This is an abridged syllabus. You can access the complete syllabus in your Canvas course.

695.622.81 - Web Security

Cybersecurity

Summer 2025

Description

Information technology security is a broad field. This course focuses on the foundational technologies that build the Web-based Internet (Web) as we know it today. The goal of this course is to guide the learner to adopt a professional security mindset by applying the techniques of threat modeling, risk assessment, and apply the foundational security principles from the two "triad" models: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). The self-motivated learner will investigate vulnerabilities, threats, and mitigations with the objective of protecting the data, applications, frameworks, and the supporting complex technology stacks. Security at this level cannot be achieved by technology alone, the course will provide an opportunity to exercise a smart combination of methodologies and techniques that can build confidence and rapport to champion web security within their IT community. Applicable cryptology, digital certificates, and Public Key Infrastructure will be reviewed. Each module will involve hands-on labs that implement local virtual machines, containers, cloud computing environments, and an operative blockchain enabling the learner to probe more deeply into the cybersecurity challenge of each technology solution. The assignments will involve programming and system configuration thus a novice-level exposure of Python, PHP, JavaScript, Linux Commands, basic Internet architecture and common protocols is recommended. Prerequisite(s): EN.605.202 Data Structures

Expanded Course Description

Prerequisites

Students are expected to have completed EN.605.202 Data Structures. In addition, successful students will typically have familiarity with:

Python, PHP, and JavaScript
Basic Linux command line
Git and GitHub workflows
Cloud platforms (AWS/GCP/Azure)
Networking fundamentals (e.g., from 605.671)
Cryptographic principles (e.g., PKI, digital certificates)
Executive presentation and documentation skills
Internet research and prompt engineering for LLMs

Be ready to combine and synthesize your familiarity in these prerequisite topics, maintaining this perspective will contribute to a more fruitful and engaging learning experience throughout the course.

Instructor

David Concepcion

Course Structure

The course materials are divided into modules which can be accessed by clicking Course Modules on the left menu. A module will have several sections including the overview, lectures, readings, discussions, knowledge checks, and assignments. You are encouraged to preview all sections of the module before starting. Most modules run for a period of seven (7) days, exceptions are noted in the Course Outline. You should regularly check the Calendar and Announcements for assignment due dates.

Course Topics

Introduction to Web Security
PKI, SSL/TLS, Certificates
API, REST, JSON Security
SQL Server Security
App Container Security
App Dev Security Tools
Cloud Security
Big Data in Security
Mobile App Security
Smart contract Security
ToR/VPN Privacy
IoT Security
Web Security Testing Tools
Course Project (Involves Cloud Computing)

Course Goals

This master's degree course in web security is designed to explore the fundamental technologies that underpin the modern Web. The primary focus of the course is to safeguard web-based data, applications, frameworks, and supporting devices. While technology plays a crucial role, it is important to recognize that achieving security at this level requires a comprehensive approach involving procedures, techniques, and people.

By the end of the course, students will have a solid understanding of structured analytical techniques derived from the CI4A threat model. This model combines the key concepts from two widely recognized security industry models: "confidentiality, integrity, and availability" (CIA) and "authentication, authorization, and accounting" (AAA). These techniques will enable students to effectively analyze and explain web security activities.

On a practical level, students will gain hands-on experience in deploying various foundational web technology stacks. They will develop the competence to apply security principles in real-world scenarios and confidently defend their decision-making process. The course will equip students with the necessary skills to address web security challenges and protect critical assets in a web-based environment.

Overall, this master's degree-level course in web security aims to provide a comprehensive understanding of web security technologies, principles, and practices. Graduates will be well-prepared to navigate the complexities of securing web-based systems and contribute to the advancement of secure web development and protection of sensitive data.

Course Learning Outcomes (CLOs)

At the successful conclusion of the course, the student will be able to describe basic cryptography and public key infrastructure that supports Web security.
The student will survey foundational security principles while applying them to various Web technologies such as Client-side, server-side, containers, security tools, cloud, big data, IOT, Mobile, blockchain, and AI/ML.
The student will apply structured analytical techniques such as the CI4A ("CIA" and "AAA" Triads) models to the disparate challenges when it comes to protecting the Web's data, devices, applications, and frameworks.
The student will use threat modeling principles to explain threats, vulnerabilities, and possible mitigations across various Web technologies.
The student will summarize policy, regulation, and privacy issues as pertains to Web security.

