695.622.81 - Web Security
Description
Information technology security is a broad field. This course focuses on the foundational technologies that build the Web-based Internet (Web) as we know it today. The goal of this course is to guide the learner to adopt a professional security mindset by applying the techniques of threat modeling, risk assessment, and apply the foundational security principles from the two "triad" models: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). The self-motivated learner will investigate vulnerabilities, threats, and mitigations with the objective of protecting the data, applications, frameworks, and the supporting complex technology stacks. Security at this level cannot be achieved by technology alone, the course will provide an opportunity to exercise a smart combination of methodologies and techniques that can build confidence and rapport to champion web security within their IT community. Applicable cryptology, digital certificates, and Public Key Infrastructure will be reviewed. Each module will involve hands-on labs that implement local virtual machines, containers, cloud computing environments, and an operative blockchain enabling the learner to probe more deeply into the cybersecurity challenge of each technology solution. The assignments will involve programming and system configuration thus a novice-level exposure of Python, PHP, JavaScript, Linux Commands, basic Internet architecture and common protocols is recommended. Prerequisite(s): EN.605.202 Data Structures
Expanded Course Description
Prerequisites
To enhance your learning experience in this course, it is helpful to refresh your knowledge of basic IT and Networking topics. Before the course begins, the instructor will make available a list of references to help you get up to speed:
- Basic Linux Command Line Familiarity: Many assignments will use basic Linux commands.
- Basic Networking Familiarity: Topics will often start with basic networking concepts, similar to those covered in Principles of Data Communications Networks (605.671).
- Basic Programming Familiarity: Some assignments will involve modifying provided code in Python, PHP, JavaScript, or HTML.
- Cloud Computing Basics: The course project and some modules will use cloud platforms like AWS, GCP, or Azure.
- Version Control: Knowing how to use Git and GitHub for pulling code will be beneficial.
- Troubleshooting and Collaboration: Comfort with troubleshooting technical issues and collaborating with peers will be valuable.
- Internet Research: Efficiently conducting research in technical forums and blogs will help resolve technical issues.
- AI Tools: Using AI assistants like ChatGPT, Perplexity, and Gemini, are encouraged with conditions (see section below), and emerging tools as developed to support the web security process.
Familiarity with these topics will contribute to a more engaging and rewarding learning experience throughout the course.
Instructor
David Concepcion
Course Structure
Course Structure and Expectations
Each week, the course will focus on a distinct module covering independent topics related to Web Security. Modules are designed to enhance your learning through various components: overviews, lectures, readings, discussions, assignments, and knowledge checks. You are expected to engage with all aspects of each module.
Navigating the Course:
- Weekly Rhythm: Begin each module early in the week to allow sufficient time for all activities.
- Check Regularly: Keep an eye on the Calendar and Announcements for any updates and due dates.
- Embrace Curiosity: Approach challenges with a mindset of exploration and inquiry. Reach out to classmates via TEAMS, consult external resources like YouTube or StackOverflow, and use Office Hours for guidance on applying concepts.
- Utilize TEAMS: Use the HELP channel for assignment-related questions, and remember to track your time. If you spend over four hours on an assignment without progress, pause and seek help.
- Interactive Engagement: Engage with peers and the instructor, build professional connections, and share knowledge. Collaboration and interaction are essential to your success in this course.
Challenges and Collaboration:
The course content reflects real-world applications of technology, requiring you to navigate the dynamic nature of the Internet. Be prepared to adapt to challenges such as broken links or evolving technologies. Collaboration with your classmates and ingenuity are crucial; balance independent initiative with strong social skills to overcome obstacles and succeed.
Course Topics
Web Security Foundations |
PKI, SSL/TLS, Certificates |
Client-side Security |
Server-side Security |
App Container Security |
App Dev Security Tools |
Cloud Security |
Big Data in Security |
Mobile App Security |
Smart Contract Security |
Tor & Privacy |
IoT Security |
Security Testing Tools |
Course Goals
This is a master's degree-level course in web security is designed to explore the fundamental technologies that underpin the modern Web. The primary focus of the course is to safeguard web-based data, applications, frameworks, and supporting devices. While technology plays a crucial role, it is important to recognize that achieving security at this level requires a comprehensive approach involving procedures, techniques, and people.
By the end of the course, students will have a solid understanding of structured analytical techniques derived from the CI4A security attributes and threat modeling methodology. This model combines the key concepts from two widely recognized industry security attribute triads: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). These techniques will enable students to effectively analyze and explain web security activities.
On a practical level, students will gain hands-on experience in deploying various foundational web technology stacks. They will develop the competence to apply security principles in these real-world scenarios and confidently defend their decision-making process. The course will equip students with the necessary skills to address web security challenges and protect critical assets in a web-based environment.
Overall, this master's degree course in web security aims to provide a comprehensive understanding of web security technologies, principles, and practices. Graduates will be well-prepared to navigate the complexities of securing web-based systems and contribute to the advancement of secure web development and protection of sensitive data.
