Security in Web Programming
Course Syllabus – Spring 2009
Course Information
Instructor: Mike Jochen
Phone: 570.422.3036
Email: mjochen@esu.edu
Office Hours: Tue/Thur 10 a.m. – 12 p.m.; Weds 12 – 1 p.m.; & by appointment
Office: 337 SCITECH Building
Course Number: CPSC328
Section: N882
Class Time/Place: Tue/Thur 12:30 – 1:45 p.m., 351 SCITECH
Semester Hours: 3
Resources:
Andrews, Mike & Whittaker, James. How to Break Web Software: Functional Security Testing of Web Applications and Web Services. Addison-Wesley. 2006. ISBN: 0-321-36944-0. (Required textbook)
O'Neill et al. Web Services Security. McGraw-Hill/Osborne. 2003. ISBN: 0-07-222471-1. (Required textbook)
Open Web Application Security Project. A Guide to Building Secure Web Applications and Web Services. http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Open Web Application Security Project. OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Open Web Application Security Project. OWASP Testing Guide. http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Class Web Page: http://www.esu.edu/~mjochen/Teaching/CPSC328/08s/
Course Overview:
This course covers Web safety and browser vulnerabilities, privacy concerns, issues with Java, JavaScript, ActiveX, and all things Web & security related. Various protocols and approaches to providing web services in as secure a manner as possible will be investigated, including: digital certificates, SSL (Secure Sockets Layer), TLS (Transport Layer Security), host security, server access methods, and secure CGI/API.
Course Objectives:
By the end of the course, you will:
1. Have a comprehensive understanding of the vulnerabilities associated with providing active/dynamic web content.
2. Understand how the above vulnerabilities affect the design, implementation, and maintenance of active/dynamic web content.
3. Know how to conduct an audit/review of an existing system to identify and correct for security vulnerabilities.
Requirements:
The following work will be required of you throughout the semester:
Tentative Class Schedule:
Keep in mind that these dates are approximations; the actual due dates will be announced in class & posted on the class web site.
Week | Topic | Activity
1/12 | Web Services | Read WSS: chpt 1; Read HTBWS: chpt 1, 10
1/19 | Security & Privacy | Read WSS: chpt 2; Read HTBWS: chpt 9
1/26 | Web Services Security | Read WSS: chpt 3; Read HTBWS: chpt 2
2/2 | User Input | HTBWS: chpt 5, 6; OWASPTT: A1
2/9 | Injection | HTBWS: chpt 5; OWASPTT: A2
2/16 | Server Attacks | HTBWS: chpt 7; OWASPTT: A3
2/23 | Insecure Storage | Mid-Term Exam
3/2 | Spring Break | Relax
3/9 | State Based Attacks | HTBWS: chpt 4; OWASPTT: A10
3/16 | Encryption & | HTBWS: chpt 8; OWASPTT: A8, A9
3/23 | SOAP | WSS: chpt 9; OWASPTT: A7
3/30 | UDDI | WSS: chpt 12; OWASPTT: A6
4/6 | .NET | WSS: chpt 10; OWASPTT: A5
4/13 | Liberty Alliance | WSS: chpt 11; OWASPTT: A4
4/20 | | Oral Presentations
4/27 | Final Exam Week | Final Exam
Key:
WSS: Web Services Security
HTBWS: How to Break Web Software
OWASPTT: OWASP Top Ten
Grading:
All exams, homework assignments, and laboratory assignments count towards your final grade. If you fail to take an exam or submit a homework assignment/lab exercise, you will receive a grade of zero for that work. If you want me to reconsider your grade on a particular assignment, you must make your request within seven days of my handing out the graded work. At the end of the semester, you will give a presentation on a subject related to the course.
Quizzes will be given throughout the semester. If you are absent the day a quiz is given, you will receive a grade of zero for that quiz. I will automatically drop your lowest quiz score (one score only) when calculating your final grade.
The make-up of the total number of points for your final grade breaks down as follows:
5% Class Participation
5% Homework
10% Quizzes
15% Oral Presentation/Research Project
15% Labs
20% Mid-Term Exam
30% Final Exam
Grading Policy:
Your grade is the application of some arbitrary scale to reflect the amount and quality of work that you, the student, accomplish during the semester. To that end, I do not assign your grade; you earn your grade. Rather than grading on a competitive, curve-based grading scheme, I use a criterion-based grade scale. Thus, if every student works sufficiently hard and earns a letter grade of "A", then all students will receive "A"s (that would be wonderful :) ). Keep in mind, I view letter grades in the following light:
A – Excellent
B – Good
C – Fair
D – Poor
E – Failure
This means that to receive an "A", you must perform excellent work. Excellent work is work marked with distinction, going above and beyond merely meeting the requirements for an assignment. Your final grade will be decided based on the following scale:
A 90.0-100%
B 80.0-89.9%
C 70.0-79.9%
D 60.0-69.9%
E 0-59.9%
Assignment Lateness Policy:
I strongly encourage you to keep up with the pace of the class and all associated work. Getting into the habit of turning in work after the due date will put you at a distinct disadvantage in learning the material. However, I do recognize that unforeseen events happen in life, and I will accept late assignments with the following provisions: for each day late (n being the number of days late), you lose 2^n points on your assignment. For example, if you turn in an assignment one day late, you will lose 2^1 = 2 points. The lateness penalty breaks down as follows:
Days Late | Point Deduction
1 | 2
2 | 4
3 | 8
4 | 16
5 | 32
6 | 64
Class Attendance/Participation Policy:
Class attendance is required. As such, attendance will be taken each class. If you have four or more unexcused absences, you will receive a final grade of E (failure) for the class, regardless of what your class average is. I expect you to participate constructively in each class. When you fail to come to class, not only do you miss out on the material for the day, but you disadvantage your fellow students, as your unique perspective is absent from class discussion and problem sessions.
If you are absent the day an exam or quiz is given, you will receive a grade of zero. If you know you must miss a class, please speak with me ahead of time so that we can try to make a mutually beneficial arrangement.
Academic Honesty Policy:
All work submitted is to be completed individually (unless indicated as a group assignment) and is to be the sole product of your own efforts. Group work is to be the sole product of the members of the group. Anything perceived to be to the contrary, or that violates the spirit of the Student Code of Conduct, will be handled accordingly. This policy is very specific about what constitutes Academic Misconduct and provides a range of very unpleasant possible outcomes should a violation be suspected. I encourage you to become familiar with this policy. Please refer to the relevant sections of the Student Code of Conduct for more information.
Special Needs:
If you need special accommodations or require additional assistance to fully participate and be successful in this class, I encourage you to contact me as soon as possible. I strongly desire each and every one of my students to be able to achieve their goals in this class. I will work with you and the Office of Disability Services to ensure that you have every opportunity to do well.