T. Andrew Yang

Email: yang@uhcl.edu

Web page:  http://sce.uhcl.edu/yang/

Tel.: (281) 283-3835

Last updated:

 

April 30, 2009

CSCI 5234 Web Security


Spring 2009  (1/20 - 5/4 + final)

 

Lecture Notes & Schedule
- Print and bring the lecture notes to the class.

Assignments / Projects
Office Hours

Important!  To be accepted into the discussion group, make sure you use your full name as your yahoo id.


Time (Classroom):

Thur. 4-6:50pm  (Delta241)

Prerequisite:   Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval.
Note: If you do not have either of the prerequisites, you MUST talk to the instructor.  It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs asymmetric encryptions/decryptions), security protocols (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web applications development.

Course Objectives:    The primary objective of this course is to study and practice fundamental techniques in developing secure web based applications, including vulnerability of web based applications and how to protect those applications from attacks. In addition, advanced topics related to Web, such as E-commerce security, Web 2.0, collaborative Web-based applications, etc., will also be studied. Students are encouraged to complete a publishable research paper in one of the related topics.

Class Format:  Lectures are combined with discussions and, if applicable, presentations and discussions of advanced topics.  Students are expected to be active participants in this class, by studying the relevant chapters and/or research papers, and actively participating at in-class and online discussions. Programming projects employing the various security techniques and n-tier web based architecture are part of the course.  Students are expected to engage in a research project of topics related to Internet security, and make both written and oral presentations of the project.


Instructor:   Dr. T. A. Yang 

  • (office) Delta 106
  • Office hours (NOTE: If the suite office is locked, you may use the phone outside the office to call me, by entering the extension 3835).

You are highly encouraged to send your questions to me by e-mails or by posting the question at the discussion board . You, however, are responsible for describing the problem(s) you have encountered, the solution(s) you have tried, and the outcome you have got from these solution(s).

  • (phone#) (281) 283-3835 (Please leave a message if not available.)
  • (email address) yang@uhcl.edu (Note: Emails without a proper subject line and your full name will be discarded.   Here is a sample subject line: "CSCI 5234 project #1, question 1".
  • (web site)  http://sce.uhcl.edu/yang/

 

  Teaching assistant info and office hours
              


Textbooks:

Required

O: Oppliger, Rolf. Security Technologies for the World Wide Web, Second Edition. Artech House Publishers. 2003. (ISBN: 1580533485).

Recommended

profJavaSecurity

GS: Garms, Jess and Daniel Somerfield. Professional Java Security.
Wrox. 2001.  (ISBN: 1861004257)
Note: You may purchase an electronic copy of the Java Security book from its current owner, APress.com, by clicking here. Or alternatively, you may check out the Amazon.com used book sale to find a used copy.

+ Instructor's handout in the class and/or on the Web

Supplemental Materials:

  • SSH:
    • SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine ...
  • RFCs related to HTTP:
  • RFCs related to TLS:
  • Other Related RFCs:

Topics, Notes &  Schedule

wk (dates)

Topics (Chapter)

Due Dates

1 (1/22)

Syllabus, projects, presentations, etc.
Overview of N-tier web applications
Introduction of Internet, WWW, and Security (O: Ch 1)

List of sample projects: discussion/selection of projects

All have joined the discussion group (see above).

Project teams are formed.

2  (1/27)

Overview: security components and mechanisms

On-line shopping & payment systems
HTTP Security (O: Ch 2), IIS security

Team project title and team membership are due. Publish them in the discussion group.

3 (2/5)

Proxy Servers, Firewalls, NAT (O: Ch 3)
+ Firewalls (an older set of slides)
+ Pix firewall configuration
+ Design of Distributed Computer Security Lab, Journal of Computing Sciences in Colleges. 20(1). 10/2004.
+ Network Security Development Process (a working draft)


4 (2/12)

Internet Security Protocols (O: Ch 5, slides 75-100)
+ IP security (slides from the Stallings book)

Assignment 1

5 (2/19)

SSL & TLS Protocols (O: Ch 6, slides 101-114)

+ SSL (GS: Ch. 9)
+ a case study of SSL and Man-in-the-Middle attack (or local copy)
+ Man in the middle attack as explained on Wikipedia, the free encyclopedia
+ Internet Explorer SSL Vulnerability (08/05/02)

Preliminary design (ER model, UML class diagrams) of Programming project (Publish it in the class discussion board before the class.)

 

 

6 (2/26)

Certificates for the WWW (O: Ch 7, slides 115-135)
+ Ten Risks of PKI (by Ellison and Schneier, local copy)

Abstract of the research project (Publish it in the class discussion board.)

