Tom sits, tapping away at his keyboard; his monitor resembles something from the Matrix. All of a sudden, “[Access Granted]” flashes on the screen and Tom, unbeknownst to the bank and its users, now has access to every customer’s details. A security breach of overwhelming proportions is now on our hands, and it all happened from within Canterbury Christ Church University’s Invicta building.
This scenario may sound like something from a Hollywood movie, but it’s precisely what our students from the second and third years did under the watchful eyes of Nick Murison and Alexander Evans from Cigital. Of course, the bank was fictitious, but the attacks were very real and could pose serious problems to everyone concerned.
To facilitate the exercises, students used a wide range of exploitation techniques, including XSS (Cross-Site Scripting), SQL Injection and Software Exploitation. Not only were students introduced to such techniques and how they can be applied, but also to why these vulnerabilities exist to begin with and the ways in which they can be prevented by applying Application Security knowledge. In fact, a main focus of the presentation was common software-engineering mistakes and how best to avoid them using, for example, Cigital’s own Seven Pernicious Kingdoms. Additionally, students were introduced to the various legal and ethical issues in the field of Penetration Testing and the procedures that must be followed in order to safeguard the client as well as the tester.
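To make the “why these vulnerabilities exist and how they are prevented” point concrete, here is an added illustration (not material from the workshop or from Cigital) of the two web-application mistakes named above. It uses a constructed in-memory user table and constructed sample inputs; the function names, the `users` table and the example credentials are all assumptions made for this demonstration. The vulnerable variants build SQL and HTML by gluing untrusted text into the query or page, which is exactly the mistake that lets SQL Injection and XSS happen; the hardened variants use parameterised queries and output encoding.

```python
import html
import sqlite3

# Constructed demo data: a tiny in-memory "bank" user table. Passwords are kept in
# plain text only to keep the example short; a real system stores a salted hash.
def build_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Why SQL Injection exists: user input is concatenated straight into the SQL,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db: sqlite3.Connection, username: str, password: str):
    """How it is prevented: a parameterised query keeps data and code separate.
    The driver sends the values out of band, so quotes are just characters."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment: str) -> str:
    """Why XSS exists: untrusted text is written into the page as raw markup,
    so any tags it contains are interpreted by the browser."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_hardened(comment: str) -> str:
    """How it is prevented: encode the text for the HTML context it lands in.
    html.escape turns <, >, &, and quotes into entities that render as text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def run_demo() -> dict:
    """Exercise both pairs on constructed inputs and return the outcomes so the
    difference between the vulnerable and hardened code is visible in one place."""
    db = build_demo_db()
    # Constructed inputs: a legitimate login and the textbook tautology payload.
    tautology = "' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "valid_login_vulnerable": login_vulnerable(db, "alice", "correct-horse"),
        "valid_login_hardened": login_hardened(db, "alice", "correct-horse"),
        # Vulnerable version: WHERE clause becomes ... OR '1'='1', matching every row.
        "bad_password_vulnerable": login_vulnerable(db, "alice", tautology),
        # Hardened version: the same text is compared literally and matches nothing.
        "bad_password_hardened": login_hardened(db, "alice", tautology),
        "comment_vulnerable": render_comment_vulnerable(markup),
        "comment_hardened": render_comment_hardened(markup),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the vulnerable login accepting a wrong password while the hardened one rejects it, and the hardened comment renderer emitting `&lt;script&gt;` rather than a live tag. The fix in each case is structural rather than a blacklist of bad characters, which is the lesson the “common software-engineering mistakes” framing is driving at: keep untrusted data from ever being parsed as code.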
Overall, the students enjoyed a four-hour-long lesson, and we would be delighted to have Nick and Alex with us again at some point in the near future.