One of the obstacles to getting a trained IT security staff is arranging for training. One can only go so far with textbook and theoretical examples. A good security person needs to be able to think like one of the Bad Guys, and part of that comes with practice. Unfortunately, most organizations don’t have the resources to set up a security training “sandbox”, and experimentation with live systems tends to be frowned upon.
Google, as part of its “Code University”, has introduced a new training environment for Web application designers to learn about exploits and defenses. Called Jarlsberg, after the Swiss-style cheese from Norway, it is a small Web-based microblogging environment, set up as a code lab, that contains a number of common Web security vulnerabilities, in order to provide some hands-on experience:
> This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application.
The vulnerabilities in Jarlsberg fall into three broad categories, according to the type of attack that can be used to identify and exploit them.
- BLACK BOX vulnerabilities can be discovered and exploited while treating the application as a “black box”. You don’t know what’s inside the box, but you can vary initial conditions and inputs to infer how the application behaves.
- WHITE BOX vulnerabilities are those that can be discovered by having access to the source code of the application (as, for example, one would with an open source application).
- APPLICATION SPECIFIC vulnerabilities require some knowledge of the specific application to discover and exploit.
Some of the techniques covered in the code lab include Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), SQL Injection, and that old favorite, buffer overflows.
Google’s set-up provides a carefully isolated environment in which budding security folks can actually try hacking the “live” Jarlsberg service. Jarlsberg is written in the popular interpreted language, Python, but its features, and vulnerabilities, are not Python-specific.
Google is, of course, interested in promoting wider use of the Web, and better security is a means to that end. Even though it is in their own interest, I think they are to be commended for making this kind of teaching tool available.