Integrating Web Application Security into the IT Curriculum
James Walden
Dept. of Computer Science, Northern Kentucky University, Highland Heights, KY
waldenj@nku.edu

ABSTRACT

Attackers are increasingly targeting web applications. Buffer overflows had been the most common vulnerability type since CERT began collecting statistics, but web application vulnerabilities like cross-site scripting have dominated vulnerability reports since 2005. Despite billions of dollars spent on network security, the amount lost to computer crime, much of it the result of the insecurity of web applications, grows every year. This problem results in part from the fact that perimeter security techniques like firewalls do little to protect web applications.

In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Both information security and web programming classes need to cover this topic. This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Some techniques, such as penetration testing using web proxies, are applicable to both types of classes. Other techniques, such as secure programming guidelines, are primarily useful in web programming classes, while some tools, like web application firewalls, are more important in information security classes.

We use the open source web application security teaching tool WebGoat for introductory labs that teach students about the nature of specific vulnerabilities like SQL injection. These labs also introduce students to web testing proxies, such as Burp Suite, which they use more deeply in later labs that focus on penetration testing of a complete web application. Students in security classes also learn how to use web vulnerability scanners and web application firewalls, while web programming classes focus on learning how to write code without common vulnerabilities.
Categories and Subject Descriptors

K.3.2 [Computers and Education]: Computer and Information Science Education; K.6.5 [Management of Computing and Information Systems]: Security and Protection; C.2.0 [Computer-Communication Networks]: General—security and protection

General Terms

Web application security

Keywords

web application security, web security education

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIGITE'08, October 16–18, 2008, Cincinnati, Ohio, USA. Copyright 2008 ACM 978-1-60558-329-7/08/10 ...$5.00.

1. INTRODUCTION

As security at the network perimeter has improved, attackers have shifted their efforts to the easier target of web applications. Web applications are at the core of our electronic banking and commerce systems. Web applications, like Google Docs, are also beginning to replace traditional desktop applications. While the importance of web application security is growing, the quality of web security is declining.

The 191% increase in the number of security vulnerabilities from 2004 to 2007 [2] is largely attributable to vulnerabilities in web applications. Vulnerabilities found primarily in web applications, such as SQL injection, make up four of the five most common types of vulnerabilities. Cross-site scripting became the most common vulnerability in 2004, displacing buffer overflows for the first time [15].

Network security techniques like firewalls and cryptography are of limited use for defending web applications.
Organizations have to allow network access to web applications so that customers can use them to bank, shop, or otherwise interact with the organization. The administrator cannot simply block those connections at the firewall, and encrypting the connection to the web application with SSL does nothing to prevent an attacker from launching a cross-site scripting or SQL injection attack: the malicious input travels over the encrypted channel just like legitimate input.

Web applications therefore need to be defended at the application layer, either by designing and coding an application that has no vulnerabilities or by protecting the program with a tool such as a web application firewall. However, few web applications are designed with security in mind, and it requires extensive customization to configure an application firewall to effectively protect an application.

In addition to being less well-protected, web applications typically hold assets that attackers desire. While credit card numbers, bank accounts, and other personally identifiable information (PII) are the most common targets, web sites are increasingly being used to distribute malware to unsuspecting users. Compromised sites appear unchanged to their
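The point that transport encryption does not stop SQL injection, and that the fix lives in the application's own code, is easiest to see side by side. The following is an added example written for this edit, not code from the paper or from WebGoat: a constructed in-memory SQLite user table, a login function that builds its query by string concatenation, and the same login written with a parameterized query. The function names, the sample users, and the payload are all assumptions made for illustration. Nothing about the network path appears in the code, which is exactly the point: an attacker sends the same payload over HTTP or HTTPS and the outcome depends only on how the query is built.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the paper). Plaintext passwords are
    used only to keep the injection behaviour visible; never do this in
    production."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by concatenation, so attacker-controlled text
    becomes part of the SQL grammar. Returns the usernames that matched."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    statement text, so quotes in the input are data, never SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


def demo():
    """Runs the classic tautology payload against both versions and a
    legitimate login against the safe one."""
    conn = make_db()
    payload = "' OR '1'='1"  # hypothetical attacker input; assumed for illustration
    return {
        # Resulting SQL: ... password = '' OR '1'='1'  -> every row matches
        "vuln_attack": login_vulnerable(conn, "alice", payload),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "safe_attack": login_safe(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the payload turns the predicate into `(username = 'alice' AND password = '') OR '1'='1'`, which is true for every row, so the "login" succeeds as all users at once; the parameterized version treats the same string as a literal password and matches nothing. The vulnerable function behaves correctly on honest input (a wrong password matches no rows), which is why this class of bug survives ordinary functional testing and needs either secure coding or an application-layer control such as a web application firewall to catch it.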