Google has released a new online training course for Web application developers designed to teach them how to avoid common programming mistakes that lead to vulnerabilities such as cross-site scripting, cross-site request forgery and others.
The course, which is part of the company’s Google Code University, is based around the concept of a Twitter-like application called Jarlsberg, an actual app that Google is releasing as part of the course. Known as “Web Application Exploits and Defenses,” the course gives developers the opportunity to see the inner workings of a fundamentally insecure application, analyze the vulnerabilities and learn about the programming mistakes that led to those flaws.
“This codelab is built around Jarlsberg
/yärlz’·bərg/, a
small, cheesy web application that allows its users to publish
snippets of text and store assorted files. ‘Unfortunately,’ Jarlsberg
has multiple security bugs ranging from cross-site scripting and
cross-site request forgery, to information disclosure, denial of
service, and remote code execution. The goal of this codelab is to
guide you through discovering some of these bugs and learning ways to
fix them both in Jarlsberg and in general,” the course’s documentation says.
The secure development course is built around a series of chalenges that require students to go through and identify specific vulnerabilities in the Jarlsberg code. After the students learn the basics of a vulnerability such as CSRF, they’re then asked to find a way to use that flaw to perform a specific malicious action in the application, such as changing some detail of a logged-in user’s account without his knowledge.
Secure-coding classes for developers are nothing new, nor are the kind of ethical hacking classes that give students the chance to learn basic attack techniques. But the idea of giving developers the chance to go after vulnerabilities in a Web application specifically designed for that purpose is somewhat novel, and probably much-needed, given how little security instruction most Web application developers get.
The security course is open to anyone and available for free, and the Jarlsberg code can be downloaded for free, as well.