This is an abridged syllabus. You can access the complete syllabus in your Canvas course.

695.622.81 - Web Security

Cybersecurity

Fall 2024

Description

Information technology security is a broad field. This course focuses on the foundational technologies that build the Web-based Internet (Web) as we know it today. The goal of this course is to guide the learner to adopt a professional security mindset by applying the techniques of threat modeling, risk assessment, and apply the foundational security principles from the two "triad" models: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). The self-motivated learner will investigate vulnerabilities, threats, and mitigations with the objective of protecting the data, applications, frameworks, and the supporting complex technology stacks. Security at this level cannot be achieved by technology alone, the course will provide an opportunity to exercise a smart combination of methodologies and techniques that can build confidence and rapport to champion web security within their IT community. Applicable cryptology, digital certificates, and Public Key Infrastructure will be reviewed. Each module will involve hands-on labs that implement local virtual machines, containers, cloud computing environments, and an operative blockchain enabling the learner to probe more deeply into the cybersecurity challenge of each technology solution. The assignments will involve programming and system configuration thus a novice-level exposure of Python, PHP, JavaScript, Linux Commands, basic Internet architecture and common protocols is recommended. Prerequisite(s): EN.605.202 Data Structures

Expanded Course Description

Prerequisites

To enhance your learning experience in this course, it is helpful to refresh your knowledge of basic IT and Networking topics. Before the course begins, the instructor will make available a list of references to help you get up to speed:

Basic Linux Command Line Familiarity: Many assignments will use basic Linux commands.
Basic Networking Familiarity: Topics will often start with basic networking concepts, similar to those covered in Principles of Data Communications Networks (605.671).
Basic Programming Familiarity: Some assignments will involve modifying provided code in Python, PHP, JavaScript, or HTML.
Cloud Computing Basics: The course project and some modules will use cloud platforms like AWS, GCP, or Azure.
Version Control: Knowing how to use Git and GitHub for pulling code will be beneficial.
Troubleshooting and Collaboration: Comfort with troubleshooting technical issues and collaborating with peers will be valuable.
Internet Research: Efficiently conducting research in technical forums and blogs will help resolve technical issues.
AI Tools: Using AI assistants like ChatGPT and Perplexity will be encouraged and further developed as tools in the web security process.

Familiarity with these topics will contribute to a more engaging and rewarding learning experience throughout the course.

Instructor

David Concepcion

Course Structure

We will establish a weekly rhythm with each module focusing on mostly independent topics, helping us stay on track.

Each module is designed to facilitate your learning through various methods, including overviews, lectures, readings, discussions, assignments, and knowledge checks.

Be sure to regularly check the Calendar and Announcements for due dates.

Course Topics

Web Security Foundations

PKI, SSL/TLS, Certificates

Client-side Security

Server-side Security

App Container Security

App Dev Security Tools

Cloud Security

Big Data in Security

Mobile App Security

Smart Contract Security

Tor & Privacy

IoT Security

Security Testing Tools

Course Goals

This master's degree course in web security is designed to explore the fundamental technologies that underpin the modern Web. The primary focus of the course is to safeguard web-based data, applications, frameworks, and supporting devices. While technology plays a crucial role, it is important to recognize that achieving security at this level requires a comprehensive approach involving procedures, techniques, and people.

By the end of the course, students will have a solid understanding of structured analytical techniques derived from the CI4A security attributes and threat modeling methodology. This model combines the key concepts from two widely recognized industry security attribute triads: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). These techniques will enable students to effectively analyze and explain web security activities.

On a practical level, students will gain hands-on experience in deploying various foundational web technology stacks. They will develop the competence to apply security principles in these real-world scenarios and confidently defend their decision-making process. The course will equip students with the necessary skills to address web security challenges and protect critical assets in a web-based environment.

Overall, this master's degree course in web security aims to provide a comprehensive understanding of web security technologies, principles, and practices. Graduates will be well-prepared to navigate the complexities of securing web-based systems and contribute to the advancement of secure web development and protection of sensitive data.

