Using a CTF Activity to Teach Cloud and Web Security

Abstract

While cloud computing is an attractive option in terms of price, availability, and scalability, cloud consumers must also weigh the security concerns of a cloud environment. In particular, security breaches due to misconfiguration are common, and this prevalence starts with inadequate education and training. Consequently, we incorporated a capture the flag (CTF) activity into an existing course to illuminate the potential pitfalls and consequences of cloud misconfiguration and to encourage participants to protect against such issues in their own applications. In this paper, we report on the effectiveness of the CTF activity to achieve these goals. Our evaluation specifically focuses on participants' interests, self-perceptions, and application of essential security practices (e.g., defensive programming techniques) to defend against common types of attacks. Our results indicate that the CTF activity was perceived favorably by students, but participants performed comparably to their peers on independent assessments, including test questions related to web security and securing a web application developed as part of a course project. We examine these issues and suggest a path forward to address them, particularly by better aligning the CTF activity with the stated course outcomes in conjunction with collecting additional data in future semesters.