Textbooks

There is no required textbook, but the instructor will provide for each topic module appropriate articles, white papers, NIST documents, vendor write-ups and blog posts that will be assigned and/or referenced throughout the course. The reading content may be updated each semester as the industry and government agencies address emerging technologies.

Other Materials & Online Resources

Use of Large Language Models (LLMs): Students are allowed to use any tool that is suitable for preparing high-quality content for their assignments and research. In fact, at JHU, the use of LLM AI Tools (GPT, Gemini, Perplexity, Copilot, or other generative artificial intelligence technology) does not violate the academic misconduct policy. However, keep in mind two important criteria:

First, assignments are expected to demonstrate students learned knowledge of the topic. Thus, when students are asked to describe their major steps with the screen snips, any tool that is important to that process, including the use of LLMs, should be described also. For example, students should mention tools (including LLMs) that were used to complete the assignments including code generation, additional tutorial steps, visualization, log/data analysis, conducting risk, threat, and vulnerability analysis. It may also be advisable to describe the use of LLMs in implementing the method (if this corresponds to an important, original, or non-standard component of the approach).

Second, students are responsible for the entire content of the assignment, including all text and figures, so while students are welcome to use any tool for completing the assignments, they must ensure that all text and graphs are correct and original. Inasmuch, presenting the output of these tools as one's own work is considered plagiarism, and using these tools on assessments where they are explicitly forbidden is a form of cheating.

Required Software

Software Requirements

Oracle VirtualBox (online open source) or VMware Workstation/Fusion/Player.

Linux (Ubuntu variation) virtual machine provided by instructor.

Technical Requirements

Students will run a sandbox using Linux and Android in a VirtualBox (or VMware) on their systems to accomplish their assignments. A properly configured system will help you fully participate in this course, if your system does not meet or exceed these minimums, you will likely experience frustration finding it difficult to complete the assignments.

System Hardware minimums: 64-bit Intel i5/i7 2.0+ GHz processor, 16 GB RAM, 100+ GB disk space free to work in, Enabled "Intel-VT" in BIOS.

Mac M-series chip users: Be aware of known compatibility issues with VirtualBox. Alternatives include UTM, Parallels, or QEMU.

Student Coursework Requirements

It is expected that each module will take approximately 7–10 hours per week to complete. Here is an approximate breakdown: reading the assigned texts (approximately 1 hour per week) as well as some outside reading/research, listening to the audio lectures annotated slide presentations (approximately 1–2 hours per week), and tutorial & writing assignments (approximately 3–4 hours per week), knowledge checks (approximately 1-2 hour per week).

This course will consist of the following basic student requirements:

Discussions (20% of Final Grade Calculation)

In this course, discussions play a significant role in your learning and engagement. To ensure your success in this component, please adhere to the following guidelines:

Reading and Preparation: It is your responsibility to thoroughly read all assigned materials and come prepared for discussions. While most readings will be from the recommended material, additional readings may be assigned to supplement the text.
Timeliness: For each module week, post your initial response to the discussion question by due date/time specified. This timeliness contributes to part one of your grade for module discussions.
Interaction and Critical Thinking: Part two of your grade for module discussions is based on your interaction with classmates. This involves responding thoughtfully to at least two classmates' postings, demonstrating critical thinking skills. Merely posting your own response to the discussion question is insufficient; the aim is to engage and interact with your peers. When responding, provide detailed explanations and consider both agreement and disagreement. It is important to maintain a civil and constructive tone in all postings.
Evaluation and Grading: The module discussions will be monitored, and occasional responses may be provided by the instructor. Your preparation and participation will be evaluated based on your contributions to the discussions. The grading elements considered for evaluation include timeliness and critical thinking.

By actively participating in discussions and following these guidelines, you can make the most of this valuable learning opportunity and contribute meaningfully to the course.

Assignments (40% of Final Grade Calculation)Assignments in this course will encompass a combination of hands-on tutorials where students will construct technology stacks and perform threat modeling on them. To ensure effective evaluation, please adhere to the following guidelines for assignment submissions:

Screen Snips and Annotations: During tutorial work, students are required to capture screen snips and annotate them with concise, one-line descriptions for each significant step taken. The number of snips is not the sole focus; rather, the annotation descriptions should accurately reflect the displayed content. This demonstrates your understanding of how key steps contribute to the overall goal.
Document Formatting: Each submission should include your name and a page number indicator (e.g., "page x of y") on every page. For clarity and organization, assignments should clearly delineate the problem statement, assumptions, computations, and conclusions/discussion, as applicable. Figures and tables must be properly captioned and labeled. In-text citations or footnotes should be used to reference external material.
Submission Deadlines: All assignments are due according to the specified dates in the course calendar.
Evaluation Criteria: Assignments will be evaluated using predefined rubrics. Generally, the following aspects will be considered:
- Completion of all parts of the question.
- Clear statement of assumptions.
- Inclusion of intermediate derivations and calculations.
- Technical correctness and clear indication of answers.
- Appropriate precision and units for answers.
- High-level writing quality and technical accuracy, meeting or exceeding accepted standards for graduate-level English and scholarship. Assignments will be graded on grammar, style, and content.
Demonstration of Knowledge: Assignments should reflect your understanding and knowledge of the topic at hand.