(The above paragraph was re-written by chatGPT.)

Course Learning Outcomes (CLOs)

At the successful conclusion of the course, the student will be able to describe basic cryptography and public key infrastructure that supports Web security.
The student will survey foundational security principles while applying them to various Web technologies such as Client-side, server-side, containers, security tools, cloud, big data, IOT, Mobile, blockchain, and AI/ML.
The student will apply structured analytical techniques such as the CI4A ("CIA" and "AAA" Triads) models to the disparate challenges when it comes to protecting the Web's data, devices, applications, and frameworks.
The student will use threat modeling principles to explain threats, vulnerabilities, and possible mitigations across various Web technologies.
The student will summarize policy, regulation, and privacy issues as pertains to Web security.

Textbooks

There is no required textbook, but many current articles, videos, and reference resources will be used throughout the course. The instructor will provide links or the actual supplementary material, as necessary.

Required Software

Software Requirements

Oracle VirtualBox Link here or VMware Workstation/Fusion/Player Link here.

Lubuntu 22.04 or equivalent virtual machine provided by instructor. An email will be sent before the start of the course to help walk you through the steps.

Technical Requirements

To work in an isolated sandbox, student will run VirtualBox (or VMware) on their systems to accomplish their assignments. A properly configured system will help you fully participate in this course, if your system does not meet or exceed these minimums, you will likely experience frustration finding it difficult to complete the assignments.

System Hardware minimums: 64-bit Intel i5/i7 2.0+ GHz processor, 16 GB RAM, 100+ GB disk space free to work in, Enabled "Intel-VT" in BIOS.

Apple Mac computers that use the Mx chip may have challenges that need to be worked through. Try: Fusion - Run Windows on Mac | VM for Mac | VMware

Student Coursework Requirements

It is expected that each module will take approximately 7–10 hours per week to complete. Here is an approximate breakdown: reading the assigned sections of the texts (approximately 1–3 hours per week) as well as some outside reading/research, listening to the audio annotated slide presentations (approximately 1–2 hours per week), and tutorial & writing assignments (approximately 3–4 hours per week), knowledge checks (approximately 1-2 hours per week).

This course will consist of the following basic student requirements:

Discussions (20% of Final Grade Calculation)

You are responsible for carefully reading all assigned material and being prepared for discussion.

Most readings are from the recommended material. Additional reading may be assigned to supplement text readings.

Post your initial response to the discussion questions by the evening of day 4 for that module week. Posting a response to the discussion question is part one of your grade for module discussions (i.e., Timeliness).

Part two of your grade for module discussion is your interaction (i.e., responding to classmate postings with thoughtful responses) with at least two classmates (i.e., Critical Thinking). Just posting your response to a discussion question is not sufficient; we want you to interact with your classmates. Be detailed in your postings and in your responses to your classmates' postings. Feel free to agree or disagree with your classmates. Please ensure that your postings are civil and constructive.

We will monitor module discussions and will respond to some of the discussions as discussions are posted. In some instances, we will summarize the overall discussions and post the summary for the module.

Evaluation of preparation and participation is based on contribution to discussions.

Preparation and participation is evaluated by the following grading elements:

Timeliness (50%)
Critical Thinking (50%)

Preparation and participation is graded as follows:

100–90 = A—Timeliness [regularly participates; all required postings; early in discussion; throughout the discussion]; Critical Thinking [rich in content; full of thoughts, insight, and analysis].

89–80 = B—Timeliness [frequently participates; all required postings; some not in time for others to read and respond]; Critical Thinking [substantial information; thought, insight, and analysis has taken place].

79–70 = C—Timeliness [infrequently participates; all required postings; most at the last minute without allowing for response time]; Critical Thinking [generally competent; information is thin and commonplace].

