Information technology security is a broad field. This course focuses on the foundational technologies that build the Web-based Internet (the Web) as we know it today. The goal of this course is to guide the learner to adopt a professional security mindset by applying the techniques of threat modeling and risk assessment, and by applying the foundational security principles from the two "triad" models: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). The self-motivated learner will investigate vulnerabilities, threats, and mitigations with the objective of protecting the data, applications, frameworks, and the supporting complex technology stacks. Security at this level cannot be achieved by technology alone; the course will provide an opportunity to exercise a smart combination of methodologies and techniques that builds the confidence and rapport needed to champion web security within the learner's IT community. Applicable cryptology, digital certificates, and Public Key Infrastructure (PKI) will be reviewed. Each module will involve hands-on labs that use local virtual machines, containers, cloud computing environments, and an operational blockchain, enabling the learner to probe more deeply into the cybersecurity challenges of each technology solution. The assignments involve programming and system configuration, so novice-level exposure to Python, PHP, JavaScript, Linux commands, basic Internet architecture, and common protocols is recommended. Prerequisite(s): EN.605.202 Data Structures
To enhance your learning experience in this course, it is helpful to refresh your knowledge of basic IT and Networking topics. Before the course begins, the instructor will make available a list of references to help you get up to speed:
Familiarity with these topics will contribute to a more engaging and rewarding learning experience throughout the course.
Module Topic |
---|
Web Security Foundations |
PKI, SSL/TLS, Certificates |
Client-side Security |
Server-side Security |
App Container Security |
App Dev Security Tools |
Cloud Security |
Big Data in Security |
Mobile App Security |
Smart Contract Security |
Tor & Privacy |
IoT Security |
Security Testing Tools |
This master's degree course in web security is designed to explore the fundamental technologies that underpin the modern Web. The primary focus of the course is to safeguard web-based data, applications, frameworks, and supporting devices. While technology plays a crucial role, it is important to recognize that achieving security at this level requires a comprehensive approach involving procedures, techniques, and people.
By the end of the course, students will have a solid understanding of structured analytical techniques derived from the CI4A security attributes and threat modeling methodology. This model combines the key concepts from two widely recognized industry security attribute triads: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). These techniques will enable students to effectively analyze and explain web security activities.
On a practical level, students will gain hands-on experience in deploying various foundational web technology stacks. They will develop the competence to apply security principles in these real-world scenarios and confidently defend their decision-making process. The course will equip students with the necessary skills to address web security challenges and protect critical assets in a web-based environment.
Overall, this master's degree course in web security aims to provide a comprehensive understanding of web security technologies, principles, and practices. Graduates will be well-prepared to navigate the complexities of securing web-based systems and contribute to the advancement of secure web development and protection of sensitive data.
(The above paragraph was re-written by chatGPT.)
There is no required textbook, but many current articles, videos, and reference resources will be used throughout the course. The instructor will provide links or the actual supplementary material, as necessary.
Oracle VirtualBox or VMware Workstation/Fusion/Player.
Lubuntu 22.04 or equivalent virtual machine provided by instructor. An email will be sent before the start of the course to help walk you through the steps.
To work in an isolated sandbox, students will run VirtualBox (or VMware) on their own systems to complete their assignments. A properly configured system will help you fully participate in this course; if your system does not meet or exceed the minimums below, you will likely find it frustrating and difficult to complete the assignments.
System hardware minimums: 64-bit Intel i5/i7 2.0+ GHz processor, 16 GB RAM, 100+ GB of free disk space to work in, and hardware virtualization ("Intel VT-x") enabled in the BIOS/UEFI (the virtual machine will not start without it).
Apple Mac computers that use Apple silicon (M-series) chips may have challenges that need to be worked through: they can only run ARM64 guest operating systems natively, so an x86-64 VM image will not boot without an ARM64 equivalent. Try VMware Fusion.
It is expected that each module will take approximately 7–10 hours per week to complete. Here is an approximate breakdown: reading the assigned material (approximately 1–3 hours per week) plus some outside reading/research; listening to the audio-annotated slide presentations (approximately 1–2 hours per week); tutorial and writing assignments (approximately 3–4 hours per week); and knowledge checks (approximately 1–2 hours per week).
This course will consist of the following basic student requirements:
You are responsible for carefully reading all assigned material and being prepared for discussion.
Most readings are from the recommended material. Additional reading may be assigned to supplement text readings.
Post your initial response to the discussion questions by the evening of day 4 for that module week. Posting a response to the discussion question is part one of your grade for module discussions (i.e., Timeliness).
