussed but it has not been fully resolved [1, 2]. The teaching materials in this area are also very limited. There is a need for developing new teaching materials that can address the emerging security issues in web application development. The materials should also be able to attract the students interests and provide them with the hands-on experience in learning these new concepts. Author affiliation information goes here in 9-point, italic, Times New Roman. This footnote should use a nonprinting symbol as its reference so that it does not interfere with the numbering of regular footnotes. 17 SWEET features virtualized web servers and a development platform that allows instructors to teach the security issues in web application development using regular computer laboratories. It includes eight three-hour teaching modules that are composed of the lecture materials, hands-on exercises and project ideas. The goals of developing SWEET is to 1) train a new generation of computing professionals who would understand and be able to solve security problems occurring in web development, 2) introduce a new knowledge area in information assurance, 3) enrich the current computing curriculum and attract more students studying in computing, and 4) bridge the gap between the current computing curriculum and the industry expectation by introducing an emerging knowledge area, secure web development. II. BACKGROUND A. Narrow the gap between the demand and supply in IT professionals The enrollment of the undergraduate computing programs in the US has dropped significantly in the recent years. According to Computer Research Association, the enrollment in Computer Science (CS) has declined since its peak in 2000 and had dropped 18 percent between 2005/2006 and 2006/2007. In the meantime, the demand for the IT professionals is still increasing and they have earned more on average than other professions. Bureau of Labor Statistics predicted that the professional-level IT positions would be paid higher salaries and more than twice the growth rate of the overall workforce from 2006 to 2016, with a growth rate of 24.1% [3]. In the 2006 National Survey of Recent College Graduates (NSRCG), National Science Foundation [4] reported that CS tied for second with health majors for the highest median salary ($45,000) at the baccalaureate level. These statistics have shown that the US education at the undergraduate level will not produce enough IT professionals to meet the demand of the job market if the trend continues. There are many reasons that contribute to the gap between the demand for IT professionals and the enrollment of computing undergraduates. One of them is the lag between the knowledge scope of our current computing curricula and the expectations of the IT industry. It is critical to broaden the scope of student knowledge by using the teaching materials that would provide them with both the solid background in computing principles and the hands-on experiences in practice. B. Broaden the knowledge scope of computing undergraduates SWEET covers two emerging knowledge areas in computing: web application development and information security. As a generalization of the web technologies, the Internet business services are typically implemented by integrating existing services. The XML technology is the foundation of data integration across heterogeneous IT systems. The web service is a particular implementation technology of the Internet business services, and serviceoriented architecture (SOA) specifies the software architecture based on the service integration. The information security has become an importance issue for Internet business services in different disciplines, such as banking, finance, and telecommunications. The annual CSI/FBI computer crime and security survey [5] had shown that information security has continuously been a top priority for many organizations. This trend brings a great demand for the qualified Information Assurance (IA) professionals. Frost & Sullivan [6] estimated that the number of information security professionals worldwide in 2007 were approximately 1.66 million. This figure was expected to increase to almost 2.7 million professionals by This demand has provided a great opportunity for the computing programs. To meet the current trend, we need innovative courseware to train qualified security professionals. C. Provide innovative and practical teaching materials in secure web development The teaching materials in secure web development are very limited. While teaching information assurance courses, we found that it is difficult to combine appropriate laboratory exercises using the current available courseware to cover both the web technologies and the security topics. The existing courseware often needs to be specially re-designed in order to meet the specific learning objectives designed for the students in computing. Motivated by the lack of appropriate courseware to meet our demand, we decided to design our own hands-on teaching tool in secure web development. Many information security educators had designed courseware with hands-on laboratory exercises for information assurance courses [7] but none of them focused specifically on secure web development. The textbooks in web security that are suitable for undergraduate courses are also very limited. Most of the textbooks in computer security published in recent five years only keep a chapter or a section in web security with a limited overview of Secure Socket Layer (SSL) and certificate authority. While there are many books in web application vulnerabilities [8-13] and secure programming [14], but they are designed for the practitioners, not for the undergraduate students. III. SECURE WEB DEVELOPMENT TEACHING MODULES A. Design Criteria Portability and flexibility for easy adoption: To achieve the flexibility of adoption, we have designed SWEET teaching modules as self-contained units so that they can be taught together as a single web security