T. Andrew Yang
Last updated: Nov. 15, 2011

Time (Classroom):
Prerequisite: Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval. Note: If you lack either of the prerequisites, you MUST talk to the instructor. It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs. asymmetric encryption/decryption), cryptographic algorithms and mechanisms (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web application development.

Course Description: Fundamental coverage of issues and techniques in developing secure web-based applications, and related topics such as network security, web server security, application-level security, and web database security.

Course Objectives: The primary objective of this course is to study and practice fundamental techniques in developing secure web-based applications, including the vulnerabilities of web-based applications and how to protect those applications from attacks. In addition, advanced Web-related topics such as e-commerce security, Web 2.0, and collaborative Web-based applications will also be studied. Students are encouraged to complete a publishable research paper on one of the related topics.

Learning Outcomes:
1. Understand security-related issues in Web-based systems and applications.
2. Understand the fundamental security components of a computer system.
3. Be able to evaluate a Web-based system with respect to its security requirements.
4. Understand the process of developing secure networked systems.
5. Understand the fundamental mechanisms of securing a Web-based system.
6. Be able to implement security mechanisms to secure a Web-based application.
7. Understand security issues and common controls in electronic commerce systems.

Class Format: Lectures are combined with discussions and, if applicable, student presentations of advanced topics. Students are expected to be active participants in this class, by studying the relevant chapters and/or research papers and actively participating in in-class and online discussions. Programming projects employing the various security techniques and an n-tier web-based architecture are part of the course. Students are expected to engage in a research project on a topic related to Internet security, and to make both written and oral presentations of the project.

