Collaborative Paradigm of Teaching Penetration Testing using Real-World University Applications

This paper shares our three years of experience in conducting collaborative-based cybersecurity teaching involving industrial-expertise sharing and an authentic-learning environment. Penetration testing (pen-testing) is widely adopted in the cybersecurity industry. It requires a wide range of skillsets, including non-technical aspects, which are not easy to be acquired in a standard lecture-style setting. While the fundamentals of the skillsets could be taught separately in different modules, an integrated pen-testing module using real-world target applications will provide students with a bird’s-eye view of security assessment in an authentic learning setting. There exist, however, challenges in providing a sustainable structured pen-testing module. These include the evolving industrial best practices and availability of authentic target environments. In this paper, we share our experience as well as best practices in designing and teaching a pen-testing module in our Bachelor of Computing degree program. The module unconventionally adopts a fruitful win-win collaborative paradigm. The students, guided along by professional pen-testers from the industry and academic instructors, pen-test our University’s operational applications selected by the University IT Department. With the completed six semesters to date, our students have tested various applications, including our University’s learning management system, student registration system, and student-hall dining system, which all manage sensitive data. We have received very positive feedback from the parties involved. This paper describes our module’s rationale, involved parties and roles, class arrangements and activities, as well as grading considerations. The paper also discusses encountered issues and our adopted solutions related to University application selection, student contribution assessment, and activity arrangements during the COVID-19 outbreak. Some notes are additionally given for others who are keen to offer similar modules using the same teaching pedagogy. Our experience thus demonstrates that, while provisioning industrial collaboration and authentic learning in education needs to address several technical and administrative issues, a collaborative based teaching paradigm can work well in a sustainable manner.