By adhering to these guidelines, you can ensure that your assignments are well-structured, accurately presented, and effectively demonstrate your comprehension of the subject matter.

Course Project (20% of Final Grade Calculation)A course project is composed of 3 major parts due at certain date/times during the course.

Build a cloud-based serverless web solution.
Perform a risk assessment/threat modeling on the solution.
Draft and present the security plan at an executive level.

The course project will be evaluated against the grading rubric provided in the assignment PDF and CANVAS. The project may also be discussed at office hours during the course.
Knowledge Checks (10% of Final Grade Calculation)

Each module includes a knowledge check designed to reinforce key concepts and assess your understanding and application of the material. These checks may consist of true/false, short answer, multiple choice, and multiple select questions.

Knowledge checks are graded based on accuracy and timely completion. You are allowed to reference course materials, lecture slides, notes, and open-source Internet content while completing them. However, collaboration with others is not permitted.

Note: You may complete a knowledge check in more than one sitting, but it must be submitted by the end of the module week to receive full credit.

Exams (10% of Total Grade Calculation)

The final exam will be released during the last module and must be completed on the scheduled date listed in the course calendar. It must be finished on that day.

The exam will include a mix of true/false, short answer, multiple choice, and multiple select questions. It is open notes, open lectures, and open Internet, but strictly individual work—no collaboration of any kind is allowed.

Grading Policy

Assignments are due according to the dates posted in your Canvas course site. You may check these due dates in the Course Calendar document too.

We generally do not directly grade spelling and grammar. However, egregious violations of the rules of the English language will be noted without comment. Consistently poor performance in either spelling or grammar is taken as an indication of poor written communication ability that may detract from your grade.

A grade of A indicates achievement of consistent excellence and distinction throughout the course—that is, conspicuous excellence in all aspects of assignments and discussion in every week.

A grade of B indicates work that meets all course requirements on a level appropriate for graduate academic work. These criteria apply to both undergraduates and graduate students taking the course.

EP uses a +/- grading system (see “Grading System”, Graduate Programs catalog, p. 10). You should contact your Program Chair for guidance on the breakdown used by your program.

Score Range	Letter Grade
100-98	= A+
97-94	= A
93-90	= A−
89-87	= B+
86-83	= B
82-80	= B−
79-77	= C+
76-73	= C
72-70	= C−
69-67	= D+
66-63	= D
<63	= F

Course Evaluation

Midway and at the end of the course, JHU sends out formal evaluation forms.
Reflections will be solicited at various times during the course as a safe space for learners to express their emotions, establish meaningful connections, and actively engage in their own learning.
The instructor may inquire with students during the course or send out a survey for more specific feedback on a focused aspect from students at the end of the course.

Course Policies

Late Submission and Re-Submission Policy

This policy is designed to support your success while maintaining fairness across the class. Timely submissions foster collaboration and allow you to fully engage with classmates in discussing key topics. When students fall behind, they lose out on the shared learning process and problem-solving opportunities essential to this course.

Start-Up Grace Period (Modules 1–3)

To support students who may need additional time to configure their environments:

No late penalties will be applied to Modules 1–3, provided all submissions are received by the Module 5 due date. (Rationale: Some students need some ramp up time to get their sandboxes running and get with the rhythm of the course.)
Starting Module 4, the standard late policy applies.

Late Submission Policy (Module 4 and Onward)

Assignments and projects submitted late without prior arrangements will be penalized 5 points per week.
Discussion posts: No credit will be given if the first post is made after the due date, as peer interaction is time-sensitive and essential for learning.

Re-Submission Policy

Students may resubmit assignments for re-grading, but any applicable late penalties may still apply unless a plan has been pre-arranged.

