AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Wednesday, June 25 • 13:50 - 14:40
OWASP Hackademic: Towards an Educational Ecosystem for Application Security


Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the stereotypes established so far present potential intruders as ingenious and able to penetrate almost every system.

The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are not just another set of vulnerable applications but a complete teaching environment. In this manner, students can be organized in classes with a different set of challenges per class. A sophisticated grading system allows the assessment of students according to their effort and performance and not just the ability to solve the challenge, while several forms of cheating can also be detected.

The OWASP Hackademic Challenges are currently being used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology.

The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze their scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2013, which include a plugin API. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates.

We will introduce the new concept of training modules, a significant addition whose aim is to integrate entire teaching modules. A training module refers to a bundle of reading material and challenges with specific scoring rules. This allows the users/professors to manage complete logical entities and allows for better modularity of the courses. Also, in our experience a significant number of students, once they finish a security course, wish to write challenges and improve the course in general. This concept will allow them, and anyone wishing to contribute course material, to provide entire logical modules in a bundle. Also, this method allows for easier integration of other useful features which are being developed, such as gamification.

Our goal is to create an educational ecosystem around Hackademic that includes teachers, students and professionals who contribute and consume teaching material and realistic challenges in an open way.

Finally, we will introduce an OpenID integration module. This showcases a good security practice and allows users to log in with many popular OpenID providers, simplifying the registration process.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.

Speakers
Spyros Gasteratos

Spyros Gasteratos is a software engineer at Telesto Technologies Ltd. He has undertaken numerous projects in several fields of IT, such as Linux administration, web server hardening and web development. He is the project leader and the main developer of the OWASP Hackademic Challenges...

Konstantinos Papapanagiotou, Spyros Gasteratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.


Wednesday June 25, 2014 13:50 - 14:40 BST
LAB026