November 16
16:00 — 17:00
Getting your hands dirty: A practical approach towards learning secure coding through interactive problem solving
Main Track
English
The current approach to teaching application security involves blindly attacking intentionally vulnerable applications (such as DVWA or WebGoat). This approach has the inherent drawback that it never shows users how to fix the vulnerabilities they are exploiting. As far as developers and students are concerned, their takeaways are therefore limited to identification and exploitation, not remediation.

In this talk we introduce a new hands-on method for teaching and learning security that covers both offence and defence, with equal weight on each, in one place. To support it we have built a framework that uses Docker containers as a sandbox: users are given vulnerable source code, which they must fix and submit. The submitted code is then executed automatically inside a container, and the result is judged by a series of unit tests.
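
To make the challenge-and-grader idea concrete, here is an added illustration (not code from the Kurukshetra project) of what one such exercise could look like: a deliberately vulnerable login function of the kind a participant would receive, the hardened version they would submit, and the grader's unit tests that distinguish the two. The function names, the SQLite-backed sample table and the test payloads are all assumptions constructed for this example.

```python
"""
Hypothetical secure-coding challenge in the style described in the abstract:
a vulnerable function, a participant's fixed submission, and the unit tests
a grader runs against whichever submission it is given.
This is an added illustration, not code from the Kurukshetra project.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a throwaway in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Challenge code as handed to the participant: the query is built by string
    # formatting, so a crafted username can comment out the password check.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # A correct submission: bound parameters, so user input never becomes
    # part of the SQL text and cannot change the query's structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def grade(login) -> dict:
    """Grader: run functional and security unit tests against a submission.

    A submission passes only if legitimate behaviour is preserved AND the
    injection payloads no longer authenticate. Returning the full dictionary
    lets the learner see exactly which property their fix got wrong.
    """
    conn = make_db()
    results = {}
    # Functional tests: the fix must not break normal logins.
    results["valid_login_accepted"] = login(conn, "alice", "correct horse") is True
    results["wrong_password_rejected"] = login(conn, "alice", "wrong") is False
    # Security tests: classic SQL injection payloads must be rejected.
    results["comment_injection_rejected"] = login(conn, "alice' --", "anything") is False
    results["tautology_rejected"] = login(conn, "x' OR '1'='1", "x' OR '1'='1") is False
    results["passed"] = all(results.values())
    return results


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, grade(fn))
```

In the sandboxed setup the abstract describes, a grader like `grade()` would run inside a throwaway container against the submitted file (for instance `docker run --rm --network none ...`, so that a malicious or broken submission can neither persist nor reach the network), and the per-test results would be reported back to the learner.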

Kurukshetra, the framework we are introducing, would help companies teach secure coding practices to their developers effectively, which in turn would reduce the number of vulnerabilities they ship in the long run.