
I want to be careful throwing shade because I apparently know some people involved in this, and they are smarter than me, but this is pretty basic. Take a whack at the 2019 final exam for a flavor of where they're at.

The CORS content is solid. But the vulnerabilities themselves are dated. As a threshold concern, a 2020 web security class needs to be teaching about SSRF, the most important current web bug class. OAuth flows would be another thing I'd hope to see covered.

There's always going to be new stuff that can't be covered; I understand how these curricula work†, and don't expect HTTP Request Smuggling or DNS fingerprinting on the final. But system("cat ${input}")?

† The network security course taught at major CS research universities was written at one place like 10 years ago and shared and handed down from semester to semester; I assume something similar happens here.

PS

3 hours is a bananas amount of time to get for this exam. We're speedrunning it on Slack and the median is closer to 15 minutes (albeit without writing careful answers). If this were a commuter school with students who don't come in knowing how to code, sure; but this is Stanford CS!




Sadly, this is the case at many major CS research universities. I'm working on my Master's in Cybersecurity at one of these universities and most of the papers we read are something the professor co-authored in '08 or '09. Network security, and most security classes in general, are being taught 15-year-old material.

> † The network security course taught at major CS research universities was written at one place like 10 years ago and shared and handed down from semester to semester; I assume something similar happens here.

This couldn't ring more true, in my experience. What's worse is that each year the material is lightly modified so that you're also dealing with 10 years of revisions creating an incoherent mess.


I’m speculating here but perhaps one factor that adds to this situation is that people who are good at the stuff taught in this course, and have skills that are up to date, will earn lots more working for a FAANG than in academia.


What do you make of this one? — https://portswigger.net/web-security/all-materials



