1. Course Identity
Course title: Internet Security
Hours per week: 3
ECTS Units: 6
Tutor: Ilioudis Christos
2. Learning goals
This module gives an introductory coverage of the fundamentals of Internet and web security.
By the end of the module students should be able to:
- Understand the vulnerabilities of internet-based systems
- Demonstrate the threats associated with providing active/dynamic web content and understand how the vulnerabilities affect the design, implementation, and maintenance of active/dynamic web content.
- Know how to conduct an audit/review of an existing system to identify and correct security vulnerabilities.
The subjects covered are:
- Introduction to Internet Security
- Fundamentals of web security: Overview of web technologies, Web application architecture, Recent attack trends, Authentication vulnerabilities and defense, Authorization vulnerabilities and defense.
- Web Application Common Vulnerabilities and Mitigations: encryption use in web application, SSL vulnerabilities, Session vulnerabilities, Cross Site Request Forgery, SQL Injection vulnerabilities, testing and defense.
- Proactive Defense and Operation Security: Cross Site Scripting vulnerability and defenses, Web environment configuration security, Intrusion detection in web application, Incident handling
- Web Services security: Web services overview, XML security, WS security framework
- Risk Assessment & Threat Modelling: risk modelling for developing secure web applications.
- Design, Implementation, & Evaluation of Secure Web Apps: implementation & evaluation of secure web servers, services and applications.
The course will be covered by weekly lectures. An important part of the student load is the homework assignments on specific parts of the course. Moreover, there will be a final project requirement where the student will study a state-of-the-art web security problem.
5. Student evaluation
Student evaluation will be based on the grades of the homework assignments, the grade of the final project and the final exams.
- Textbook: D. Stuttard and M. Pinto. The Web Application Hacker’s Handbook. Wiley. 2008. ISBN: 978-0-470-17077-9
- Ivan Ristić. ModSecurity Handbook. Feisty Duck, Ltd. 2010. http://www.feistyduck.com/books/modsecurity-handbook/
- Open Web Application Security Project. A Guide to Building Secure Web Applications and Web Services. http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- Open Web Application Security Project. OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Open Web Application Security Project. OWASP Testing Guide. http://www.owasp.org/index.php/Category:OWASP_Testing_Project
- Google Inc. Browser Security Handbook. http://code.google.com/p/browsersec/wiki/Main/
- Selected readings from various sources as assigned