Assignments (40% of Final Grade Calculation)

Each module has an assignment that will have the student building a technology stack within a virtual machine sandbox enviroment, then evaluatating the security implications using threat modeling. Each assignment witlInclude a cover sheet with your name and assignment identifier. Also include your name and a page number indicator (i.e., page x of y) on each page of your submissions. Each problem should have the problem statement, assumptions, computations, and conclusions/discussion delineated. All Figures and Tables should be captioned and labeled appropriately. External material must be cited either in-line with the text, or footnoted.

All assignments are due according to the dates in the Calendar.

Late submissions will be reduced by one letter grade for each week late (no exceptions without prior coordination with the instructors).

Course Project (20% of Final Grade Calculation)

A course project is composed of 3 parts due at certain date/times during the course. The course project will be evaluated against the grading rubric provided in the assignment PDF and CANVAS. The project may also be discussed at office hours during the course.

Knowledge Checks (10% of Final Grade Calculation)

Knowledge checks will be given with each module to ensure understanding and application of the material. They will include T/F, short answer, multiple choice, and multiple select questions. They will be graded primarily on correctness. Knowledge checks are open notes, open lecture, and open Internet, do not collaborate with anyone else.

NOTE: The knowledge checks may be completed in multiple sittings but must submitted before the end of the module week.

Exams (10% of Total Grade Calculation)

The final exam will be available at the last Module. You may start the exam anytime during that week, but it must be completed before the due date/time. Exam will include T/F, short answer, multiple choice, and multiple select questions. Students can reference all material available; Exam is open notes, open lecture, and open Internet, but do not collaborate with anyone else.

NOTE: The exams must be completed in one sitting and within a set time.

Grading Policy

Assignments are due according to the dates posted in your Canvas course site. You may check these due dates in the Course Calendar or the Assignments in the corresponding modules.

We generally do not directly grade spelling and grammar. However, egregious violations of the rules of the English language will be noted without comment. Consistently poor performance in either spelling or grammar is taken as an indication of poor written communication ability that may detract from your grade.

A grade of A indicates achievement of consistent excellence and distinction throughout the course—that is, conspicuous excellence in all aspects of assignments and discussion in every week.

A grade of B indicates work that meets all course requirements on a level appropriate for graduate academic work. These criteria apply to both undergraduates and graduate students taking the course.

EP uses a +/- grading system (see “Grading System”, Graduate Programs catalog, p. 10). You should contact your Program Chair for guidance on the breakdown used by your program.

Score Range	Letter Grade
100-98	= A+
97-94	= A
93-90	= A−
89-87	= B+
86-83	= B
82-80	= B−
79-77	= C+
76-73	= C
72-70	= C−
69-67	= D+
66-63	= D
<63	= F

Final grades will be determined by the following weighting:

Item	% of Grade
Discussions	20%
Assignments	40%
Course Project	20%
Knowledge Checks	10%

Final Exam	10%

Course Evaluation

Students will be sent course evaluations at midcourse and at the end of the course. Also, the instructor will send out calls for reflections, to collect the sentiment as the course progresses.

Course Policies

Course Culture

This course is likely to have a very different feel than others you have taken! The course philosophy embraces an informal and light-hearted learning environment. However, it is important to note that this does not indicate an easy or lenient approach. All EP program policies and deadlines remain in full effect. In this course, you are welcome to address me by my first name, fostering a sense of approachability and open communication.

Challenge Expectations

The content and assignments in this course are derived from real-world applications of technology, encompassing a wide range from conceptual ideas to detailed requirements. As the course heavily relies on the Internet for content delivery, it is necessary for students to be prepared to manage their expectations and address any issues that may arise.

The Internet is a dynamic and ever-changing environment, presenting challenges along the way. Links may break, standards and protocols may evolve, and emerging technologies can disrupt the intended flow of course objectives. It is crucial to be adaptable and resilient in navigating through these challenges.

By recognizing the variability and dynamics of the Internet, students can approach the course with a proactive mindset, ready to overcome obstacles and embrace the evolving nature of technology.

Collaboration is key

In this master's degree course, collaboration and ingenuity, which are the building blocks of the Internet, are crucial. Therefore, to navigate the course successfully, students will need to strike a balance between being self-starters and possessing strong social skills. It is essential to come prepared and be aware of the challenges that lie ahead.