Part two of your grade for module discussion is your interaction (i.e., responding to classmate postings with thoughtful responses) with at least two classmates (i.e., Critical Thinking). Just posting your response to a discussion question is not sufficient; we want you to interact with your classmates. Be detailed in your postings and in your responses to your classmates' postings. Feel free to agree or disagree with your classmates. Please ensure that your postings are civil and constructive.
We will monitor module discussions and will respond to some of the discussions as discussions are posted. In some instances, we will summarize the overall discussions and post the summary for the module.
Evaluation of preparation and participation is based on contribution to discussions.
Preparation and participation are evaluated on two grading elements, Timeliness and Critical Thinking, and graded as follows:
100–90 = A—Timeliness [regularly participates; all required postings; early in discussion; throughout the discussion]; Critical Thinking [rich in content; full of thoughts, insight, and analysis].
89–80 = B—Timeliness [frequently participates; all required postings; some not in time for others to read and respond]; Critical Thinking [substantial information; thought, insight, and analysis has taken place].
79–70 = C—Timeliness [infrequently participates; all required postings; most at the last minute without allowing for response time]; Critical Thinking [generally competent; information is thin and commonplace].
Each module has an assignment in which the student builds a technology stack within a virtual machine sandbox environment, then evaluates its security implications using threat modeling. Each assignment submission must include a cover sheet with your name and the assignment identifier. Also include your name and a page number indicator (i.e., page x of y) on each page of your submission. Each problem should have the problem statement, assumptions, computations, and conclusions/discussion delineated. All figures and tables should be captioned and labeled appropriately. External material must be cited either in-line with the text or in a footnote.
All assignments are due according to the dates in the Calendar.
Late submissions will be reduced by one letter grade for each week late (no exceptions without prior coordination with the instructors).
The course project is composed of 3 parts, each due at a set date/time during the course. The course project will be evaluated against the grading rubric provided in the assignment PDF and in Canvas. The project may also be discussed at office hours during the course.
Knowledge checks will be given with each module to ensure understanding and application of the material. They will include T/F, short answer, multiple choice, and multiple select questions, and will be graded primarily on correctness. Knowledge checks are open notes, open lecture, and open Internet, but you may not collaborate with anyone else.
NOTE: The knowledge checks may be completed in multiple sittings but must be submitted before the end of the module week.
The final exam will be available in the last module. You may start the exam at any time during that week, but it must be completed before the due date/time. The exam will include T/F, short answer, multiple choice, and multiple select questions. Students may reference all available material; the exam is open notes, open lecture, and open Internet, but you may not collaborate with anyone else.
NOTE: The exams must be completed in one sitting and within a set time.
Assignments are due according to the dates posted in your Canvas course site. You may check these due dates in the Course Calendar or the Assignments in the corresponding modules.
We generally do not directly grade spelling and grammar. However, egregious violations of the rules of the English language will be noted without comment. Consistently poor performance in either spelling or grammar is taken as an indication of poor written communication ability that may detract from your grade.
A grade of A indicates achievement of consistent excellence and distinction throughout the course—that is, conspicuous excellence in all aspects of assignments and discussion in every week.
A grade of B indicates work that meets all course requirements on a level appropriate for graduate academic work. These criteria apply to both undergraduates and graduate students taking the course.
EP uses a +/- grading system (see “Grading System”, Graduate Programs catalog, p. 10). You should contact your Program Chair for guidance on the breakdown used by your program.
Score Range | Letter Grade |
---|---|
100–98 | A+ |
97–94 | A |
93–90 | A− |
89–87 | B+ |
86–83 | B |
82–80 | B− |
79–77 | C+ |
76–73 | C |
72–70 | C− |
69–67 | D+ |
66–63 | D |
<63 | F |
Final grades will be determined by the following weighting:
Item | % of Grade |
---|---|
Discussions | 20% |
Assignments | 40% |
Course Project | 20% |
Knowledge Checks | 10% |
Final Exam | 10% |
Students will be sent course evaluations at midcourse and at the end of the course. Also, the instructor will send out calls for reflections, to collect the sentiment as the course progresses.
This course is likely to have a very different feel than others you have taken! The course philosophy embraces an informal and light-hearted learning environment. However, it is important to note that this does not indicate an easy or lenient approach. All EP program policies and deadlines remain in full effect. In this course, you are welcome to address me by my first name, fostering a sense of approachability and open communication.
The content and assignments in this course are derived from real-world applications of technology, encompassing a wide range from conceptual ideas to detailed requirements. As the course heavily relies on the Internet for content delivery, it is necessary for students to be prepared to manage their expectations and address any issues that may arise.
