
I'm looking for a class project that (1) is scalable to large classes, and (2) teaches secure design. This is for an undergraduate course on computer security. Hopefully, it would be educational and fun for the students.

  • The first requirement is that grading of the class project needs to be scalable. The course has 300-400 undergraduate students. There are some resources for grading course projects, but not a lot, so any course project has to be something that can be graded at scale.

    The resources available for grading scale linearly with the number of students taking the course: roughly speaking, the budget for grading a course project is 10-15 minutes from a teaching assistant (per undergrad in the course), plus 20-30 minutes from a less-experienced grader (per undergrad in the course). The teaching assistants are pretty knowledgeable about security (typically a Ph.D. student who is actively doing research in computer security); the graders, much less so (typically an undergraduate who has previously taken the course on computer security, but has no other experience or knowledge).

    Of course, if the project is a group project with N students per group, then the resources available to grade each project are increased by a factor of N. However, for practical reasons, N probably can't be larger than 3 or 4.

    The scalability requirement rules out a lot of potential projects that would otherwise be very cool. For instance, if grading the project requires an experienced teaching assistant to read a thousand lines of code per undergrad taking the course, then that's simply not feasible. If it involves reading a 5-10-page design document and doing a threat analysis of the system architecture, that might be tough, too.

  • The second requirement is that the class project should teach secure design. It is easy to come up with course projects where the students try to attack some system (e.g., find vulnerabilities in a web application, exploit a buffer overrun, etc.); I've got a bunch of awesome projects of that sort. But I would also like students to get experience designing secure systems, e.g., where we start from some requirements and they have to think through the options, choose a system architecture or a design approach, and build it.

These two requirements are in tension. Good design is hard to evaluate; it takes time to analyze a proposed design and determine whether it's good or not-so-good. That makes it not-so-trivial to craft a course project that lets students practice secure design, and where it can be meaningfully graded at scale. I've looked at course projects from a number of other undergraduate courses on computer security and found many projects that are either scalable or that teach secure design, but I haven't found any that do both at the same time.

What would be a course project that meets these requirements?

(Background: I'm lucky to have an outstanding group of students. The students are sophisticated, smart, and not afraid to work hard. They're typically computer science majors in their 3rd or 4th year of college. They're all there because they want to be there; the course is an elective, not a required course. It's fine for the project to involve designing and/or implementing something non-trivial. If the project is relevant to industry or their future career, so much the better!)

D.W.
  • I'm not sure I know exactly what you're looking for but it seems these would fit the bill: (But not confident enough to post as an answer.) Designing a shopping cart website, designing an HR customer portal where employees can view paychecks, change dependents, set up direct deposit... Anything where you're dealing with sensitive data that makes an attractive target would do. Have them draft threat models, architecture designs showing weak points, etc. – David Stratton Sep 05 '13 at 21:28
  • @DavidStratton, those sound intriguing. Thank you for the suggestions! I can see how they might help teach secure design. Can you elaborate on how you would evaluate or grade the designs that students come up with, in a time-efficient way? In other words, how would you meet the requirement that grading has to scale? – D.W. Sep 05 '13 at 21:35
  • I think I could. I need to get offline for a bit but if nobody answers anything better, I'll give it a shot as a true answer. I've been teaching new hires secure design at work recently, which is probably similar. I'll type up a rough outline of what is taught and what I look for when evaluating them. – David Stratton Sep 05 '13 at 21:53

1 Answer


Like @David mentioned, an e-commerce website or anything that handles "sensitive" data will be a good start.

Let's talk about your second requirement. If you are talking about secure design for web applications, you obviously want to point them towards the OWASP Top Ten. While the list is nowhere near complete, it is a good start. Perhaps have your students read through it and come up with a design document explaining how they will mitigate each item in the list.

Your first requirement is a little tricky. Code review is a tedious process after all. If your students have prior programming experience and you are not grading them on the quality of the code itself, I suggest taking an entirely black box approach to the grading. Have the students try to attack each other's code. I stand by my answer that the best way to learn about secure coding is by having someone break it. Perhaps you can think about dividing the grading into three components. The first component will be the initial design document that details the student's analysis of the threat model as well as proposed countermeasures. The second component will be the report of the "penetration test" against the code of a peer. This can be either a black box attack or a code analysis. The third component will be a report detailing how the students fix the flaws found in the code.

This way, your students get to experience the entire secure development process, up to patching any bugs that occur.
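As an added illustration of the three-component scheme above (this is example code written for this page, not code from the question, the answer, or any course), here is what one design-document item and its matching peer "penetration test" could look like for the e-commerce project: an order-lookup handler with an OWASP broken-access-control bug (a client-chosen order id is trusted without an ownership check), the hardened version that authorizes against the server-side session identity, and the black-box probe a peer grader would run against either handler. The customers, order ids and amounts are constructed sample data; `get_order_vulnerable`, `get_order_hardened` and `probe_idor` are names chosen for this example.

```python
"""Order lookup for a toy shopping cart: a broken-access-control bug beside its fix,
plus the black-box probe a peer grader would run. Constructed example, not from the page."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # username of the customer who placed the order
    total_cents: int


# Constructed sample data: two customers, three orders.
ORDERS: dict[int, Order] = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12500),
    1003: Order(1003, "alice", 300),
}


class NotFound(Exception):
    """Raised for any order the caller is not allowed to see (missing or foreign)."""


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """Insecure direct object reference: the handler trusts the client-supplied
    order_id alone and never consults the logged-in user at all."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(session_user: str, order_id: int) -> Order:
    """Authorizes every lookup against the server-side session identity.

    Missing orders and other customers' orders get the same NotFound, so the
    endpoint does not reveal which order ids exist to an enumerating attacker."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise NotFound(order_id)
    return order


def probe_idor(handler, attacker: str = "bob", id_range=range(1000, 1010)) -> list[int]:
    """Black-box check a peer grader runs without reading the code: log in as
    'bob', walk a range of order ids, and report every order the handler returns
    that bob does not own. An empty list means the probe found no leak."""
    leaked: list[int] = []
    for oid in id_range:
        try:
            order = handler(attacker, oid)
        except NotFound:
            continue
        if order.owner != attacker:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe_idor(get_order_vulnerable))  # alice's orders
    print("hardened handler leaks:  ", probe_idor(get_order_hardened))    # nothing
```

The probe is the kind of artefact the second grading component can be built on: a grader does not need to read the peer's implementation, only run the probe and check whether the returned list is empty, and the third component (the fix report) is then verifiable by rerunning the same probe against the patched handler.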