The UC Cyber Risk Program just released its 2022 annual report (PDF), containing several stories about how UC locations are powering vigilance and innovation to meet new and rising threats head-on.

One such example is the Web Application Security Assessment Class in the UC Berkeley School of Information’s Master of Information and Cybersecurity Program, which offers students an opportunity to gain hands-on experience with penetration testing of real Berkeley campus applications. Offered for the first time in the summer of 2022, the class combines lectures and testing to find vulnerabilities in web application security.

How the course came about

The hands-on Web Application Security Assessment Class was the brainchild of three devoted UC Berkeley professionals: Josh Kwan of the Information Security Team; Lisa Ho, academic director of the Cybersecurity Program; and lecturer Jennia Hizver. Josh recognized the need for additional help testing UC Berkeley applications and reached out to Lisa to discuss how they could partner to do real testing in a class format. They then worked with Jennia to create the syllabus.

How it works

• First, a web application owner presents the functionality and features of their program to the class
• Then, students spend a few weeks testing the app to look for potential security risks
• Finally, students meet with the app owner to present any vulnerabilities in a detailed written report

Participant feedback

Students were enthusiastic about their participation, through which they gain valuable skills. UC Berkeley student Jacob Glad shared, “This course was my first deep dive into web application security testing and the hands-on experience furthered my understanding. I’ve since used my experiences to train others in my professional circles and to advocate for more testing of the systems I work with. This is one of the most immediately applicable and useful courses I have taken in the MICS program.”

Application owners and developers also have a lot to gain. Many do not have a security background, so it’s difficult for them to independently identify risks. An equivalent evaluation from external consultants would be cost-prohibitive, so students’ identification of potential vulnerabilities helps to reduce the risk of sensitive data exposure and potential losses.

Steven Hansen, an application developer at UC Berkeley, shared, “Working with the MICS students was a great experience. They found a handful of things that we missed in code reviews and a few things that we missed all together.”

Learn more

To find out more about the class, read the Web Application Security Assessment class overview. For questions about the class, please contact Lisa Ho.

To read more stories about systemwide cybersecurity initiatives, program accomplishments and goals for the future, please check out the 2022 annual report (PDF).

If you are a member of the UC IT community and have a story you’d like to share about a program or initiative you’re working on that pertains to cybersecurity across UC, contact c3@ucop.edu.

About

View all post by