What is SWEET?

SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.



What is Virtualization?

SWEET utilizes virtualization technology for laboratory exercises. The virtualization of a computer means to run emulator software, like VMware Player or Microsoft Virtual PC, on a computer (host computer or physical computer) to emulate another desired computer (virtual computer). A virtual computer is implemented by a folder of 2-8 GB files, and the emulator runs these files to emulate the virtual computer as a computer window or the complete computer desktop. To the users a virtual computer is just the same as the physical one. The virtual and host computers can have different operating systems, and share data and Internet access. The users can work on multiple virtual computers and the host computer at the same time. The users can install new applications on the virtual computer as on a physical one. A virtual computer can run most operating systems including all versions of Windows and Linux.



Objectives & Goals

The objectives of this project are to generate a new teaching tool in secure web development for undergraduate students in computing field, to create a portable teaching laboratory in both Pace and CUNY, to evaluate the effectiveness of the teaching tool in improving students' learning experiences, and to foster collaboration relationship among Pace, CUNY and industry partners. The goals of this project are to train a new generation of computing professionals who would understand and be able to solve security problems occurred in web development. We are expecting to attract more undergraduate students studying in computing by providing a new, interesting and innovative teaching tool in secure web development.

Project Members


This project is conducted collaboratively by Pace University (Pace) and City University of New York - City College of Technology (CUNY City Tech). Pace is developing the SWEET platform, creating a sample teaching module, and developing eight hands-on teaching modules. CUNY City Tech is developing six project modules. Both Pace and CUNY City Tech are building its own portable teaching laboratory to incorporate SWEET in two to three undergraduate courses for each of the three semesters in fall 2009, spring 2010 and fall 2010. While developing SWEET, we consult our industry partner, Open Web Application Security Project (OWASP), for integrating practical experiences from industry experts.


Our project team:
  • Li-Chiou Chen (lchen@pace.edu), faculty, Pace, PI
  • Lixin Tao (ltao@pace.edu), faculty, Pace
  • Chienting Lin (clin@pace.edu), faculty, Pace
  • Xiangdong Li (xli@citytech.cuny.edu), faculty, CUNY City Tech
  • Wojciech Hojdysz, graduate student, Pace
  • Yogita Ahire, graduate student, Pace

Tutorials


The two tutorials introduce students to web application development and Linux. Students with limited background in these two areas can learn the fundamental concepts in a nutshell.

  1. Linux Tutorials: (Linux Manual) This tutorial introduces students to basic concepts in Linux utilizing an Ubuntu Linux virtual machine. Laboratory exercises guide students to be familiar with basic commands and applications in Ubuntu Linux.

  2. HTML-XML Tutorials: (HTML-XML Manual) This tutorial provides the fundamental concepts of Web computing, XHTML and Cascading Style Sheets. It also explains how HTTP protocol supports Web browser and Web server interactions and different ways of maintaining session data. Laboratory exercises guide students to build simple web pages using HTML-XML and to observe HTTP transactions.

SWEET Modules


  1. Introduction to Web Technologies: The module covers HTML form and its various supported GUI components; URL structure and URL rewrite; HTTP basic requests; the four-tiered web architecture and web server architecture and configuration; session management with cookies, hidden fields, and server session objects; Java servlet/JSP web applications. Laboratory exercises guide students to setup a web server and observe HTTP traffic via a web proxy.
  2. Introduction to Cryptography: This module covers basic concepts of private key encryption, public key encryption, hash function, digital signature and digital certificates. Laboratory exercises guide students to perform private key and public encryption using GPG on an Ubuntu Linux virtual machine.
  3. Secure Web Transactions: The module covers Secure Socket Layer (SSL) protocols; certificate authority and X.509; certification validation and revocation; online certification status protocol; OpenSSL utilities. Laboratory exercises guide students to configure SSL on a web server and to create and sign server certificates.
  4. Web Application Threat Assessment: The lecture covers attacks exploiting vulnerabilities occurred during construction of web application, such as SQL injection, cross site scripting (XSS), and poor authentication. Laboratory exercises guides students to understand various vulnerabilities and countermeasures via a preconfigured vulnerable web server utilizing OWASP WebGoat.
  5. Web Server Security Testing: The lecture covers application penetration testing; web server load balancing; and distributed denial of service attacks. Laboratory exercises guide students to conduct penetration testing to an intentionally vulnerable web server on a local virtual machine, BadStore.com.
  6. Vulnerability Management:The lecture covers basic concepts on software vulnerability database and vulnerability discovery. The countermeasures to two web specific vulnerabilities, SQL injection and XSS, are discussed. Laboratory exercises guide students to investigate and to modify the Perl CGI script of a web server that has both the SQL injection and XSS vulnerabilities.
  7. Introduction to Web Services: The lecture covers service-oriented computing and architecture; web service for integrating heterogeneous information systems across the networks; service interface methods and method invocation data with XML dialects WSDL and SOAP. Laboratory exercises guide students to configure and secure a simple web service application.
  8. Java Security: This lecture introduces the concepts and tools for supporting Java security framework and key management. The laboratory exercises guide students to review Java security framework, secure file exchange using Java security API and keys, and protect their computers from insecure Java applications.

Project Modules


We have also created six project descriptions, which provide project ideas for semester long course projects. Topics of the project descriptions include:

  1. Automated Scanning
  2. Brute Force Attack
  3. Online Banking Security
  4. OWASP Projects Review
  5. Securing ASP.NET 2.0
  6. Web Application Auditing

Virtual Machines


The virtual machines needed fot the tutorials and teaching moduels can be downloaded from the links below. Depending on the computing platform users have, they need a different emulator to the virtual machines. On Windows, the virtual machines can be run using either VMware Player or VirtualBox. On MacOS, they can be run using VMware Fusion or VirtualBox. On Linux, they can be run using VirtualBox. Both VMware Player and VirtualBox are free and Vmware Fusion is only free for for 30 days evaluation.

  1. Ubuntu 10 for SWEET (self extraction version for VMware) (zip version for VMware) (zip version for VirtualBox): This virtual machine include all the software and configurations that are needed to run the exercises in the tutorials and the SWEET teaching modules. It includes Ubuntu Linux 10 with Apache, Tomcat, Java, WebGoat, Badstore, Paros, OpenSSL and other security tools.
  2. Ubuntu 10 basic (self-extraction version) (zip version): A clean slat Ubuntu Linux 10 virtual machine with no additional web applications and security tools. Students can learn to install web applications and tools from scratch.

Curriculum Development


  1. CIT251 : Overview of Computer Security: This class is required for BSIT majors and information assurance minors. This class incorporates teaching materials on Linux (tutorial 1), HTML introduction (tutorial 2), web introduction (SWEET module 1), crytography (SWEET module 2) and secure web transactions (SWEET module 3).
  2. CIT252 : Internet and Network Security: This class is elective for BSIT majors and required for information assurance minors. This class incorporates Linux (tutorial 1), web introduction (SWEET module 1), web server vulnerabilities (SWEET module 4) and web server penetration testing (SWEET module 5).
  3. IS632: Web and Internet Security: This class is required for MSIT and MSIS programs with a concentration on information assurance. All five SWEET modules are adopted in this class.

Faculty Development Workshops


  1. "Secure Web Development Teaching Modules," Li-Chiou Chen, Workshop, the 16th Americas Conference on Information Systems, Lima, Peru, August 12-15, 2010.
  2. "Hands-on Teaching Modules for Secure Web Application Development," Li-Chiou Chen & Lixin Tao, the 42nd ACM Technical Symposium on Computer Science Education March 9-12, 2011, Dallas, Texas, USA. (Abstract) (Exercises) (Slides)
  3. Seidenberg Institute for Computing Innovation, May 18-19, 2011, White Plains, New York. (Lab Book)
  4. "Hands-on Teaching Modules for Secure Web Application Development," Li-Chiou Chen and Lixin Tao, the 14th Colloquium for Information Systems Security Education, Fairborm, Ohio, June 13 - 15, 2011. (Lab Book)

    5. Publications & Presentations


    1. "On E-Commerce Security and Trust," Lixin Tao, Invited Talk, Research Seminar at School of Management, Shanghai University, China, Dec. 18, 2009.
    2. "Improving Web Security Education with Virtual Labs and Shared Course Modules," Lixin Tao and Li-Chiou Chen, the Michael L. Gargano 7th Annual Research Day, Seidenberg School of Computer Science and Information Systems, Pace University, May 7th, 2010.
    3. "How Secure is Your Web Activities - Using Virtualization Technology to Create Diversity in Teaching," Li-Chiou Chen and Lixin Tao, Faculty Institute Annual Conference, Pace University, May 17-18, 2010.
    4. "A Tool for Teaching Web Application Security," Li-Chiou Chen, Lixin Tao, XiangDong Li and Chienting Lin, the Proceedings of the 14th Colloquium for Information Systems Security Education, Baltimore, Maryland, June 7 - 9, 2010. (paper) (slides)
    5. "Virtual Open-Source Labs for Web Security Education," Lixin Tao, Li-Chiou Chen and Chienting Lin. World Congress on Engineering & Computer Science (International Conference on Education and Information Technology 2010), October 20-22, 2010, San Francisco, pp280-285 (awarded Certificate with Merit) (paper)
    6. "Improving Web Security Education with Virtual Labs and Shared Course Modules," Lixin Tao, Li-Chiou Chen and Chienting Lin, the Proceedings of the 40th Annual Frontiers in Education (FIE) Conference, Arlington, Virginia, October 27-30, 2010 (paper)
    7. 4. “SWEET: Secure Web Development Teaching Modules,” Li-Chiou Chen, Poster Session, CCLI-TUES Conference, January 26-28, 2011, Washington, DC (Poster)
 

Funding

NSF_logo NSF_logo

We acknowledge the support from the National Science Foundation for developing SWEET and the support from the Department of Defense for curriculum development. The material on this web site is based upon work supported in part by the National Science Foundation under Grant No. 0837549 and the Department of Defense under the Information Assurance Scholarship Program. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the Department of Defense, or the US government.