A few words about note-taking: It is critical that a student takes proper notes while listening to the lecture. Pay attention to the line of reasoning presented by the instructor. Try to form a conceptual map out of the concepts discussed in class. After a class, review the notes to facilitate effective learning. An active learner is more than just a passive listener; he or she always examines what is taught and tries to find any inconsistency in the conceptual map that is being formed out of the learning process.
TA - Neeraj Jadhav (jadhav.neeraj87@gmail.com)
Office Hours (tentative until the end of the first week):
Monday - 12 PM to 5 PM
Tuesday - 3 PM to 7 PM
Wednesday - 11 AM to 2 PM
Thursday - 3 PM to 5 PM
Textbooks:
Required
O: Oppliger, Rolf. Security Technologies for the World Wide Web, Second Edition. Artech House Publishers, 2003. (ISBN: 1580533485)
Recommended
GS: Garms, Jess and Daniel Somerfield. Professional Java Security.
Supplemental Materials
o Architecture of Oracle Net Services
o Oracle's Listener Control Utility (lsnrctl)
o Transparent Network Substrate (TNS)
o Complimentary Oracle Database Security Resource Kit
o To use JavaMail in a program, download the APIs from Sun's website: http://java.sun.com/products/javamail/
o Sample code fragment using JavaMail: sendMail.java
o SSL Configuration HOW-TO, the Apache Tomcat 5.5 Servlet/JSP Container: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Glossaries, RFCs, Related Websites, etc.
o RFC2828: Internet Security Glossary. R. Shirey. May 2000.
o http://www.rsa.com/glossary/: RSA's Information Security Glossary
o http://www.netlingo.com: searchable online dictionary
o http://www.sharpened.net/glossary/index.php: Definitions of Computer and Internet Terms
o Searching the RFC database: http://www.rfc-editor.org/cgi-bin/rfcsearch.pl
o The Internet Engineering Task Force (IETF): http://www.ietf.org/
o RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee. June 1999. DRAFT STANDARD. local copy of rfc2616
o RFC2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT STANDARD. local copy of rfc2617
o RFC2965: HTTP State Management Mechanism. D. Kristol, L. Montulli. October 2000. PROPOSED STANDARD. local copy of rfc2965
o RFC2585: Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999. PROPOSED STANDARD. local copy of rfc2585. "This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories. Additional mechanisms addressing PKI repository access are specified in separate documents."
o RFC2246: The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999. PROPOSED STANDARD. local copy of rfc2246
o RFC2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. PROPOSED STANDARD. local copy of rfc2712
o RFC2817: Upgrading to TLS within HTTP/1.1. R. Khare, S. Lawrence. May 2000. PROPOSED STANDARD (Updates RFC2616). local copy of rfc2817
o RFC2818: HTTP over TLS. E. Rescorla. May 2000. INFORMATIONAL. local copy of rfc2818
o RFC2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. May 2000. PROPOSED STANDARD (Updated by RFC3377). local copy of rfc2830
o RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). P. Chown. June 2002. PROPOSED STANDARD. local copy
o RFC2827/BCP0038: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. BEST CURRENT PRACTICE. local copy
o RFC3377: Lightweight Directory Access Protocol (v3): Technical Specification. J. Hodges, R. Morgan. September 2002. PROPOSED STANDARD. local copy of rfc3377
o Man-in-the-middle attack as explained on Wikipedia
o Bejtlich, Richard. "Implementing Network Security Monitoring with Open Source Tools": Interesting discussions of network monitoring issues, including open source tools such as tcpdump, argus, snort, trafd/trafshow, sguil, etc.
o VeriSign Technical Brief. "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"
o www.cybercrime.gov: Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the US Dept. of Justice
  ** Computer crime
o Value of Authentication: Authentication is critical to online security - free Thawte guide (user registration required), local copy
o The archived World Wide Web Security FAQ: http://www.w3.org/Security/faq/
o Cryptography FAQ Index: http://www.faqs.org/faqs/cryptography-faq/
o Cryptography.org: http://www.cryptography.org/
o The OpenSSL Project (SDKs for free download): http://www.openssl.org/
o Discussion about Windows Security: http://www.windowsitpro.com/categories/category/security
wk (dates) | Topics (Chapter) | Due Dates
1 (8/24) | Syllabus, projects, presentations, etc. List of sample projects: discussion/selection of projects | Form your project team for the programming projects.
2 (8/31) | Overview: security components and mechanisms | Team project title and team membership are due. Publish them in the discussion group by 9/1.
3 (9/7) | HTTP Security (O: Ch 2), IIS security |
4 (9/14) | Proxy Servers, Firewalls, NAT (O: Ch 3) |
5 (9/21) | Internet Security Protocols (O: Ch 5) | Programming project preliminary design (ER model, UML class diagrams). Publish it in the class discussion board before the class.
6 (9/28) | SSL & TLS Protocols (O: Ch 6) + SSL (GS: Ch. 9) | Abstract and literature survey of the research project. Publish it in the class discussion board and give a 5-minute presentation in class.
7 (10/5) | Midterm Exam | Midterm exam
8 (10/12) | Prototype demonstration + detailed design (5~10 minutes per team) | Programming project detailed design. Publish it in the discussion board.
9 (10/19) | Certificates for the WWW (O: Ch 7) |
10 (10/26) | Securing a Database (GS: Ch. 10) + Oracle Roadmap: JDBC |
11 (11/2) | Electronic Payment Systems (O: Ch 9) + VeriSign's Technical Brief "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services" + questions & answers + electronic money (at Wikipedia.org) |
12 (11/9) | Client-side and Server-side security (O: Ch 10, 11) + Layered Security: Protecting Your Data in Today's Threat Landscape, Tripwire white paper, 2011. (local copy) | Programming project final report. Publish it in the discussion board.
13 (11/16) | Project demonstration (10~15 minutes per team) | Demo of programming projects
14 (11/23) | Thanksgiving holiday. No meeting. Privacy Protection & Anonymity Services (O: Ch 12) + privacy anonymity.ppt | Research Project DRAFT. Publish it in the class discussion board.
15 (11/30) | Risk Management (O: Ch 15) - sample vulnerability analysis (developing a networked lab) | Research Project
16 (12/7) | Final exam (open-book, comprehensive) | Final exam
- Windows Lab account information at: http://sce.uhcl.edu/accountSearch.html
category | percentage
assignments | 10%
projects | 20%
midterm | 20%
participation (in class and in the discussion board) | 10%
research paper | 20%
Final exam | 20%
NOTE: The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.
Grading Scale:
Percentage | Grade
93% or above | A
90% - 92% | A-
87% - 89% | B+
84% - 86% | B
80% - 83% | B-
77% - 79% | C+
74% - 76% | C
70% - 73% | C-
60% - 69% | D
59% or below | F
Tests:
Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests.
Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day. See Topics and Notes for the due dates.
Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency. Starting to work on the assignments as early as possible is always the best strategy.
NOTE: Unless otherwise specified, all assignments and projects are individual work. Students should take caution not to violate the academic honesty policies. See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.
· Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI234-01 or CSCI5333-03) at the top of the first page.
· Proper stapling: Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.
· Order! Order! Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.
· Word processing: It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.
· Check the spelling and the grammar for the whole document before handing it in. You may lose points due to spelling or grammatical errors.
· Use proper commenting and structure in your programs.
Projects:
The projects will involve the design and implementation of a secure N-tier web-based application, demonstrating the development of a secure Java online application using various technologies. Students are expected to employ the theories and techniques learned in the class to design and implement the system.
Attendance Policy:
You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.
Instructor's Notes:
Related Links:
· UHCL General Program Requirements: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/
· Withdrawals, Appeals, GPA, Repeated Courses, and the 6 Drop Rule: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/%23A0110#A0110
  − 8/29/2011: Last day to drop a course or withdraw without receiving a grade
  − 11/17/2011: Last day to drop with W
· ASSESSMENT FOR ACCREDITATION: The School of Science and Computer Engineering may use assessment tools in this course and other courses for curriculum evaluation. Educational assessment is defined as the systematic collection, interpretation, and use of information about student characteristics, educational environments, learning outcomes, and client satisfaction to improve program effectiveness, student performance, and professional success. This assessment will be related to the learning objectives for each course, and individual student performance will be disaggregated relative to these objectives. This disaggregated analysis will not impact student grades, but will provide faculty with detailed information that will be used to improve courses, curriculum, and student performance.