SpoC 007 - The Scholastic Application Security Assessment Project

Back to SpoC 007 Selection page

AoC Candidate:   Eric Sheridan and Dr. Goran Trajkovski

Project coordinator: Dinis Cruz

Project Progress: 80% Complete, Progress Page

Abstract
One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

Participants
The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.


 * Application Security Professional – Eric Sheridan Aspect Security
 * Towson University (TU) Partner – Dr. Goran Trajkovski Towson University
 * Students – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
 * Web Application - The Open WebMail Project

OWASP Utilization
The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:


 * OWASP Top Ten 2007 The security critical areas that the students will assess in the review
 * OWASP Testing Guide v2 The primary resource for building penetration testing cases
 * OWASP Guide The primary resource for technical details pertaining to a technology and/or vulnerability
 * OWASP WebScarabNG The primary proxy utility used throughout the assessment

The Final Report
Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

How does OWASP Benefit?
The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

The OWASP Community…
 * will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
 * will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
 * will be addressing the need to educate developers in the security critical areas.
 * will be seen as offering a professional level service to another open source project.
 * will be addressing one of the root causes of application software insecurity.

Background
Eric Sheridan
 * Earned a Bachelor’s of Science in Computer Science from Towson University
 * Graduate Student in Information Security at Johns Hopkins University
 * Application Security Engineer at Aspect Security
 * Lead of the OWASP Stinger Project and the OWASP Validation Project

Goran Trajkovski, PhD
 * Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
 * Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
 * Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
 * 12 years of full time teaching experience in higher ed.

Back to SpoC 007 Selection page