According to the 2022 Verizon Data Breach Investigations Report, web application attacks account for over 60% of security incidents and over 40% of confirmed data breaches.
Conceived last September and officially launched this summer, the Web Application Security Assessment class, headed by lecturer Jennia Hizver, is addressing this major cybersecurity issue.
A joint venture between the I School’s Master of Information & Cybersecurity (MICS) program and Berkeley IT’s Information Security Office (ISO), the class offers a small batch of cybersecurity students the opportunity to perform hands-on penetration testing of live campus systems and applications.
Students are expected to onboard three to four apps per semester and present semester-end reports detailing vulnerabilities and recommendations to reduce the risk of sensitive data exposure in these systems. Application developers are then encouraged to make adjustments to solve these issues, and ISO helps to track remediation efforts.
The first cohort consisted of nine students who worked in small groups to test each app. Application administrators were directed to sign up for testing prior to the class start date, and applications classified as including P4 (restricted) and P3 (sensitive) data were prioritized. Throughout the semester, these students managed to discover a total of 36 vulnerabilities, which they categorized by risk severity. Some vulnerabilities they discovered include cross-site scripting, improper session management, and malicious file uploads. The students later received a recognition letter from ISO for their efforts, gaining not only cybersecurity skills but also a stamp of appreciation for their excellent work.
Reflecting on his experience, student Jacob Glad commented, “This course was my first real deep dive into web application security testing. The real hands-on experience […] really helped grow my understanding of web application security. I have since used the practices I learned in this course to train others in my professional circle, and I’ve used the principles taught to argue for increased testing coverage of systems that I work with. All said, this is one of the most immediately applicable and useful courses I have taken in the MICS program.”
It is also important to note that this program fulfills a campus-wide need for offensive security testing of UC Berkeley web applications. Systems holding P4 (restricted) data are required to undergo security testing in some form under the Minimum Security Standards for Electronic Information (MSSEI), and this class offers an efficient and timely way to perform that testing and ultimately protect the resources of the university. In fact, application developer Steven Hansen commented, “Working with MICS students was a great experience. They found a handful of things that we missed in code reviews and a few things that we just plain missed.”
Allison Henry, Berkeley’s Chief Information Security Officer, added, “The MICS partnership program has been a fantastic opportunity to improve the security of campus applications while supporting our core mission of educating students. The reports developed by the MICS students were clear, professional, and very informative — equal to if not better than reports I’ve seen from professional cybersecurity companies.”
Currently, the second cohort is full and in progress, working on the next batch of applications and helping keep the campus safe from data leaks.