The Internet is a dynamic and ever-changing environment, presenting challenges along the way. Links may break, standards and protocols may evolve, and emerging technologies can disrupt the intended flow of course objectives. It is crucial to be adaptable and resilient in navigating through these challenges.
By recognizing the variability and dynamics of the Internet, students can approach the course with a proactive mindset, ready to overcome obstacles and embrace the evolving nature of technology.
In this master's degree course, collaboration and ingenuity, which are the building blocks of the Internet, are crucial. Therefore, to navigate the course successfully, students will need to strike a balance between being self-starters and possessing strong social skills. It is essential to come prepared and be aware of the challenges that lie ahead.
I want to ensure that you have an enriching learning experience while gaining a solid understanding of Web Security in your master's degree course. Please keep the following guidelines in mind:
Start each Module early: It is important to begin each module as early as possible. While I will make every effort to respond promptly, waiting until the weekend may hinder my ability to address all inquiries as quickly as I would like.
Embrace curiosity and experimentation: Throughout the course, you are likely to have questions about various concepts. I encourage you to have an authentic learning experience by reaching out to your classmates on Teams if you encounter challenges. It's highly probable that someone else is facing similar issues. Before seeking assistance, I encourage you to explore external resources such as YouTube, StackOverflow, textbooks, etc. Office Hours are designed to help you apply what you've learned from the Lecture Notes and weekly Readings to your assignments. While I am always available to assist you, I aim to guide you towards finding the correct answers rather than simply providing solutions. If I request to see your attempted solutions or refer you to a reference, it is not because I'm unwilling to help, but to ensure you grasp essential concepts.
Utilize TEAMS channels for help: If you require assistance with assignments, please keep track of the time you spend on them. The assignments are designed not to be unnecessarily difficult but to help you learn the technology and associated security principles. If you find yourself spending more than four hours on an assignment, please pause and post your issue in the Help channel. If no other student comes forward to assist or share a similar problem, and a day passes without a response, then feel free to reach out to me. Please refrain from direct messaging other students, as it hampers the opportunity for shared help and experiences within the class. Use the HELP channel to seek assistance or share your successes.
Be interactive: You are part of a fantastic program with diverse students who possess various areas of expertise and professional experiences. I encourage you to engage with everyone in the class, including me. Build professional connections, share your knowledge, showcase your expertise, and enjoy the journey! Please note that I have a personal policy of not accepting social media requests for connection or friendship until after the semester is over.
By following these guidelines, you will not only enhance your learning experience but also foster a collaborative and engaging environment within the course.
Acknowledging that unexpected circumstances can arise, I strive to accommodate students while maintaining fairness for the entire class. To strike a balance, the following Late Policy has been adopted for this master's degree class:
Plan and communicate: In the event that you require an extension due to a specific situation, it is important to reach out to me as soon as reasonably possible. While I understand that life can be unpredictable, many aspects of this course can be anticipated and planned for in advance. Please consider any upcoming vacations, medical leave, work travel, or similar commitments that may occur during the semester and notify me in advance if feasible.
Collaborate: Take advantage of the resources available to you, such as the assigned readings, lecture videos, office hours, and Teams collaboration, to solve assignments independently or to work collaboratively with your peers. It is important to begin reviewing the material for each week early in the module. Note that collaboration is encouraged when working on the assignments, the course project, and discussions; the knowledge checks and exams, however, must be completed individually.
Limits: While I aim to be as flexible as possible, the granting of extensions ultimately rests at my discretion. Consequently, unless a valid reason is provided, I prefer not to grant extensions within 48 hours of the assignment due date. Additionally, I may find it challenging to offer more than two extensions per student over the course of the semester.
Penalty: It is important to be aware of the "late submission" policy, which allows for partial credit but incurs a penalty of 10% deducted per week of delay. Similarly, the "re-submission" policy permits you to submit an assignment for re-grading, although the late penalty may still apply.
By adhering to this Late Policy, we can navigate unexpected situations while maintaining fairness and ensuring the smooth progression of the course.
(The above policy wording was re-written by ChatGPT.)
Deadlines for Adding, Dropping and Withdrawing from Courses
Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.
Academic Misconduct Policy
All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students.
This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.
Students with Disabilities - Accommodations and Accessibility
Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.
For further information or to start the process of requesting accommodations, please contact Student Disability Services at Engineering for Professionals, ep-disability-svcs@jhu.edu.
Student Conduct Code
The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically.
For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/
Classroom Climate
JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.
If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).
Course Auditing
When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.