T. Andrew Yang | Email: yang@uhcl.edu | Web: http://cse.uhcl.edu/yang/ | Tel.: (281) 283-3835
Last updated: 11/11
- 11/11: presentation schedule updated
- 11/10: presentation schedule updated
- 11/3: presentation schedule updated
- 10/19: final exam date fixed
- 10/12: sample midterm exam added
- 10/12: removal of spurious content
- 9/16: remaining assignments posted
- 9/8: Assignment 1 due date extended
- 8/25: submission of research paper revised
- 8/24/2021: first posted
Fall 2021 (8/23 – 12/3 + final week)

Time & Classroom: Wednesdays, 4:00pm – 6:50pm (Delta 158B)

Prerequisite: Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval. Note: If you do not have either of the prerequisites, you MUST talk to the instructor. It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs. asymmetric encryption/decryption), cryptographic algorithms and security mechanisms (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web application development.

Course Description: Fundamental coverage of issues and techniques in developing secure web-based applications, and related topics such as network security, web server security, application-level security, and web database security.

Course Objectives: The primary objective of this course is to study and practice fundamental techniques in developing secure web-based applications, including the vulnerabilities of web-based applications and how to protect those applications from attacks. In addition, advanced Web-related topics, such as e-commerce security, cloud security, and collaborative Web-based applications, will also be studied. Students are encouraged to complete a publishable research paper on one of the related topics.

Learning Outcomes:
- Understand security-related issues in Web-based systems and applications.
- Understand the fundamental security components of a computer system.
- Be able to evaluate a Web-based system with respect to its security requirements.
- Understand the process of developing secure networked systems.
- Understand the fundamental mechanisms of securing a Web-based system.
- Be able to implement security mechanisms to secure a Web-based application.
- Understand security issues and common controls in electronic commerce systems.

Class Format: Lectures are combined with discussions and, if applicable, student presentations and discussions of advanced topics. Students are expected to be active participants, by studying the relevant chapters and/or research papers and taking part in in-class discussions.

Lifelong learning: "Education is not something you can finish." (Isaac Asimov)

A note about Bloom's Taxonomy and your learning … (source: https://tips.uark.edu/using-blooms-taxonomy/)

Instructor:
Dr. T. Andrew Yang
- Email address: yang@uhcl.edu
- Web site: http://cse.uhcl.edu/yang (or https://sceweb.uhcl.edu/yang)
- Office: Delta 174
- Phone: (281) 283-3835 (Please leave a message if not available.)
- Drop-in Office Hours: Tuesdays 12:00pm-1:00pm; Wednesdays 3:00pm-4:00pm; Thursdays 12:00pm-1:00pm. Join Zoom Meeting (Meeting ID: 965 7332 3294).
- To communicate with the professor, you are encouraged to email your questions or issues to yang@uhcl.edu and, if necessary, set up a time with the professor to have an online meeting. Emails are typically answered within 24 hours. If you have not received a response within 24 hours, either send a reminder email or leave a message at (281) 283-3835.
- Using emails effectively: Emailing has become an indispensable tool in most workplaces. Emails without a subject line or a signature line will be considered potentially malicious and discarded. Here is a sample subject line: "CSCI 1320 assignment #1, question 3". The signature line should have your full name and the name of the class. Although email messages tend to be informal, please check the grammar and spelling of your messages to ensure their legibility. Try to provide sufficient details in your email message, such as the problem(s) you have encountered, the solution(s) you have tried, and the outcome you obtained from those solution(s).

Teaching assistant info and office hours

Note: Contact the instructor (yang@uhcl.edu) immediately if you have any problem with the TA or the office hours. Office hours are conducted in the Delta PC Lab (2nd floor) and as Zoom meetings as well. Below are the Zoom meeting details:

Topic: Venkata Naga Bhaavagni Maddi's Personal Meeting Room
Join Zoom Meeting: https://us05web.zoom.us/j/6895538478?pwd=cU9aelgwZm1tYVEvNW1iQ1NiYjgrZz09
Meeting ID: 689 553 8478
Passcode: gELJ9W

Required Text:
+ Instructor's handouts in the class and/or on the Web

Recommended Text:
Z: Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press; 1st edition (November 15, 2011). ISBN-10: 1593273886, ISBN-13: 978-1593273880.

