[Owasp-hackademic-challenges] GSoC project idea: Defensive challenges (secure coding)

Anirudh Anand anirudhanand722 at gmail.com
Mon Feb 2 16:06:39 UTC 2015


Hello everyone,

My name is Anirudh Anand and I am currently in the 3rd year of my Bachelor's
degree in computer science. I was going through the OWASP Hackademic
project recently because I always love to create and crack problems (and
hence I love CTFs). When I went through the current issues, I came across
this: https://github.com/Hackademic/hackademic/issues/69


I have personally gone through so many applications like DVWA, OWASP
WebGoat, Google Gruyere, pentest lab exercises, etc. to enhance my skills
in appsec, but one thing I have noticed (and am sad about) is that almost
all of them focus on teaching how to attack a vulnerable application and
how to exploit it. None of them teaches the students *why such issues
exist*, which *part of the code results in this attack* and how to *securely
code* applications so as to overcome such issues. Answers to these
questions are what I am trying to provide with the project.

For example:

How about giving users basic SQLi-vulnerable code and telling them to fix
it? Then we can test it by trying to inject, and if the database dumps
unusual results, that means the fix is not correct (I haven't personally tried
implementing this but I think it's possible. Please correct me if I am
wrong.).

If implementing the above idea is difficult, how about a small variation like
this: http://www.gameofhacks.com ? The basic idea is to give them
vulnerable code and tell them to identify which kind of issue exists within
a particular piece of code. Once he/she gives the correct answer, we can
provide a much more detailed explanation of why it happens and how it can
be tackled by secure coding (imho implementing this in order of difficulty
will really help students learn the concepts). Similarly we can implement
defensive challenges for a wide variety of issues (covering the entire OWASP Top 10).

The objective I have in mind is that secure coding must be taught to
students along with techniques on how to attack applications. We have too many
applications out there that we can actually try attacking and
exploiting. We also have CTF competitions where we again attack
applications and exploit them but do not fix them. I haven't seen any
good application giving importance to secure coding and teaching students
how to code securely so that issues like XSS or SQLi can be prevented
(which I think is a really important task).

I am thinking of further ideas on how I can improve this so that it could
be more beneficial for the students who use Hackademic for learning the
concepts of appsec. It would be great to get feedback on this idea.

Thanks,
-- 

Anirudh Anand
bi0s at AMRITA
www.securethelock.com

*"Those who say it cannot be done, should not interrupt the people doing
it"*
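As an added example (not part of the original message and not Hackademic's own code), here is one way the "give them SQLi-vulnerable code, let them fix it, then test the fix by injecting" idea above could be graded automatically. The table, the credentials, the injection payloads and the function names are all constructed for illustration; it uses Python's built-in sqlite3 so it runs offline. Three candidate "fixes" are graded: the original vulnerable login, a keyword blocklist that a student might submit, and a parameterised query.

```python
"""Automated grader for a "fix the SQLi" challenge (added example, assumptions labelled).

A candidate submits a login(conn, username, password) function.  The grader first checks
that the application still works (so a stubbed-out function cannot pass), then fires a few
constructed injection payloads and fails the submission if any payload returns rows or
reaches the SQL parser as syntax (an error on attacker input means the input was parsed
as SQL, which is the defect we are grading).
"""
import sqlite3

# Constructed sample data for the challenge database (not real credentials).
USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Constructed injection payloads as (username, password) pairs.
PAYLOADS = [
    ("' OR '1'='1", "' OR '1'='1"),   # classic tautology in both fields
    ("alice' --", "wrong"),           # comment out the password check
    ("alice' or 1=1 --", "wrong"),    # lowercase keyword, defeats naive blocklists
    ("'", "x"),                       # lone quote: a syntax error proves input hit the parser
]


def make_db():
    """Fresh in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The challenge's starting point: the query is built by string formatting."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_blocklist(conn, username, password):
    """A wrong 'fix' a student might submit: reject the keyword OR, keep the formatting."""
    if " or " in f" {username} {password} ".lower():
        return []
    return login_vulnerable(conn, username, password)


def login_fixed(conn, username, password):
    """The correct fix: a parameterised query; input never reaches the parser as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def grade(login):
    """Return (passed, findings) for a submitted login function."""
    findings = []
    conn = make_db()
    # 1. The fix must not break the application; a function that always returns []
    #    would otherwise "pass" the injection test below.
    if login(conn, "alice", "alice-secret") != ["alice"]:
        findings.append("valid credentials no longer log in")
    if login(conn, "alice", "wrong") != []:
        findings.append("wrong password is accepted")
    # 2. No payload may return rows, and none may be parsed as SQL syntax.
    for user, pw in PAYLOADS:
        try:
            rows = login(conn, user, pw)
        except sqlite3.Error as exc:
            findings.append(f"payload {user!r}/{pw!r} broke the query: {exc}")
            continue
        if rows:
            findings.append(f"payload {user!r}/{pw!r} returned {rows}")
    return (not findings, findings)


if __name__ == "__main__":
    for name, fn in [("vulnerable", login_vulnerable),
                     ("blocklist", login_blocklist),
                     ("fixed", login_fixed)]:
        passed, findings = grade(fn)
        print(name, "PASS" if passed else "FAIL")
        for finding in findings:
            print("   -", finding)
```

The blocklist submission is the instructive case: it stops the two payloads containing " or " but is bypassed by `alice' --`, and a lone quote still produces a database error, so the grader rejects it even though the obvious tautology no longer works. Only the parameterised version passes all checks while keeping legitimate logins working.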

