Information
Field | Value |
---|---|
Code | CENG0034 |
Name | Web Application Security |
Academic Year | 2023-2024 Academic Year |
Term | Spring |
Duration (T+A) | 3-0 (T-A) (17 Week) |
ECTS | 6 ECTS |
National Credit | 3 National Credit |
Teaching Language | English |
Level | Master's Course |
Type | Normal |
Mode of study | Face-to-Face Education |
Catalog Information Coordinator | |
Course Instructor | 1 |
Course Goal / Objective
This course involves the security methods applied to websites, web applications, and web services. The course focuses on how to develop and maintain secure web applications by applying security principles and techniques.
Course Content
User tracking/profiling. Privacy preservation. User authentication and session management. Web environment security: secure set-up of web servers and firewalling. SQL injection. Cross-site scripting (XSS). Cross-site request forgery (CSRF). Secure HTTP (HTTPS): goals and pitfalls. Internet e-mail: MIME and PGP, phishing, spamming and spoofing. Secure e-payment systems for websites. Cloud computing and security. Web DDoS attacks and prevention. XML security. AJAX and web services security. Security concepts of PHP vs. Java servlets. Security concepts of Java Server Pages and Java Server Faces. Recent attack trends and cutting-edge web security.
Course Precondition
There are no prerequisites.
Resources
1. Hanqing, W. Web Security. CRC Press, 2015. ISBN: 978-1466592612
Notes
2. Harwood, M., Goncalves, M., and Pemble, M. Security Strategies in Web Applications and Social Networking (Information Systems Security & Assurance). 2010. ISBN: 9780763791957
3. Perry, B. W. Java Servlet & JSP Cookbook. O'Reilly Media, 2004
Course Learning Outcomes
Order | Course Learning Outcomes |
---|---|
LO01 | Ability to describe web-based applications and associated threats and differentiate from mainframe, client-server applications |
LO02 | Ability to evaluate web application security vulnerabilities and take countermeasures |
LO03 | Ability to detect and mitigate Web DDoS attacks |
LO04 | Ability to understand the role of secure web-based applications in e-commerce transactions |
LO05 | Ability to describe the security concepts of PHP, java servlets, java server pages and java server faces |
LO06 | Ability to describe recent web attack trends and cutting-edge web security |
Relation with Program Learning Outcome
Order | Type | Program Learning Outcomes | Level |
---|---|---|---|
PLO01 | Knowledge - Theoretical, Factual | On the basis of the competencies gained at the undergraduate level, has an advanced level of knowledge and understanding that provides the basis for original studies in the field of Computer Engineering. | 3 |
PLO02 | Knowledge - Theoretical, Factual | Accesses scientific knowledge in the field of engineering, reaches that knowledge in depth and breadth, and evaluates, interprets and applies it. | 3 |
PLO03 | Competences - Learning Competence | Is aware of the new and developing practices of his/her profession, and examines and learns them when necessary. | 4 |
PLO04 | Competences - Learning Competence | Constructs engineering problems, develops methods to solve them and applies innovative methods in solutions. | 4 |
PLO05 | Competences - Learning Competence | Designs and applies analytical, modeling and experiment-based research, and analyzes and interprets complex situations encountered in this process. | 5 |
PLO06 | Competences - Learning Competence | Develops new and/or original ideas and methods, and develops innovative solutions in system, part or process design. | 5 |
PLO07 | Skills - Cognitive, Practical | Has the skills of learning. | 4 |
PLO08 | Skills - Cognitive, Practical | Is aware of new and emerging applications of Computer Engineering, and examines and learns them if necessary. | 3 |
PLO09 | Skills - Cognitive, Practical | Communicates the processes and results of his/her studies, in written or oral form, in national and international settings within or outside the field of Computer Engineering. | 3 |
PLO10 | Skills - Cognitive, Practical | Has comprehensive knowledge about current techniques and methods and their limitations in Computer Engineering. | 4 |
PLO11 | Skills - Cognitive, Practical | Uses information and communication technologies at an advanced level, interactively with the computer software required by Computer Engineering. | 2 |
PLO12 | Knowledge - Theoretical, Factual | Observes social, scientific and ethical values in all professional activities. | |
Week Plan
Week | Topic | Preparation | Methods |
---|---|---|---|
1 | Introduction to Web Application Security | Reading related chapter in lecture notes | |
2 | Browser security: attack to browsers, users tracking/profiling, privacy preserving, anonymity, secure browsing | Reading related chapter in lecture notes | |
3 | User Authentication and Session Management | Reading related chapter in lecture notes | |
4 | Web Environment Security: Secure set-up of web servers and firewalling | Reading related chapter in lecture notes | |
5 | Website Attacks: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) | Reading related chapter in lecture notes | |
6 | Secure HTTP (HTTPS): Goals and Pitfalls | Reading related chapter in lecture notes | |
7 | Internet E-Mail: MIME and PGP, phishing, spamming & spoofing, e-mail forensics | Reading related chapter in lecture notes | |
8 | Mid-Term Exam | ||
9 | Secure E-Payment Systems for Websites | Reading related chapter in lecture notes | |
10 | Cloud Computing and Security | Reading related chapter in lecture notes | |
11 | Web DDoS Attacks and Prevention | Reading related chapter in lecture notes | |
12 | Security in parsing of XML data, XML injection | Reading related chapter in lecture notes | |
13 | AJAX and Web Services (SOAP and REST) Security | Reading related chapter in lecture notes | |
14 | Security Concepts of Java Servlets, Java Server Pages and Java Server Faces | Reading related chapter in lecture notes | |
15 | Recent Attack Trends and Cutting-Edge Web Security | Reading related chapter in lecture notes | |
16 | Term Exams | ||
17 | Term Exams | ||
Student Workload - ECTS
Works | Number | Time (Hour) | Workload (Hour) |
---|---|---|---|
Course Related Works | |||
Class Time (Exam weeks are excluded) | 14 | 3 | 42 |
Out of Class Study (Preliminary Work, Practice) | 14 | 5 | 70 |
Assessment Related Works | |||
Homework, Projects, Others | 0 | 0 | 0 |
Mid-term Exams (Written, Oral, etc.) | 1 | 15 | 15 |
Final Exam | 1 | 30 | 30 |
Total Workload (Hour) | 157 | ||
Total Workload / 25 (h) | 6.28 | ||
ECTS | 6 ECTS |