Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, November 21 • 11:00am - 11:50am
OWASP Hackademic: a practical environment for teaching application security

Sign up or log in to save this to your schedule and see who's attending!

Video of session:
https://www.youtube.com/watch?v=OxDDzpJLClA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=10

Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system. 
The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. 
Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology. 
The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities. 
In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and more importantly security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates. For example we are expanding the use cases of Hackademic in order for it to be used in a corporate environment to either train, assess or raise awareness among employees.
Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system, that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try. Thus, it is much more difficult for students to cheat.
A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom and giving the chance to attendees to get their hands on it.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


Thursday November 21, 2013 11:00am - 11:50am
Salon 2 (5th Floor Ballroom) NY Marriott Marquis