Supplemental Materials
- Architecture of Oracle Net Services
- Oracle's Listener Control Utility (lsnrctl)
- Transparent Network Substrate (TNS)
- SSL Configuration HOW-TO, the Apache Tomcat 5.5 Servlet/JSP Container: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Glossaries, RFCs, Related Websites, etc.
- RFC2828: Internet Security Glossary. R. Shirey. May 2000.
- http://www.netlingo.com: searchable online dictionary
- http://www.sharpened.net/glossary/index.php: Definitions of Computer and Internet Terms
- Searching the RFC database: https://www.rfc-editor.org/
- The Internet Engineering Task Force (IETF): http://www.ietf.org/
- RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee. June 1999. DRAFT STANDARD. (local copy of rfc2616)
- RFC2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT STANDARD. (local copy of rfc2617)
- RFC2965: HTTP State Management Mechanism. D. Kristol, L. Montulli. October 2000. PROPOSED STANDARD. (local copy of rfc2965)
- RFC2585: Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999. PROPOSED STANDARD. (local copy of rfc2585) "This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories. Additional mechanisms addressing PKI repository access are specified in separate documents."
- RFC2246: The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999. PROPOSED STANDARD. (local copy of rfc2246)
- RFC2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. PROPOSED STANDARD. (local copy of rfc2712)
- RFC2817: Upgrading to TLS within HTTP/1.1. R. Khare, S. Lawrence. May 2000. PROPOSED STANDARD (Updates RFC2616). (local copy of rfc2817)
- RFC2818: HTTP over TLS. E. Rescorla. May 2000. INFORMATIONAL. (local copy of rfc2818)
- RFC2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. May 2000. PROPOSED STANDARD (Updated by RFC3377). (local copy of rfc2830)
- RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). P. Chown. June 2002. PROPOSED STANDARD. (local copy)
- RFC2827/BCP0038: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. BEST CURRENT PRACTICE. (local copy)
- RFC3377: Lightweight Directory Access Protocol (v3): Technical Specification. J. Hodges, R. Morgan. September 2002. PROPOSED STANDARD. (local copy of rfc3377)
- Man in the middle attack as explained on Wikipedia
- Bejtlich, Richard. "Implementing Network Security Monitoring with Open Source Tools": Interesting discussions of network monitoring issues, including open source tools such as tcpdump, argus, snort, trafd/trafshow, sguil, etc.
- VeriSign Technical Brief. "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"
- Cryptography FAQ Index: http://www.faqs.org/faqs/cryptography-faq/
- Cryptography.org: http://www.cryptography.org/
- The OpenSSL Project (SDKs for free download): http://www.openssl.org/
- SEED Security Labs: https://seedsecuritylabs.org/
- SEED Web Security Labs: http://www.cis.syr.edu/~wedu/seed/labs12_04.html
- Computer & Internet Security - Slides, Problems and Labs: https://www.handsonsecurity.net/resources.html

Topics and Notes
Attendance Policy: You are expected to attend all classes (either in person or online). If you miss a class session, be sure to watch the recorded session to learn what was covered. It is your responsibility to get hold of whatever may have been discussed in the class.

Class Participation: Participating in the class is expected. You should ask or answer questions during the in-class or online discussions.

Grading Scale: The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Exemption from the final exam: Students who have performed exceptionally well before the final exam may be exempted from taking the final exam.

Tests & Exams: Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests. Except in the case of an unexpected, documented emergency, no make-up exams will be given. No make-up exams will be granted once the exams have been corrected and returned to the class.

A note about applying problem-solving to your learning: An important part of problem solving is a correct understanding of the given problem.
- Try to have a good grasp of the problem before starting the process of finding the solution(s).
- Use any resources, including the instructor, the TA, your classmates/friends, and online resources, to ensure that you have correctly understood the given problem.
- While trying to figure out the solution(s), continue to verify your understanding of the problem.
- Read the given instructions carefully before taking any action; while preparing your solutions, be sure to follow the given instructions.

Assignments: Assignments will be posted at the class web site as well as in Blackboard. The due date and time of each assignment is specified when it is published in Blackboard.
a. Identification page: All assignments must have your name and course name/number/section number (e.g., CSCI5234-01) at the top of the first page.
b. Proper stapling: Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.
c. Order! Order! Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.
d. Word processing: It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments. Spell-check the whole document before printing it. You may lose points due to spelling or grammatical errors.

Projects: The projects will involve the design and implementation of encryption/decryption algorithms and/or application of the algorithms to real-world problems. Students are expected to employ the theories and techniques learned in the class to design the system. Details of the projects are available at Assignments & Projects.

NOTE: When a grade is assigned, the grade can only be appealed within a week after the grade has been posted.

Academic Honesty Policy: NOTE: Unless otherwise specified, all assignments, projects, quizzes, tests and exams are individual work. Students should take caution not to violate the academic honesty policy specified by the university. Per the UHCL academic honesty policy, plagiarism is defined as follows.

Plagiarism:
a. Incorporating the work or idea of another person into one's own work without acknowledging the source of that work or idea.
b. Attempting to receive credit for work performed by another person, including papers obtained in whole or in part from individuals or other sources.
c. Copying copyrighted computer programs or data files belonging to someone else.

Instructor's Notes: