Archives

Papers

To meet the growing demand for skilled professionals who can develop secure software, it is important to provide software security education to computer science students in colleges and universities. This paper describes a set of hands-on laboratory exercises we developed to teach software security. These laboratory exercises cover the following topics: code review with tools, web application vulnerability assessment, web spidering, exploiting hidden value, fuzz testing, and threat modeling. Our teaching experiences and related work are also discussed.

This High School Cybersecurity eLearning Pilot was conceived to address a significant national issue: the Science, Technology, Engineering and Mathematics (STEM) shortfall that does not appear to have an available solution. The Pilot demonstrated that U.S. educators currently have the resources to implement a national cybersecurity training program, whether as part of a school’s program, or conducted after school. From this experience, we have demonstrated that this shortfall can be immediately addressed through a formal curriculum, supported by a 24x7 online trainer technology, and procedures and tools to empower the local educators.

This research identifies the critical need for a standardized framework to establish and maintain compliance of security and privacy in healthcare organizations. In response to this need, this research proposes the design and development of a novel standardized framework for establishing and maintaining security and privacy compliance in information systems for health care organizations and clinical practices.

IT Security Auditing helps students understand security from a management and policy perspective rather than from a technological perspective. In this paper, we brainstorm the common body of knowledge on IT Security Auditing after elaborating its importance in IA. We also share our course design and implementation from our teaching this course for the last five years to our undergraduate and graduate students in the Cybersecurity degree programs. We want to emphasize that an IT Security Auditing course should be different from computer forensic courses. Lastly, we will discuss our continuing project on a self-learning and self-auditing tool that is being used by our students.

The same vulnerabilities continue to appear in code, over and over again, yet many educational institutions continue to teach programming as they always have. Some high-tech companies have found it necessary to establish ongoing security training for their developers to make up for the absence of college-level, secure coding curriculum. Recently, the thread model, which integrates security concepts into existing computing curricula, has been recognized as effective to transform education in secure software, while not impacting resource-limited institutions with a complete curriculum change.

We all know that it is necessary for educators to provide their security students hands-on experiences. Without these experiences students are not going to be prepared for the world of work, where employers expect the graduates to hit the ground running. To address this issue many different approaches have been used, such as traditional labs, virtual labs, and simulated web labs. Similar to other institutions, we have used all these approaches with high levels of success. However, because our students are expected to have real-world experience, our college has moved most, if not all, of the final semester hands-on labs to real-world, live Internet labs. This paper describes our decision processes for converting our labs to this real-world approach and our experiences in that environment.

While the necessity of ensuring that secure coding practices are universally taught and adopted is becoming increasingly apparent, there is still debate over whether we are making significant progress in this area. This paper recalls the accomplishments of the first Secure Coding Workshop in 2008 and discusses some of the outcomes, challenges, and findings from that workshop. It then discusses the 2011 Summit on Secure Education, which explored some of the issues raised at the Secure Coding Workshop. It also discusses some of the follow-on activities that the workshop helped to inspire or promote, and some remaining objectives that are still presenting challenges in the ongoing pursuit of secure coding.

Moodle eLearning System is well known as a free web application e-learning platform used in many schools as a way to allow on-line student interaction. Institutions use Moodle for its flexibility, adaptability and ease of use. Moodle has an installation base of tens of thousands of institutions with millions of student users. Our institution uses Moodle for admission of timed on-line quizzes taken outside the classroom as well as a vehicle for students to submit homework assignments. This paper outlines well-known vulnerabilities for Moodle v. 1.9 and attempts to exploit these vulnerabilities as well as identify new vulnerabilities in Moodle v. 2.1.

Cyber security competitions are becoming more common and more complex, and faculty interested in hosting a small scale event may be intimidated into thinking that they necessarily require significant investments of time and resources. In this paper, we describe how a single faculty member has been able to run a number of small scale competitions in a variety of formats, ranging from class and club level up to competitions with five different participating schools.

Teaching secure programming should not be separate from teaching programming. By teaching high school students to code responsibly we foster a security mindset and establish a foundation of secure programming skills. High school computing teachers need ready-to-use resources that allow them to incorporate security principles in their programming classes. Additionally, it would be helpful to provide a seamless laboratory environment in which to run them. This paper discusses the Security Injections @ Towson project running in the RAVE environment, which has proven success in the two- and four-year environment and could easily be adapted for the high school classroom.

 
 