Course syllabus - Web application security
Scope
5 credits
Course code
DVA456
Valid from
Autumn semester 2017
Education level
Second cycle
Progressive Specialisation
A1N (Second cycle, has only first-cycle course/s as entry requirements).
Main area(s)
Computer Science
School
School of Innovation, Design and Engineering
Ratified
2017-01-31
Status
This syllabus is no longer current and the course will not be given again.
Literature lists
Course literature is preliminary up to 8 weeks before course start. Course literature can be valid over several semesters.
Objectives
Modern web applications can often be described in terms of cooperation and sharing, both at the level of the application's users and at the level of the application and its service providers. This places web applications in a distributed application class with mutual distrust between the different stakeholders, which leads to a plethora of security challenges.
This course covers the most prevalent security challenges of web applications from both a theoretical and a practical perspective. The aim of the course is to give students the ability to identify and analyze common vulnerabilities and the related protection mechanisms, and to put this knowledge into practice. While the course uses web applications as its starting point, most of the covered security challenges are instances of more general challenge classes that apply to many other types of applications, both within the application class of web applications and outside it.
Learning outcomes
After completing the course, the student should have:
1. knowledge of web applications and the corresponding application class, and the ability to construct complex applications
2. knowledge of the most prevalent security challenges of web applications, and the ability to identify vulnerabilities in applications
3. theoretical knowledge of protection mechanisms and their limitations, in isolation and in relation to each other
4. the ability to perform attacks and implement the corresponding protections
5. knowledge of current research on attacks and protection mechanisms
Course content
The course gives an overview of the defining properties of web applications and the corresponding application class, and identifies different security challenges in relation to the different stakeholders: the users, the application provider, and the service and library providers. It covers concepts such as statelessness, confidentiality, integrity, access control, authentication and authorization, and session handling, together with the attacks related to those concepts. In addition, the course covers different forms of injection attacks, in which code is, in one way or another, injected and executed on the client or server side.
The course emphasizes the importance of the interplay between theory and practice, where both attacks and protection mechanisms are studied from a theoretical perspective and put into practice. In selected cases, the attacks are identified as instances of more general classes of attacks and their relation to other instances of the corresponding class is discussed.
In addition, the course gives an orientation on current research on attacks and protection mechanisms in relation to the application class of web applications.
Tuition
Lectures, exercises, and laboratory work.
Specific requirements
120 credits, of which at least 80 credits in technology or informatics, including at least 30 credits in computer science or software development. In addition, at least 18 months of documented work experience in software development or related areas. In addition, Swedish course B/Swedish course 3 and English course A/English course 6 are required. For courses given entirely in English, an exemption is made from the requirement in Swedish course B/Swedish course 3.
Examination
Laboratory work (LAB1), 4 credits (examines learning objectives 1-4), marks Fail (U) or Pass (G)
Exercise (ÖVN1), 1 credit (examines learning objectives 3 and 5), marks Fail (U) or Pass (G)
A student who has a certificate from MDU regarding a disability has the opportunity to submit a request for supportive measures during written examinations or other forms of examination, in accordance with the Rules and Regulations for Examinations at First-cycle and Second-cycle Level at Mälardalen University (2020/1655). It is the examiner who decides on any supportive measures, based on the kind of certificate issued and, in that case, which measures are to be applied.
Suspicions of attempting to deceive in examinations (cheating) are reported to the Vice-Chancellor, in accordance with the Higher Education Ordinance, and are examined by the University’s Disciplinary Board. If the Disciplinary Board considers the student to be guilty of a disciplinary offence, the Board will take a decision on disciplinary action, which will be a warning or suspension.
Grade
Pass, Fail