Application Security - New York University

Class, New York University, Computer Science and Engineering, 2023

I was an Adjunct Professor for the Cyberfellows Application Security course for the following semesters: Spring 2023, Fall 2023, Spring 2024.

In the Spring 2023 and Fall 2023 semesters, I was co-teaching with Kevin Gallagher. In my last semester in Spring 2024, I was co-teaching with Robert Cimarelli.

As this is part of the Cyberfellows program, the course is entirely online and is specifically tailored for students who work full-time. Therefore, the course was asynchronous, but I still expected the four projects to be completed over the course of the semester to avoid anyone attempting to cram all assignments at the end of the semester.

Course Content

The course used a similar syllabus to this.

The four homework assignments are found here:

  1. Homework 1: Beware of Geeks Bearing Gift Cards. This homework involves finding and remediating bugs such as segmentation faults in a C program. Also, this assignment covers using a fuzzer to help find bugs and code coverage testing.

  2. Homework 2: When a Wreck Reaches the World Wide Web. This homework involves finding and remediating XSS, CSRF, OS Injection, and SQL Injection on a buggy Django web application. Students then add encryption to the SQLite database.

  3. Homework 3: Deployment Gone Wrong. This homework involves the security issues around Kubernetes. The first part is about utilizing Kubernetes Secrets instead of hard-coded secrets. The second part covers how to enable monitoring of your web application with Prometheus.

  4. Homework 4: Mobile Mess. This homework involves working with an Android application that has some security issues and, more importantly, removing code that could be invasive to a user’s privacy.

Teaching Philosophy

  1. I believe education should follow the idea that everyone should have their own digital Aristotle. On my end, I felt that I could leverage the fact that this course is asynchronous and allow students to submit their assignments to an autograder to get real-time feedback. The intention was that the autograder can detect common errors and provide hints at each step of the way to completing an assignment. A write-up was still expected to confirm students knew what they were doing rather than attempting to brute force the autograder.

  2. Most of the assignments were created by Kevin Gallagher in Fall 2020. Therefore, by the time I took over, the material needed some important updates. My updates are covered in the next section for each homework.

  3. I wanted the course to match as closely as possible to the on-campus experience. With the help of Professor Brendan Dolan-Gavitt, his recorded lectures in the Spring 2024 semester were added to the NYU Application Security Cyberfellows course.

Accomplishments and Innovations

  1. Two pull requests here and here, where I figured out how to combine Django with Gradescope. This was important as it was unknown whether Homework 2 could be onboarded into Gradescope. Also, this means that a CTF could leverage Gradescope.
  2. Every homework assignment now has an autograder.
  3. The homework assignments were upgraded as follows with their justification:
    • Homework 1: Beware of Geeks Bearing Gift Cards
      • We added more fuzzing hints as students struggled with this part of the assignment.
      • New Python code was added to help students generate the inputs to the C program to crash it.
      • The autograder uses exit codes to confirm a segmentation fault. This guidance would be returned in Gradescope if the application correctly crashed or gracefully exited.
    • Homework 2: When a Wreck Reaches the World Wide Web
      • Standardized the assignment so that students find 4 specific vulnerabilities. This made building the autograder easier and helped students concentrate on specific vulnerabilities.
    • Homework 3: Deployment Gone Wrong
      • Added a new part that requires students to learn how to publish images to DockerHub. This is crucial because DockerHub is the most widely used platform for sharing and distributing Docker images, making it an essential skill for real-world DevOps and software deployment workflows. Additionally, this provides an opportunity to demonstrate another practical use of GitHub Actions, showcasing its integration capabilities for automating CI/CD pipelines.
      • Kubernetes Secrets pose security risks because credentials are stored in plain text within the cluster, making them vulnerable to unauthorized access. To address this, students are now required to use Sealed Secrets, which encrypt Kubernetes Secrets and ensure they can only be decrypted by the target cluster. This teaches students a more secure and practical approach to managing sensitive data in real-world Kubernetes environments.
    • Homework 4: Mobile Mess
      • Since Android uses Gradle, the homework has been updated to require students to enable testing with Gradle and automate the process using GitHub Actions. This change reinforces the importance of maintaining good CI/CD and testing practices, demonstrating that these principles can be effectively applied to mobile application development.
      • Updated the Android application Gradle version and SDK to avoid technical debt. Additionally, I added more documentation on how to set up Android Studio to assist students in getting started with the project.
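
As an added illustration of the exit-code check described for the Homework 1 autograder (this is not the course's own autograder code), the following Python decodes a child process's termination status so that a SIGSEGV crash can be told apart from a graceful exit, including the 128+N encoding a shell wrapper reports. The student's C binary is replaced by a constructed, hypothetical Python stand-in that raises SIGSEGV on itself for a chosen input.

```python
import signal
import subprocess
import sys

SEGV = int(signal.SIGSEGV)  # 11 on Linux and macOS


def classify_status(returncode, via_shell=False):
    """Decode a POSIX exit status into 'segfault', 'signal:NAME' or 'exit:N'.

    subprocess.run() reports death by signal as a negative number (-11 for
    SIGSEGV). A shell wrapper instead reports 128 + signal number (139 for
    SIGSEGV); pass via_shell=True then, since exit(139) is otherwise ambiguous.
    """
    if returncode < 0:
        signum = -returncode
    elif via_shell and returncode > 128:
        signum = returncode - 128
    else:
        return "exit:%d" % returncode
    if signum == SEGV:
        return "segfault"
    try:
        return "signal:" + signal.Signals(signum).name
    except ValueError:
        return "signal:%d" % signum


def run_and_classify(argv, stdin_bytes=b""):
    """Run argv directly (no shell) with the given stdin and classify how it ended."""
    proc = subprocess.run(argv, input=stdin_bytes, capture_output=True, timeout=10)
    return classify_status(proc.returncode)


def grade(argv, crashing_input, benign_input):
    """Autograder-style verdicts: the crafted input must segfault (bug
    reproduced) and the benign input must exit 0 (program still works)."""
    return {
        "crash_input_segfaults": run_and_classify(argv, crashing_input) == "segfault",
        "benign_input_exits_cleanly": run_and_classify(argv, benign_input) == "exit:0",
    }


# Constructed stand-in for a student's C binary (hypothetical): it raises
# SIGSEGV on itself when stdin begins with b"CRASH" and exits 0 otherwise.
FAKE_TARGET = [
    sys.executable, "-c",
    "import os, signal, sys; data = sys.stdin.buffer.read(); "
    "os.kill(os.getpid(), signal.SIGSEGV) if data.startswith(b'CRASH') else sys.exit(0)",
]

if __name__ == "__main__":
    print(grade(FAKE_TARGET, b"CRASH\n", b"hello\n"))
```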

Future Contributions and Impact

  1. The autograders have been documented and transitioned for use in the Fall 2024 semester course taught by Professor Allon Hillel-Tuch and Professor Jonathan Mann.
  2. I have created public-facing documentation for the course and documented information such as how to set up EdStem, GitHub Classroom, etc.

Acknowledgements

I’d like to thank my course assistants, for they have been instrumental in helping me with refreshing the course material and creating/debugging the autograders:

  1. Hemant Pandey (Spring 2023)
  2. Sarthak Bohra (Spring 2023)
  3. Gaurav Chauhan (Spring 2023)
  4. Mauro de los Santos Nodar (Fall 2023)
  5. Ethan Bootehsaz (Fall 2023 - Spring 2024)
  6. Rohan Ahuja (Fall 2023 - Spring 2024)
  7. Robert Todora (Spring 2024)

Accolades

Lalitha Chavali

Adin Drabkin