course or adopted separately in the appropriate courses that cover some aspects of secure web development, such as web development courses or system analysis and design courses. Simplicity for students with limited background: The SWEET teaching modules target at the sophomore to junior undergraduate students who have only taken an introductory level of programming as well as some computer networking concepts. The modules are also suitable for the Information Systems/Information Technology Masters students who have only an introductory background in computing. The laboratory exercises have been designed to illustrate the principles taught in lectures. For example, when discussing web application vulnerabilities, the lecture materials introduce different types of attacks against the web applications, such as the SQL injection or Cross-Site Scripting. The hands-on exercises also contain a vulnerable web server so that the students can follow simple step-by-step instructions to see how these attacks are carried out and how the web developers can avoid these vulnerabilities or apply the ramifications. Structured hands-on laboratory exercises to attract students interests: Each SWEET teaching module is composed of the lecture materials and hands-on exercises that focus on the topics discussed in the lecture materials. These exercises will allow the students to review the contents of the lecture and to apply what they have learned to solve well-structured problems in a preconfigured virtualized environment. Semi-structured project ideas for building problem solving skills: Course projects can stimulate students to form new ideas and to develop their problem solving skills. SWEET incorporates the descriptions of potential 18 course projects that focus on the web security problems faced by the practitioners. These projects aim to encourage the students to think across all secure web development topics and to collect the relevant information to solve problems. Secure web development life cycle: We have incorporated the software assurance paradigm [15] in SWEET. The current network level defenses are not enough to solve the security problems embedded in the web application development. For example, a packet-level firewall does not examine the contents of web level traffic and therefore cannot identify any potential threat embedded in the application layer traffic. The fundamental solution to address the web application security is to identify the security vulnerabilities right from the development stage of the web application. Software assurance ensures the web applications to be as they are designed by examining each stage in the life cycle of the web application development. The Software Assurance Initiative promoted by the Department of Defense defines software assurance as the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software [16]. We have applied this paradigm specifically on the web application development during the analysis, design, implementation and deployment. SWEET teaching modules are formatted based on the web application vulnerabilities in each phase of the life cycle of the web application development. B. Virtualization Platform SWEET utilizes the virtualization technology to configure a computing environment needed for the hands-on exercises. All exercises are built upon a pre-configured virtualized platform that has a virtualization layer and an application layer. The virtualization layer contains two pre-configured VMware virtual machines (VM) that allow the students to conduct the hands-on exercises on both the Windows and Linux environments. The application layer includes a web server, a database that connects to the web server, web applications, a proxy server for monitoring the web traffic, and other web security and programming tools. To run the virtual machine, the students only need to download the free VMware Player. The pre-configured virtual machines and the host machine can run concurrently. The virtual machines which support the SWEET include the following applications pre-installed and preconfigured: Web and application servers: IIS, Tomcat, Apache, GlassFish (Sun s Java EE 5 server reference implementation), Web Proxy: Paros, Web Scarab, 19 Web Security testing: Web Goat,.Net Security Toolkits, Programming/scripting languages: Java, C#, C/C++, VB.NET, Perl, PHP, Ruby, Programming IDEs: Eclipse, NetBeans, Visual Studio, Java Development Toolkit (JDK), Tutorials and documentation: MSDN library, Java EE 5 tutorial, Google Web Toolkit ; Web service and XML tutorials and Linux tutorials. C. Web Security Teaching Modules Each SWEET 1 teaching module will include the lecture materials and hands-on exercises. We have developed four modules and are currently developing another four modules. The eight teaching modules are described as below: 1) Web application development overview: The lecture will cover HTML form and its various supported GUI components; URL structure and URL rewrite; HTTP basic requests; the four-tiered web architecture and web server architecture and configuration; session management with cookies, hidden fields, and server session objects; CGI vs. Java servlet/jsp web applications. The laboratory exercises will guide the students to setup a web server and observe HTTP traffic via a web proxy. 2) Service oriented architecture overview: The lecture will cover the service-oriented computing and architecture; web service for integrating heterogeneous information systems across the networks; service interface methods and method invocation data with XML dialects WSDL and SOAP. The laboratory exercises will guide the students to configure and secure a simple web service application. 3) Secure Web Communications: The lecture will cover Secure Socket Layer (SSL) protocols; public key infrastructure, certificate authority and X.509; digital certificates; certification validation and revocation; online certification status protocol. The laboratory exercises will guide the students to configure SSL on a web server and to create and sign server certificates. 