Course Learning Outcomes (CLOs)
- At the successful conclusion of the course, the student will be able to describe basic cryptography and public key infrastructure that supports Web security.
- The student will survey foundational security principles while applying them to various Web technologies such as Client-side, server-side, containers, security tools, cloud, big data, IOT, Mobile, blockchain, and AI/ML.
- The student will apply structured analytical techniques such as the CI4A ("CIA" and "AAA" Triads) models to the disparate challenges when it comes to protecting the Web's data, devices, applications, and frameworks.
- The student will use threat modeling principles to explain threats, vulnerabilities, and possible mitigations across various Web technologies.
- The student will summarize policy, regulation, and privacy issues as pertains to Web security.
Textbooks
There is no required textbook, but many current articles, videos, and reference resources will be used throughout the course. The instructor will provide links or the actual supplementary material, as necessary.
Required Software
Software Requirements
Oracle VirtualBox Link here or VMware.
A version of Ubuntu 22+ or equivalent virtual machine provided by instructor. An email will be sent before the start of the course to help walk you through the steps.
Technical Requirements
To work in an isolated sandbox, student will run VirtualBox (or VMware) on their systems to accomplish their assignments. A properly configured system will help you fully participate in this course, if your system does not meet or exceed these minimums, you will likely experience frustration finding it difficult to complete the assignments.
System Hardware minimums: 64-bit Intel i5/i7 2.0+ GHz processor, 16 GB RAM, 100+ GB disk space free to work in, Enabled "Intel-VT" in BIOS.
Apple Mac computers: In the past the use of the Mx chip had challenges, so be aware. VirtualBox may work on your Mac. But if you have issues, try: QEMU, which is both free and Open Source. If that doesn't suit you, Parallels Desktop, VMware Fusion, UTM and Lima.
Student Coursework Requirements
It is expected that each module will take approximately 7–10 hours per week to complete. Here is an approximate breakdown: reading the assigned sections of the texts (approximately 1–3 hours per week) as well as some outside reading/research, listening to the audio annotated slide presentations (approximately 1–2 hours per week), and tutorial & writing assignments (approximately 3–4 hours per week), knowledge checks (approximately 1-2 hours per week).
This course will consist of the following basic student requirements:
Discussions (20% of Final Grade Calculation)
You are responsible for carefully reading all assigned material and being prepared for discussion.
Most readings are from the recommended material. Additional reading may be assigned to supplement text readings.
Post your initial response to the discussion questions by the evening of day 4 for that module week. Posting a response to the discussion question is part one of your grade for module discussions (i.e., Timeliness).
Part two of your grade for module discussion is your interaction (i.e., responding to classmate postings with thoughtful responses) with at least two classmates (i.e., Critical Thinking). Just posting your response to a discussion question is not sufficient; we want you to interact with your classmates. Be detailed in your postings and in your responses to your classmates' postings. Feel free to agree or disagree with your classmates. Please ensure that your postings are civil and constructive.
We will monitor module discussions and will respond to some of the discussions as discussions are posted. In some instances, we will summarize the overall discussions and post the summary for the module.
Evaluation of preparation and participation is based on contribution to discussions.
Preparation and participation is evaluated by the following grading elements:
- Timeliness (50%)
- Critical Thinking (50%)
Preparation and participation is graded as follows:
100–90 = A—Timeliness [regularly participates; all required postings; early in discussion; throughout the discussion]; Critical Thinking [rich in content; full of thoughts, insight, and analysis].
89–80 = B—Timeliness [frequently participates; all required postings; some not in time for others to read and respond]; Critical Thinking [substantial information; thought, insight, and analysis has taken place].
79–70 = C—Timeliness [infrequently participates; all required postings; most at the last minute without allowing for response time]; Critical Thinking [generally competent; information is thin and commonplace].
Assignments (40% of Final Grade Calculation)
Each module has an assignment that will have the student building a technology stack within a virtual machine sandbox enviroment, then evaluatating the security implications using threat modeling. Each assignment witlInclude a cover sheet with your name and assignment identifier. Also include your name and a page number indicator (i.e., page x of y) on each page of your submissions. Each problem should have the problem statement, assumptions, computations, and conclusions/discussion delineated. All Figures and Tables should be captioned and labeled appropriately. External material must be cited either in-line with the text, or footnoted.
All assignments are due according to the dates in the Calendar.
Late submissions will be reduced by one letter grade for each week late (no exceptions without prior coordination with the instructors).
Course Project (20% of Final Grade Calculation)
A course project is composed of 3 parts due at certain date/times during the course. The course project will be evaluated against the grading rubric provided in the assignment PDF and CANVAS. The project may also be discussed at office hours during the course.
Knowledge Checks (10% of Final Grade Calculation)
Knowledge checks will be given with each module to ensure understanding and application of the material. They will include T/F, short answer, multiple choice, and multiple select questions. They will be graded primarily on correctness. Knowledge checks are open notes, open lecture, and open Internet, do not collaborate with anyone else.