7 (3/5)

Midterm Exam

 

Midterm exam

8 (3/12)

Demonstration of project one
NOTE: Each team's Power Point slides must be published 24 hours before the presentation.

Prototype Demo (15~20 minutes per team)

Programming project

·        Detailed Design (Publish it in the discussion board.)

9 (3/19)

Spring break

 

10 (3/26)

Securing a Database (GS: Ch. 10)
+ supplemental Notes: TunnelServer.doc (for Oracle)
+ Tunnel Server Tutorial for MySQL

+ Oracle Roadmap: JDBC
+ Two sample applications using Oracle JDBC drivers:
a) secure thin JDBC; b) secure OCI JDBC (thick client)

 

·        last day to drop a class: 3/30

11 (4/2)

Electronic Payment Systems (O: Ch 9, slides 150-159)

+ VeriSign's Technical Brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services + questions & answers

+ electronic money (at Wikipedia.org)

Server-side security (O: Ch 11, slides 189-216)

Assignment 2

12 (4/9)

Client-side security (O: Ch 10, slides 160-188)
Securing Large Applications (GS: Ch. 11)

Privacy Protection & Anonymity Services (O: Ch 12, slides 216-233)

+ privacy anonymity.ppt
+ Sample Privacy.net analysis
+ Privacy Analysis of your Internet Connection - How it works

Programming project
Final Report (Publish the project reports in the discussion board.)

13 (4/16)

Slides:

Adam_Vaughan_GradeBook_Slides.pdf

HailSecondPresentation.ppt

Nilsson_Claus_Presentation.pptx

Demo of programming projects

14 (4/23)

Slides:

PNT_FINAL_PRESENTATION.pptx

TeamCA Project Slides CSCI5234.pptx

Demo of programming projects

Research Project DRAFT (Publish it in the class discussion board.)

15 (4/30)

Risk Management (O: Ch 15)

-         sample vulnerability analysis (developing a networked lab)

-         a refined network security development model

System Security

Research Project
Send it to yang@uhcl.edu

16 (5/7)

Final exam (open-book, comprehensive)

Final exam questions can be downloaded from this page. Follow the instructions given in the exam to submit your answers.

Final exam


Computer Labs & Hours

The NT Lab (Delta 119) is equipped with computers that have been properly configured to run Java applications requiring JCE and JDK.

 

Check http://sce.uhcl.edu/computing.asp for lab information, open hours, FAQs, etc.

Evaluation:

 

category

percentage

assignments

10%

projects

20%

midterm

20%

participation (in class and in the discussion board)

10%

research paper

15%

Final exam

25%

NOTE:  The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Grading Scale:

 

Percentile

Grade

93% or above

A

S90% - 92%

A-

87% - 89%

B+

84% - 86%

B

80% - 83%

B-

77% - 79%

C+

74% - 76%

C

70% - 73%

C-

60%-69%

D

59% or below

F

Tests:

Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests. 

Assignments/Projects and Late Penalty:

Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day.  See Topics and Notes for the due dates. 

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency.   Starting to work on the assignments as early as possible is always the best strategy.

NOTE: Unless otherwise specified, all assignments and projects are individual work.  Students should take caution not to violate the academic honesty policies.  See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.

Assignments/Projects Guidelines:

  • Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI234-01 or CSCI5333-03) at the top of the first page.
  • Proper stapling:  Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.
  • Order! Order!  Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.
  • Word processing:  It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.
  • Check the spelling and the grammar for the whole document before handing it in. You may loose points due to spelling or grammatical errors.
  • Use proper commenting and structure in your programs.

Projects:

The projects will involve the design and implementation of a secure N-tier web based application demonstrating the development of a secure Java online application using various technology.  Students are expected to employ the theories and techniques learned in the class to design and implement the system.  


Attendance Policy:

You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.

Instructor's Notes:

  • Unless due to unexpected, documented emergency, no make-up exams will be given.  No make-up exams will be granted once the exams have been corrected and returned to the class. 
  • Important:   If you think you have lost some points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test is returned to you.  
  • To get the most out of this class, you need to read the textbooks and spend time using computers regularly.  Be prepared for a class by preview the material to be covered in that class and participate in discussions and problem-solving exercises, if applicable, in the class.
  • Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students in studying the textbook/notes and working on the assignments, in addition to class attendance.   Expect to spend more hours during summer sessions.

Go to the  Index


  Main Page

  Biography

  Teaching

o   Office hours

   Research

o   Active projects

o   Research interest

o   Publications

o   Presentations

o   Grants

   Services

o   Student support

o   Committees

o   Curricular development

o   Centers

    Other Links