Treffer: Improving web security education with virtual labs and shared course modules

One challenge in web security education is its interdisciplinary and practical nature. Students need to have the basic knowledge and skills of a web developer to understand many of the web security topics, and some of them are normally covered in multiple advanced courses like Computer Networks and Network Security, or are absent from many existing undergraduate or graduate degree programs. This paper shares our experience of using VMware virtual machines in supporting hands-on web security education, and developing multiple virtual web security lab modules based on the virtual machines. The lab modules are part of our NSF SWEET (Secure WEb dEvelopment Teaching) project, and each of them contains (1) concepts in a nutshell; (2) lab objectives; (3) software setup; (4) detailed lab instructions; and (5) lab evaluations. Comprehensive lab modules have been developed to guide students to build virtual Ubuntu virtual machines with publicly available tools and install all necessary web servers, application servers and database servers on them so they can function as the foundation and platforms of the other course modules. The other covered course modules include cryptography, HTTP and HTTPS protocols, and introduction to Java web technologies.