4) Security issues and countermeasures in the analysis and design phases of web development: The lecture will cover the life cycle of web application development; abuse cases analysis; risk analysis, secure requirements; and Secure UML. The laboratory exercises will guide the students to design a secure requirement plan and conduct the risk analysis for a web service application. 1 SWEET teaching modules and virtual machines can be downloaded from 5) Security issues and countermeasures in the implementation phase of web development: The lecture will cover the attacks exploiting vulnerabilities occurred during the implementation, such as buffer overflow, SQL injection, and poor authentication. Code review and riskbased testing will be discussed. The laboratory exercises will guide the students to understand the various vulnerabilities and countermeasures via a pre-configured vulnerable web server. 6) Security issues and countermeasures in the deployment phase of web development: The lecture will cover the attacks exploiting vulnerabilities occurred during the deployment, such as cross-site scripting (XSS) and e- shoplifting. The architectural risk analysis will be introduced, which include the attack resistance analysis, ambiguity analysis and weakness analysis. The laboratory exercises will guide the students to understand XSS and e-shoplifting and countermeasures via a pre-configured vulnerable web server. 7) Web application stress testing: The lecture will cover the application penetration testing; web server load balancing; and distributed denial of service attacks. The laboratory exercises will guide the students to conduct a penetration testing to a pre-configured vulnerable web server. 8) Securing Ajax application: The lecture will cover the client-side sandbox security; Java security policy management; Ajax technology overview; securing Ajax applications; tradeoff of client-side and server-side computing with Ajax. The laboratory exercises will guide the students to study the security vulnerabilities of a sample Ajax application. IV. AN EXAMPLE OF HANDS-ON EXERCISES: SECURE WEB COMMUNICATIONS Each exercise contains a step-by-step instruction to show the students how to accomplish a laboratory assignment. All software tools needed and the laboratory instructions are pre-configured on the SWEET virtual machines. Figure 1 shows a part of the laboratory exercises for introducing the secure web communications. These exercises guide the students to examine the root certificates and web server certificates in the browsers and to create a self-signed certificate for a web server. The web server for this exercise is pre-configured in a VMware virtual machine. Ubuntu 2 Linux, Apache 3, and OpenSSL 4 are pre-installed in a virtual machine although the students are provided with a clean slate Ubuntu virtual machine and the instructions to install Apache and OpenSSL from scratch. For creating a self-signed web server certificate, the exercise guides the students to create a public and private key pair, a Secure Socket Layer (SSL) certificate and a certificate signing request (CSR). The students will then play the role of a Certificate Authority (CA) to sign the certificate signing request for the pre-configured virtual web server. In the lecture materials, we have introduced the concept of public key encryption, digital certificates, and vulnerability in SSL implementation. We have also cautioned the students of the risk in using self-signed certificates and explained why a commercial server would ask a trusted third party, such as VeriSign or RSA, to sign the certificate. The step-by-step instructions guide the students to create a certificate for a pre-installed virtual web server using OpenSSL, to run the server and to communicate with the server using HTTPS. The students are also asked to examine the HTTPS handshaking transactions. We have also designed review questions in the step-by-step instructions to verify the students progress and to ensure the students understanding of the results. The virtualization technology provides various advantages of running the exercises. First, the exercises are portable regardless the underlying operating systems so that the students can run it either in a general-purpose computer laboratory or on their home computers. Second, the exercises can be repeated multiple times as needed. As long as the students start from the virtual machine provided for the exercise, they are able to practice the same configuration steps as many times as they would like to. Third, the experimental environment is confined within a virtual machine without interrupting the actual computing environment. Finally, a vulnerable virtual web server can be configured, investigated, exploited and fixed within the virtual machine without exposing the vulnerabilities to the actual networking environment. 2 Ubuntu is a variant of Linux which is available at 3 Apache is an open source web server program which is available at OpenSSL is a set of open source SSL libraries which are available at Laboratory Exercises Topic: Secure Web Communications I. Certificate Management in a Web Browser This exercise guides the students to examine the root certificates pre-installed in browsers and web server certificates sent by HTTPS sessions...(instructions).. II. Create certificates using OpenSSL on Linux Virtual Machine We have established a web site called Pace Bank on a preconfigured Linux virtual machine and the web site is not secure. We will secure it by creating a SSL certificate for the web server before we can run the server securely with HTTPS. 1. Access the Terminal window by navigating to Applications Accessories Terminal. 2. Point the terminal shell to the ssl directory by running command: cd /etc/apache2/ssl The ssl directory is where all the private keys, certificate s
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks