WIXLIB

Proceedings of the 14th Colloquium for Information Systems Security EducationBaltimore Marriott Inner HarborBaltimore, Maryland June 7 - 9, 2010course projects that focus on the web security problemsfaced by the practitioners. These projects aim toencourage the students to think across all secure webdevelopment topics and to collect the relevant informationto solve problems. Secure web development life cycle: We have incorporatedthe software assurance paradigm [15] in SWEET. Thecurrent network level defenses are not enough to solve thesecurity problems embedded in the web applicationdevelopment. For example, a packet-level firewall doesnot examine the contents of web level traffic andtherefore cannot identify any potential threat embedded inthe application layer traffic. The fundamental solution toaddress the web application security is to identify thesecurity vulnerabilities right from the development stageof the web application. Software assurance ensures theweb applications to be as they are designed by examiningeach stage in the life cycle of the web applicationdevelopment. The Software Assurance Initiativepromoted by the Department of Defense defines softwareassurance as “ the level of confidence that softwarefunctions as intended and is free of vulnerabilities, eitherintentionally or unintentionally designed or inserted aspart of the software” [16]. We have applied this paradigmspecifically on the web application development duringthe analysis, design, implementation and deployment.SWEET teaching modules are formatted based on the webapplication vulnerabilities in each phase of the life cycleof the web application development. B. Virtualization PlatformSWEET utilizes the virtualization technology to configurea computing environment needed for the hands-onexercises. All exercises are built upon a pre-configuredvirtualized platform that has a virtualization layer and anapplication layer. The virtualization layer contains twopre-configured VMware virtual machines (VM) that allowthe students to conduct the hands-on exercises on both theWindows and Linux environments. The application layerincludes a web server, a database that connects to the webserver, web applications, a proxy server for monitoringthe web traffic, and other web security and programmingtools. To run the virtual machine, the students only needto download the free VMware Player. The pre-configuredvirtual machines and the host machine can runconcurrently.The virtual machines which support the SWEETinclude the following applications pre-installed and preconfigured: Web and application servers: IIS, Tomcat, Apache,GlassFish (Sun’s Java EE 5 server referenceimplementation), Web Proxy: Paros, Web Scarab ,ISBN 1-933510-99-4 / 2010 CISSE Web Security testing: Web Goat , .Net SecurityToolkits,Programming/scripting languages: Java, C#, C/C ,VB .NET , Perl, PHP, Ruby,Programming IDEs: Eclipse, NetBeans, VisualStudio, Java Development Toolkit (JDK),Tutorials and documentation: MSDN library, Java EE5 tutorial, Google Web Toolkit ; Web service andXML tutorials and Linux tutorials.C. Web Security Teaching ModulesEach SWEET1 teaching module will include the lecturematerials and hands-on exercises. We have developedfour modules and are currently developing another fourmodules. The eight teaching modules are described asbelow:1) Web application development overview: The lecturewill cover HTML form and its various supported GUIcomponents; URL structure and URL rewrite; HTTPbasic requests; the four-tiered web architecture and webserver architecture and configuration; sessionmanagement with cookies, hidden fields, and serversession objects; CGI vs. Java servlet/JSP webapplications. The laboratory exercises will guide thestudents to setup a web server and observe HTTP trafficvia a web proxy.2) Service oriented architecture overview: The lecturewill cover the service-oriented computing andarchitecture; web service for integrating heterogeneousinformation systems across the networks; service interfacemethods and method invocation data with XML dialectsWSDL and SOAP. The laboratory exercises will guidethe students to configure and secure a simple web serviceapplication.3) Secure Web Communications: The lecture will coverSecure Socket Layer (SSL) protocols; public keyinfrastructure, certificate authority and X.509; digitalcertificates; certification validation and revocation; onlinecertification status protocol. The laboratory exercises willguide the students to configure SSL on a web server andto create and sign server certificates.4) Security issues and countermeasures in the analysis anddesign phases of web development: The lecture will coverthe life cycle of web application development; abusecases analysis; risk analysis, secure requirements; andSecure UML. The laboratory exercises will guide thestudents to design a secure requirement plan and conductthe risk analysis for a web service application.1SWEET teaching modules and virtual machines can bedownloaded from http://csis.pace.edu/ lchen/sweet/.

Proceedings of the 14th Colloquium for Information Systems Security EducationBaltimore Marriott Inner HarborBaltimore, Maryland June 7 - 9, 20105) Security issues and countermeasures in theimplementation phase of web development: The lecturewill cover the attacks exploiting vulnerabilities occurredduring the implementation, such as buffer overflow, SQLinjection, and poor authentication. Code review and riskbased testing will be discussed. The laboratory exerciseswill guide the students to understand the variousvulnerabilities and countermeasures via a pre-configuredvulnerable web server.6) Security issues and countermeasures in the deploymentphase of web development: The lecture will cover theattacks exploiting vulnerabilities occurred during thedeployment, such as cross-site scripting (XSS) and eshoplifting. The architectural risk analysis will beintroduced, which include the attack resistance analysis,ambiguity analysis and weakness analysis. The laboratoryexercises will guide the students to understand XSS ande-shoplifting and countermeasures via a pre-configuredvulnerable web server.7) Web application stress testing: The lecture will coverthe application penetration testing; web server loadbalancing; and distributed denial of service attacks. Thelaboratory exercises will guide the students to conduct apenetration testing to a pre-configured vulnerable webserver.8) Securing Ajax application: The lecture will cover theclient-side sandbox security; Java security policymanagement; Ajax technology overview; securing Ajaxapplications; tradeoff of client-side and server-sidecomputing with Ajax. The laboratory exercises will guidethe students to study the security vulnerabilities of asample Ajax application.IV. AN EXAMPLE OF HANDS-ON EXERCISES: SECURE WEBCOMMUNICATIONSEach exercise contains a step-by-step instruction to showthe students how to accomplish a laboratory assignment.All software tools needed and the laboratory instructionsare pre-configured on the SWEET virtual machines.Figure 1 shows a part of the laboratory exercises forintroducing the secure web communications. Theseexercises guide the students to examine the rootcertificates and web server certificates in the browsers andto create a self-signed certificate for a web server. Theweb server for this exercise is pre-configured in aVMware virtual machine. Ubuntu2 Linux, Apache3, andOpenSSL4 are pre-installed in a virtual machine althoughthe students are provided with a clean slate Ubuntu virtualmachine and the instructions to install Apache andOpenSSL from scratch.For creating a self-signed web server certificate, theexercise guides the students to create a public and privatekey pair, a Secure Socket Layer (SSL) certificate and acertificate signing request (CSR). The students will thenplay the role of a Certificate Authority (CA) to sign thecertificate signing request for the pre-configured virtualweb server. In the lecture materials, we have introducedthe concept of public key encryption, digital certificates,and vulnerability in SSL implementation. We have alsocautioned the students of the risk in using self-signedcertificates and explained why a commercial server wouldask a trusted third party, such as VeriSign or RSA, to signthe certificate.The step-by-step instructions guide the students to createa certificate for a pre-installed virtual web server usingOpenSSL, to run the server and to communicate with theserver using HTTPS. The students are also asked toexamine the HTTPS handshaking transactions. We havealso designed review questions in the step-by-stepinstructions to verify the students’ progress and to ensurethe students’ understanding of the results.The virtualization technology provides variousadvantages of running the exercises. First, the exercisesare portable regardless the underlying operating systemsso that the students can run it either in a general-purposecomputer laboratory or on their home computers. Second,the exercises can be repeated multiple times as needed. Aslong as the students start from the virtual machineprovided for the exercise, they are able to practice thesame configuration steps as many times as they wouldlike to. Third, the experimental environment is confinedwithin a virtual machine without interrupting the actualcomputing environment. Finally, a vulnerable virtual webserver can be configured, investigated, exploited andfixed within the virtual machine without exposing thevulnerabilities to the actual networking environment.2Ubuntu is a variant of Linux which is available athttp://www.ubuntu.com/.3Apache is an open source web server program which isavailable at http://www.apache.org/.ISBN 1-933510-99-4 / 2010 CISSE4OpenSSL is a set of open source SSL libraries which areavailable at http://www.openssl.org/.

Proceedings of the 14th Colloquium for Information Systems Security EducationBaltimore Marriott Inner HarborBaltimore, Maryland June 7 - 9, 2010Laboratory ExercisesTopic: Secure Web CommunicationsI. Certificate Management in a Web BrowserThis exercise guides the students to examine the rootcertificates pre-installed in browsers and web servercertificates sent by HTTPS sessions. .(instructions) .II. Create certificates using OpenSSL on Linux VirtualMachineWe have established a web site called Pace Bank on a preconfigured Linux virtual machine and the web site is notsecure. We will secure it by creating a SSL certificate forthe web server before we can run the server securely withHTTPS.1. Access the Terminal window by navigating toApplications Accessories Terminal.2. Point the terminal shell to the ssl directory by runningcommand:cd /etc/apache2/sslThe ssl directory is where all the private keys, certificatesigning requests and certificates are stored.3. To generate the Certificate Signing Request (CSR), youneed to create your own private/public key pairs first. Youwill create a key by the name of server.key.The following command generates a RSA private key thatis 1024 bit long. Run the command from terminal tocreate the key:sudo openssl genrsa –des3 –out server.key 1024where the parameters are genrsa indicates to OpenSSL that you want togenerate a key pair. des3 indicates that the private key should beencrypted and protected by a passphrase. out indicates the file name in which to store theresults. 1024 indicates the number of bits of thegenerated key.When prompted for the [sudo] password, it is the samethat is used to login. You are prompted for a pass phrase,once you type in the initial pass phrase, you will be askedto verify this pass phrase.Enter pass phrase for server.key:Verifying - Enter pass phrase for server.key:4. Next you create a certificate signing request withthe private/public key you have just created. Thiscommand will prompt for a series of things: Whenprompted enter the values as follows:Country Name: USState or Province Name: New York .( a set of values for the certificate)To create the Certificate Signing Request, run thefollowing command at the terminal prompt, makingsure you are still in the /etc/apache2/ssl directory.sudo openssl req –new –key server.key –outserver.csrYou will be prompted to enter your private keypassphrase and to enter the values which wereaddressed above.5. Now you will create your self-signed certificate.The certificate signing request (CSR) has to be signedby a Certificate Authority (CA). For testing purpose,you will not ask a commercial CA (such as Verisign)to sign the certificate but sign the CSR by yourselves,which is called self-signing. In this case, you are yourown CA.The following command takes the certificate signingrequest and your private key in order to create yourself-signed certificate. The certificate will expire in365 days.sudo openssl x509 –req –days 365 –in server.csr –signkey server.key –out server.crt6. Run command ls in the /etc/apache2/ssl directoryand you will see the self-signed server certificate(server.crt), the certificate signing request (server.csr),and the server private key (server.key).III. Running a Secure Web ServerThis exercise guides the students to run a web serverthrough HTTPS using the certificate they have justcreated in II. .(instructions) .IV. Capturing TLS HandshakesThis exercise guides the students to capture TLShandshaking transactions between the Pace Bankvirtual server and a browser using OpenSSL. .(instructions) .Figure 1. An example of laboratory exercise instructionsISBN 1-933510-99-4 / 2010 CISSE

Proceedings of the 14th Colloquium for Information Systems Security EducationBaltimore Marriott Inner HarborBaltimore, Maryland June 7 - 9, 2010V. EVALUATION AND DISCUSSIONSWe have currently incorporated some of the SWEETmodules in two courses at Pace University: Overview ofComputer Security, an introductory computer securitycourse for the undergraduate students, and Web Security,an IA graduate elective course. We collected the students’feedback on the SWEET modules adopted in the twoclasses offered in Fall 2009. A web-based survey using 5point Likert scale was conducted at the end of thesemester. The survey included the questions to elicit theirfeedback on the lecture materials, laboratory exercises,the mapping between the lecture and the lab and theoverall impact of these modules on their learningexperience. Table 1 shows a summary of thedemographics and Table 2 shows a list of summarizedresults.Our results show that the students had invested significantamount of time (2-4 hours per week on average) incompleting their hands-on exercises. However, theygenerally agreed that the course materials were wellplanned (average 4.1 for the lecture category), theexercises had drawn their interests (average 4.1 for the labexercise category), the exercises had helped them inlearning the course materials (average 4.1 for the mappingbetween labs and lecture), and they would be interested inpursuing further in IA (average 3.9 for the overallcategory).Our results also show that the teaching modules haveachieved the similar results for the different groups ofstudents. After a multiple regression analysis, we foundthat there is not enough evidence to support significantdifference between the graduate and undergraduatestudents, between the male and female students, andbetween the full-time working professionals and full-timestudents.The SWEET teaching modules will be adopted by NewYork City College of Technology, which is a minorityuniversity. Part of the SWEET projects will beincorporated in two undergraduate courses at New YorkCity College of Technology: Web Design andInformation Security. We believe that this collaborationwill broaden the participation of underrepresentedstudents. Furthermore, the SWEET teaching modules willbe posted on a project web site of both institutions to helpother institutions to adopt or incorporate it into theirWeb/Security courses and to train more qualified ITprofessionals to meet the demand of the workforce.Number ofParticipantsAverage45 in totalGraduate students: 31 (69%)Undergraduate students: 14 (31%)Graduate students: 31ISBN 1-933510-99-4 / 2010 CISSEageSexUndergraduate students: 24Average yearsof workingexperience38% working full time (an average of5 years working experience and anaverage of 1.5 years of IAexperience)Average hoursof studyingoutside theclassroom62% : Male38% : FemaleGraduate students: 10 hoursUndergraduate students: 7 hoursCurrent use ofsecurity relatedcomputerapplications ortools11% : Never11% : about once a month31% : about once a week16% : about once or twice a day18% : three to five times a day13% : more than five times a dayCurrent generalcomputer use2% : about once or twice a day22% : about three to five times a day76% : more than five times a dayAvailability ofcomputer access4% : at home only96% : both at home and atoffice/schoolTable 1: Summary of demographicsSurvey Item /Average /(Standard Deviation)Categoryaverage/StandarddeviationQ1. The contents of the lectures improvemy knowledge in informationsecurity/computer network security.4.0 (1.0)Q2. Each lecture has a well-designedtheme in information security/computernetwork security.4.0 (1.1)Lecture: 4.1Q3. Each lecture has sufficient supporting(1.0)course materials, such as handouts, slides,textbook materials, for me to understandand review the weekly topic.4.0 (1.1)Q4. The contents of the lectures coverstopics that I would like to learn ininformation security/computer networksecurity.4.0 (1.0)Q5 Please estimates the number of hours you spent on alaboratory exercise.graduate students: 4.3 (3.7)undergraduate students: 2.3 (2.6)

Proceedings of the 14th Colloquium for Information Systems Security EducationBaltimore Marriott Inner HarborBaltimore, Maryland June 7 - 9, 2010VI. CONCLUSIONSQ6. Each lab exercise has a theme in thearea of information security or computernetwork security.4.2 (1.0)Q7. Lab exercises stimulate my furtherinterests in learning other securitysoftware or technology.4.1 (1.1)Q8. The lab equipments are sufficient forrunning the required lab exercises.4.0 (1.0)Q9. I have better understanding regardingthe weekly topic after finishing thecorresponding lab exercises.4.0 (0.9)Q10. I know better about putting thetechnologies or concepts/theories beingtaught in practice after finishing therelated lab exercises.4.0 (1.0)Q11. The combination of the lectures andlab exercises makes the class moreinteresting and informative than a classwith only lectures.4.2 (1.0)Q12. Lab exercises stimulate my furtherinterests in learning the technology andtheories/concepts behind the securitysoftware or security problems.4.2 (1.0)Q13. After taking the class, I am evenmore interested in the informationsecurity/computer network security areathat I did.4.0 (1.0)Q14. After taking the class, I am evenmore interested in having a career in theinformation security/computer networksecurity area than I did.3.7 (1.0)Q15. This class improves my knowledgeand skills in the area of informationsecurity/computer network security.4.1 (1.0)Q16. I will be interested in taking othersecurity classes that blend in lab exerciseswith lectures.4.0 (1.0)Table 2: Summary of Survey ResultsISBN 1-933510-99-4 / 2010 CISSELab/HomeworkExercises:4.1 (1.0)We had described our effort in developing the teachingmodules for the secure web development. A laboratoryexercise example on secure web communications waspresented and our experience of utilizing the example wasdiscussed. We had also discussed our experience ofincorporating the modules in our IA courses.The secure web development is an important topic inassuring the confidentiality, integrity and availability ofthe web-based systems. It is necessary for the securityprofessionals to understand the security issues in the lifecycle of developing a web-based system. Our secure webdevelopment teaching modules (SWEET) provides theflexible teaching materials for the Information Assuranceeducators to incorporate this topic in their courses and toeducate the next generation of security professionalsusing hands-on exercises and examples.VII. andLectures:4.1

Programming/scripting languages: Java, C#, C/C , VB .NET , Perl, PHP, Ruby, Programming IDEs: Eclipse, NetBeans, Visual . 5 tutorial, Google Web Toolkit ; Web service and XML tutorials and Linux tutorials. C. Web Security Teaching Modules Each SWEET1 application. Colloquium for Information Systems Security Education Baltimore Marriott Inner .