Guidance

I want to ensure that you have an enriching learning experience while gaining a solid understanding of Web Security in your master's degree course. Please keep the following guidelines in mind:

Start each Module early: It is important to begin each module as early as possible. While I will make every effort to respond promptly, waiting until the weekend may hinder my ability to address all inquiries as quickly as I would like.
Embrace curiosity and experimentation: Throughout the course, you are likely to have questions about various concepts. I encourage you to have an authentic learning experience by reaching out to your classmates on Teams if you encounter challenges. It's highly probable that someone else is facing similar issues. Before seeking assistance, I encourage you to explore external resources such as YouTube, StackOverflow, textbooks, etc. Office Hours are designed to help you apply what you've learned from the Lecture Notes and weekly Readings to your assignments. While I am always available to assist you, I aim to guide you towards finding the correct answers rather than simply providing solutions. If I request to see your attempted solutions or refer you to a reference, it is not because I'm unwilling to help, but to ensure you grasp essential concepts.
Utilize TEAMS channels for help: If you require assistance with assignments, please keep track of the time you spend on them. The assignments are designed not to be unnecessarily difficult but to help you learn the technology and associated security principles. If you find yourself spending more than four hours on an assignment, please pause and post your issue in the Help channel. If no other student comes forward to assist or share a similar problem, and a day passes without a response, then feel free to reach out to me. Please refrain from direct messaging other students, as it hampers the opportunity for shared help and experiences within the class. Use the HELP channel to seek assistance or share your successes.
Be interactive: You are part of a fantastic program with diverse students who possess various areas of expertise and professional experiences. I encourage you to engage with everyone in the class, including me. Build professional connections, share your knowledge, showcase your expertise, and enjoy the journey! Please note that I have a personal policy of not accepting social media requests for connection or friendship until after the semester is over.

By following these guidelines, you will not only enhance your learning experience but also foster a collaborative and engaging environment within the course.

LATE POLICY

Acknowledging that unexpected circumstances can arise, I strive to accommodate students while maintaining fairness for the entire class. To strike a balance, the following Late Policy has been adopted for this master's degree class:

Plan and communicate: In the event that you require an extension due to a specific situation, it is important to reach out to me as soon as reasonably possible. While I understand that life can be unpredictable, many aspects of this course can be anticipated and planned for in advance. Please consider any upcoming vacations, medical leave, work travel, or similar commitments that may occur during the semester and notify me in advance if feasible.
Collaborate: Take advantage of the resources available to you, such as the assigned readings, lecture videos, office hours, and Teams collaboration, to independently solve assignments or work collaboratively with your peers. It is important to begin reviewing the material for each week early in the modules. However, please note that collaboration is encouraged when working on the assignments, the course project, and discussions. However, the knowledge checks and exams should be completed individually.
Limits: While I aim to be as flexible as possible, the granting of extensions ultimately rests at my discretion. Consequently, unless a valid reason is provided, I prefer not to grant extensions within 48 hours of the assignment due date. Additionally, I may find it challenging to offer more than two extensions per student over the course of the semester.
Penalty: It is important to be aware of the "late submission" policy, which allows for partial credit but incurs a penalty of 10% deducted per week of delay. Similarly, the "re-submission" policy permits you to submit an assignment for re-grading, although the late penalty may still apply.

By adhering to this Late Policy, we can navigate unexpected situations while maintaining fairness and ensuring the smooth progression of the course.

(The above policies wording was re-written by chatGPT.)

Academic Policies

Deadlines for Adding, Dropping and Withdrawing from Courses

Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.

Academic Misconduct Policy

All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students.

This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.

Students with Disabilities - Accommodations and Accessibility

Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.

For further information or to start the process of requesting accommodations, please contact Student Disability Services at Engineering for Professionals, ep-disability-svcs@jhu.edu.

Student Conduct Code

The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically.

For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/

Classroom Climate

JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.

If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).

Course Auditing

When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.