Ask the Expert

What Web security initiatives can be taken on a college campus?

I'm a final-year student of CSE, and I am planning on doing my final project on Web security. Can you suggest what to focus on?


Congratulations on your graduation. It's an exciting time to be an information security professional, since there's no lack of new attacks and systems/applications to protect. I also applaud your interest in Web applications. More than 75% of attacks are now targeting applications as opposed to networks or servers directly. Application security specialists have told me it would take them roughly 100 years to fully test all the applications they already have running. There will be great demand for professionals who understand how to attack and protect Web applications.

You've got a choice in what you attempt for your senior project by taking either an offensive stance or a defensive stance. Let me elaborate.

From an offensive standpoint, you can try to discover new attack vectors or prove that an existing attack vector works for a new application type. For example, try to find XSS (cross-site scripting) vulnerabilities on applications running on your campus. Or attempt a SQL injection attack on the registration system. Of course, work with the faculty and the IT team at your school to make sure you don't surprise the powers that be and end up in jail. But if you are going to test something, it may as well benefit the school.

Taking a defensive stance, you could work with the IT team to implement a source code analysis project on any of the applications currently running. Many of the vendors in the space will provide an educational license to use their commercial-grade tools in an academic environment. Again, this is pretty much a "free" way for your university to see how secure the applications are and what issues should be addressed in the near term. Given the number of data breaches that happen in the education market, I think these would be great projects to undertake.
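As an added illustration, not part of the expert's answer, here is the kind of finding a source code analysis project turns up. The two patterns below, SQL built by string concatenation and user input reflected unencoded into HTML, are what analysers flag as SQL injection and cross-site scripting; each is shown beside its hardened form (a bound parameter, and HTML encoding of the output). The table, rows and sample inputs are constructed for the example; the database is an in-memory SQLite file so it runs offline.

```python
import html
import sqlite3

# Constructed sample data: a tiny stand-in for a campus registration table.
STUDENTS = [
    ("alice", "CSE", "2007"),
    ("bob", "ECE", "2008"),
    ("carol", "CSE", "2007"),
]


def _fresh_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, dept TEXT, year TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(username: str) -> list:
    """Query built by string concatenation: the pattern a source code analyser
    flags as SQL injection, because the user-supplied value becomes part of
    the SQL text instead of a bound parameter."""
    conn = _fresh_db()
    sql = "SELECT username, dept FROM students WHERE username = '" + username + "'"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows


def lookup_hardened(username: str) -> list:
    """Same query with a bound parameter: the driver keeps the value separate
    from the SQL text, so quote characters in the input cannot change the query."""
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT username, dept FROM students WHERE username = ?", (username,)
    ).fetchall()
    conn.close()
    return rows


def render_vulnerable(username: str) -> str:
    """Reflects the value straight into HTML: the reflected XSS pattern."""
    return "<p>Welcome, " + username + "</p>"


def render_hardened(username: str) -> str:
    """Encodes the value for the HTML text context before it is emitted,
    so markup in the input is displayed as text rather than interpreted."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed inputs that a reviewer would use to confirm each finding.
    crafted_sql = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(crafted_sql))  # every row
    print("hardened lookup:  ", lookup_hardened(crafted_sql))    # no rows
    crafted_html = "<script>alert(1)</script>"
    print("vulnerable render:", render_vulnerable(crafted_html))
    print("hardened render:  ", render_hardened(crafted_html))
```

The point for a code analysis project is that both defects are visible in the source without running the application: the analyser traces untrusted input into a SQL string or an HTML response and reports the sink. The fix in each case is a change to how the value reaches the sink, not input filtering.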

If you aren't comfortable playing with live ammunition, another possibility could be setting up a test bed by deploying a Web application and securely configuring the devices, implementing Web application firewalls and the like to protect the application. Then try to hack in using tools like the open source Metasploit or commercial ones such as Core Security Technologies' Core Impact. You could even run a "capture the flag" competition to test whether classmates can break into the test bed.

For more information:

  • In this SearchSecurity.com Q&A, Michael Cobb explains which Web services provide the best remote help desk support.
  • Information security threats expert Ed Skoudis discusses which flaws allow users to bypass proxy servers.

This was first published in December 2007.