NOTE: The knowledge checks may be completed in multiple sittings but must submitted before the end of the module week.
Exams (10% of Total Grade Calculation)
The final exam will be available at the last Module. You may start the exam anytime during that week, but it must be completed before the due date/time. Exam will include T/F, short answer, multiple choice, and multiple select questions. Students can reference all material available; Exam is open notes, open lecture, and open Internet, but do not collaborate with anyone else.
NOTE: The exams must be completed in one sitting and within a set time.
Grading Policy
Assignments are due according to the dates posted in your Canvas course site. You may check these due dates in the Course Calendar or the Assignments in the corresponding modules.
We generally do not directly grade spelling and grammar. However, egregious violations of the rules of the English language will be noted without comment. Consistently poor performance in either spelling or grammar is taken as an indication of poor written communication ability that may detract from your grade.
A grade of A indicates achievement of consistent excellence and distinction throughout the course—that is, conspicuous excellence in all aspects of assignments and discussion in every week.
A grade of B indicates work that meets all course requirements on a level appropriate for graduate academic work. These criteria apply to both undergraduates and graduate students taking the course.
EP uses a +/- grading system (see “Grading System”, Graduate Programs catalog, p. 10). You should contact your Program Chair for guidance on the breakdown used by your program.
| Score Range | Letter Grade |
|---|---|
| 100-98 | = A+ |
| 97-94 | = A |
| 93-90 | = A− |
| 89-87 | = B+ |
| 86-83 | = B |
| 82-80 | = B− |
| 79-77 | = C+ |
| 76-73 | = C |
| 72-70 | = C− |
| 69-67 | = D+ |
| 66-63 | = D |
| <63 | = F |
Final grades will be determined by the following weighting:
Item | % of Grade |
Discussions | 20% |
Assignments | 40% |
Course Project | 20% |
Knowledge Checks | 10% |
Final Exam | 10% |
Course Evaluation
Students will be sent course evaluations at midcourse and at the end of the course. Also, the instructor may send out calls for reflections, to collect the sentiment as the course progresses.
Course Policies
Course Culture
This course is likely to have a very different feel than others you have taken! The course philosophy embraces an informal and light-hearted learning environment. However, it is important to note that this does not indicate an easy or lenient approach. All EP program policies and deadlines remain in full effect. In this course, you are welcome to address the instructor by first name, fostering a sense of approachability and open communication.
Late Submission and Re-Submission Policy
Understanding that unexpected circumstances may arise, the goal is to support students while maintaining fairness across the class. To balance flexibility and accountability, the following Late Policy is in place for this master's degree course:
Late Submission: Late submissions will incur a 10% deduction immediately, with an additional 10% deducted for each week thereafter.
Re-Submission: You may re-submit an assignment for re-grading, but the late penalty may still apply.
Planning and Communication: If you anticipate needing an extension due to specific circumstances, please communicate with the instructor as early as possible. Together, you and the instructor will agree on a completion plan that you will be responsible for following.
While I strive to accommodate unforeseen challenges, it's important to plan ahead for predictable events such as vacations, medical leave, or work commitments. Please notify the instructor in advance if you foresee any potential conflicts.
Limits on Extensions: While I aim to be flexible, the decision to grant extensions is at the instructor's discretion. To ensure fairness and course progression:
- Extensions will not typically be granted within 48 hours of the assignment due date unless a valid reason is provided.
- The instructor may limit extensions to a maximum of two per student throughout the semester.
By adhering to this policy, we can manage unexpected situations effectively while ensuring fairness and maintaining the flow of the course. Thank you for your understanding and cooperation.
USE OF AI IN THIS CLASS
Students are encouraged to leverage their experience with AI tools such as GPT, Perplexity, Gemini, and Copilot, and be ready to further develop these skills as essential in researching academic topics like Assured Autonomy. Since this is an AI course, utilizing AI tools is an expected and integral part of the learning process.
However, it's crucial to use AI tools as aids to enhance your critical thinking and research capabilities, not as substitutes. AI can assist in tasks like summarizing complex topics, drafting initial versions of your work, and identifying relevant sources. That said, it's essential to critically assess the outputs of these tools to ensure they meet academic standards in terms of accuracy and reliability. Ultimately, the integrity of your assignments rests with you, so use AI to deepen your understanding and support your learning, not as a shortcut to bypass the effort required to master the course content.
When AI tools contribute significantly to your work, proper attribution is required.
I wish you the best in this course, stay alert and informed, be safe out there!
Academic Policies
Deadlines for Adding, Dropping and Withdrawing from Courses
Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.
Academic Misconduct Policy
All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students.
This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.
Students with Disabilities - Accommodations and Accessibility
Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.
For further information or to start the process of requesting accommodations, please contact Student Disability Services at Engineering for Professionals, ep-disability-svcs@jhu.edu.
Student Conduct Code
The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically.
For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/
Classroom Climate
JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.
If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).
Course Auditing
When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.