As part of its effort to educate Web application developers on how to sidestep common programming mistakes that leave the door open for attackers, Google has unveiled a “Web Application Exploits and Defenses” course within its Google Code University.
The course is built around Jarlsberg, “a small yet full-featured microblogging application with lots of security bugs”, says Google. Jarlsberg is vulnerable to cross-site scripting, cross-site request forgery, information disclosure, denial of service and remote code execution – which makes it ideal for this kind of course.
The course consists of a series of exercises, during which the students must think like a hacker and find instances of various described vulnerabilities. The students are challenged to use both black-box and white-box hacking.
“The source code to Jarlsberg is published under a Creative Commons license that allows you to incorporate excerpts from the code in your course materials and allows students to use the code in white box hacking exercises, to code review and to try and fix bugs,” says Google, which warns that the course is intended only for learning, so that programmers can apply the knowledge they acquire to making their own applications secure.