In teaching a class on Web Security (UNLV’s INF400 Special Topics in Informatics: Web Security), I spend a lot of time just trying to determine what topics I can cover. Despite a seemingly long semester – some 16 weeks – it is sometimes surprising how little one can actually cover in 40 hours of instruction.

It occurred to me, in reviewing my notes from the time I taught it in the Spring (2010), that I ended up having to cover an inordinately large amount of basic background material. As I progress through piecing together the syllabus, I am finding myself looking for ways to streamline the ramping-up process so we can get to the meat of it quicker.
For example, take basic XSS (cross-site scripting) – just to approach the topic, I have to assume that the student has a basic knowledge of the HTTP protocol (including headers, methods and responses), an understanding of the browser’s isolation mechanisms (sandboxing and the same-origin policy), a relatively good understanding of JavaScript (and HTML, for that matter), and a willingness to spend time practicing and failing without getting frustrated. For SQL injection, the student needs a good understanding of the HTTP protocol and idempotency, RDBMS structures and the differences between engines, SQL itself, and the pass-through language (PHP, ASP, etc.), along with how the forms interact with the database and where lax validation and scrubbing might occur.
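To make the two prerequisites concrete, here is the kind of minimal vulnerable-versus-hardened pair a lab might start from. This is an added example, not course material from the post; it assumes a SQLite-backed login form and a greeting page that echoes a form field, both constructed here in memory. The table, usernames and the injection payload are made up for the demonstration.

```python
import html
import sqlite3

# Constructed sample data: a tiny users table standing in for the RDBMS
# behind a login form. Plaintext passwords are used only to keep the
# injection demonstration short; never store passwords this way.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Form fields concatenated straight into the query text: this is the
    # pass-through bug, and the quote in the input becomes SQL syntax.
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterised query: the engine receives the values separately from
    # the SQL text, so a quote in the input stays data. No scrubbing needed.
    return conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def render_greeting_vulnerable(name):
    # Reflected XSS: the form field is written into the page as markup.
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    # Output encoding for an HTML text context: < > & " ' become entities,
    # so the browser renders the payload as text instead of executing it.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run both pairs against a classic payload and return the results."""
    conn = setup_db()
    sqli_payload = "' OR '1'='1"        # constructed injection string
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, sqli_payload, sqli_payload),
        "safe_injected": login_safe(conn, sqli_payload, sqli_payload),
        "xss_vuln": render_greeting_vulnerable(xss_payload),
        "xss_safe": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the injected username and password, the vulnerable login matches every row (the WHERE clause collapses to `... OR '1'='1'`), while the parameterised version matches none; the unescaped greeting carries the script tag through verbatim, the escaped one turns it into `&lt;script&gt;`. Students can see the difference in a single run before touching HTTP at all.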

So I end up spending some 2-3 hours (which isn’t sufficient in the first place) just reaching the point where I can have a reasonable and engaging discussion about the dangers of XSS, and another 2-3 to do SQL injection. Add on top of that cross-site request forgery, sidejacking, digital rights management, rogue CAs, web server exploits, caching breaches, DoS and DDoS, parameter pollution and more, and suddenly the 40 hours are gone very quickly.
I am also adamant that in a Web security course students must have hands-on labs performing some hacking. In my experience, providing a platform for students to see and experience what a hacker’s eyes see changes their perspective, giving them the tools to think like the predator and seek better protection. Many of these students leave with a cognate in Cybersecurity (since UNLV’s now-eliminated Informatics program is still an NSA Center for Academic Excellence – CAE – in cyber security).
My point is simply that there needs to be more. Students in any computer science, informatics, HCI, UX, web design, MIS or similar program should be required to take a course in Web Security and preferably more than one, simply because the material is so vast and quickly becoming more pronounced as the Web becomes increasingly part of the fabric of everyday life.
According to the privacyrights.org chronology of data breaches, there were 342 million “records” breached from 2005-2009. In 2010 alone, another 167 million were breached; that single year accounts for nearly 50% of the total from the preceding five years combined, so the rate of such exploits is accelerating sharply. Of course this figure is not limited to records stolen through Web sources, but as data becomes increasingly available online and privacy only semi-transparent, the Web is sure to contribute an ever larger share of it.
There is a prevailing need for more skilled workers with a good understanding of cyber- and web security, as much as there is a need for general public awareness. Just as computers and the Internet have become ubiquitous, so has the need for security in them.