Exceptions & Flexibility

Life events happen. If you encounter a situation that may affect your ability to submit on time:

Contact the instructor before the due date to propose a plan.
If agreed upon, the plan will be documented via email (with the grader copied), and no penalty will be applied if you follow through.
Extensions are generally not granted within 48 hours of the deadline unless a valid reason is provided.
In fairness to all students, extensions are limited to two per student over the semester.

Planning Ahead

While flexibility is offered, students are expected to anticipate foreseeable conflicts (e.g., work travel, vacations, medical appointments) and notify the instructor in advance when possible.

By adhering to this policy, we create a learning environment that balances structure with understanding. Your communication and accountability are key to making this work for everyone.

Course culture

This course is likely to have a very different feel than others you have taken! The course philosophy embraces an informal and light-hearted learning environment. However, it is important to note that this does not indicate an easy or lenient approach. All EP program policies and deadlines remain in full effect. In this course, you are welcome to address me by my first name, fostering a sense of approachability and open communication.

Challenge level expectations

The content and assignments in this course are derived from real-world applications of technology, encompassing a wide range from conceptual ideas to detailed requirements. As the course heavily relies on the Internet for content delivery, it is necessary for students to be prepared to manage their expectations and address any issues that may arise.

The Internet is a dynamic and ever-changing environment, presenting challenges along the way. Links may break, standards and protocols may evolve, and emerging technologies can disrupt the intended flow of course objectives. It is crucial to be adaptable and resilient in navigating through these challenges.

By recognizing the variability and dynamics of the Internet, students can approach the course with a proactive mindset, ready to overcome obstacles and embrace the evolving nature of technology.

Collaboration is key

Collaboration and ingenuity, which are the building blocks of the Internet, are crucial to navigate the course successfully. Students will need to strike a balance between being self-starters and exercising their teaming skills. Please come prepared and be aware of the challenges that lie ahead.

Take advantage of the resources available to you, such as the assigned readings, lecture videos, office hours, and Teams collaboration, to independently solve assignments or work collaboratively with your peers. It is important to begin reviewing the material for each week early in the modules. However, please note that collaboration is encouraged when working on the assignments, the course project, and discussions. However, the knowledge checks and exams should be completed individually.

Helpful Hints:

I want you to have an enriching learning experience while gaining a solid understanding of Web Security in your master's degree program. Please keep the following guidelines in mind:

Start each Module early: It is important to begin each module as early as possible. While I will make every effort to respond promptly, waiting until the weekend may hinder my ability to address all inquiries as quickly as I would like.
Embrace curiosity and experimentation: Throughout the course, you are likely to have questions about various concepts. I encourage you to have an authentic learning experience by reaching out to your classmates on Teams if you encounter challenges. It's highly probable that someone else is facing similar issues. Before seeking assistance, I encourage you to explore external resources such as YouTube, StackOverflow, textbooks, etc. Office Hours are designed to help you apply what you've learned from the Lecture Notes and weekly Readings to your assignments. While I am always available to assist you, I aim to guide you towards finding the correct answers rather than simply providing solutions. If I request to see your attempted solutions or refer you to a reference, it is not because I'm unwilling to help, but to ensure you grasp essential concepts.
Utilize TEAMS channels for help: If you require assistance with assignments, please keep track of the time you spend on them. The assignments are designed not to be unnecessarily difficult but to help you learn the technology and associated security principles. If you find yourself spending more than four hours on an assignment, please pause and post your issue in the Help channel. If no other student comes forward to assist or share a similar problem, and a day passes without a response, then feel free to reach out to me. Please refrain from direct messaging other students, as it hampers the opportunity for shared help and experiences within the class. Use the HELP channel to seek assistance or share your successes.
Be interactive: You are part of a fantastic program with diverse students who possess various areas of expertise and professional experiences. I encourage you to engage with everyone in the class, including me. Build professional connections, share your knowledge, showcase your expertise, and enjoy the journey! Please note that I have a personal policy of not accepting social media requests for connection or friendship until after the semester is over.

These guidelines will enhance your learning experience and also foster an engaging environment within the course. Stay alert and informed, be safe out there.

Academic Policies

Deadlines for Adding, Dropping and Withdrawing from Courses

Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.

Academic Misconduct Policy

All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students. This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.

Students with Disabilities - Accommodations and Accessibility

Johns Hopkins University is committed to providing welcoming, equitable, and accessible educational experiences for all students. If disability accommodations are needed for this course, students should request accommodations through Student Disability Services (SDS) as early as possible to provide time for effective communication and arrangements. For further information about this process, please refer to the SDS Website.

Student Conduct Code

The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically. For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/

Classroom Climate

JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity. If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).

Course Auditing

When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.