So... What would you want to learn in a short course on web security? What do you wish other people knew about web security?
Here's my brainstorming list, to be updated as new things occur to me:
- Overview of the OWASP top 10 / WASC threat classification
- XSS (incl. filter evasion techniques and a variety of ways to use XSS for defacement through to more subtle modifications, password/data theft, etc.)
- SQL Injection
- Best coding practices
- Web Application Firewalls
- Web Vulnerability Scanners
- Mashup solutions (e.g. MashupOS, OMash)
- Policies (e.g. SOMA, BEEP, CSP)
- Penetration testing techniques
Notes: The tentative plan is to separate things into a hands-on lab tutorial (probably using webgoat) and a set of lectures, mostly running simultaneously. We're going to have some top-notch students here, since we're drawing from a pool of smart security researchers to start, so we can cover a lot of ground and go much further in depth than we might teaching developers with no security background.