Software Quality

Rotterdam University of Applied Sciences


Web applications are currently the predominant source of software vulnerabilities exploited in online attacks. The quantity and importance of the data entrusted to web applications keep growing, and defenders need to learn how to secure them. Traditional network defences such as firewalls cannot protect web applications: a firewall has to let HTTP(S) traffic through to the application, so an attack carried inside a legitimate-looking request reaches the vulnerable code unhindered. There is a growing need, and demand, for web programmers who are security literate.

This course introduces these risks and helps students understand web application vulnerabilities, so that they can properly defend their organizations’ web assets. It covers the main types of web application vulnerabilities, together with the professional coding and testing practices needed to develop and test secure web applications.


Disclaimer!

Read this disclaimer carefully, and ensure you clearly understand all statements, before you start the course:

  • You understand that in this class we may cover methods to exploit vulnerabilities in contemporary computer systems and computer networks.
  • You further understand that we may learn techniques employed by unethical individuals to circumvent security mechanisms, violate copyright, cause damage, cause financial loss, or otherwise break the law.
  • You hereby pledge to use all information obtained in this class in an ethical and responsible manner, properly observing University Policy and the law.
  • You further pledge to abide by the course rules, in particular (but not limited to) the rule against attacking systems declared off-limits by the instructional staff.
  • By using the course materials, you accept that you will only use them lawfully in a test lab, with devices that you own or are permitted to conduct penetration tests on, to enhance your own knowledge. We do not endorse the use of any information in this course outside a lab environment.
  • Any actions or activities related to the materials in this course are solely your responsibility. Misuse of the knowledge and information in this course can result in criminal charges being brought against the persons in question.

Course Description

You can find the full course descriptor at: Software Quality Course Descriptor


Learning Outcome

On completion of this module, students will be able to:

  1. Understand web application security and its importance.
  2. Understand the common mistakes of developers and the vulnerabilities of web applications.
  3. Explain how developers’ mistakes may be exploited to the benefit of attackers, and how to prevent these attacks.
  4. Build secure web applications using secure coding practices.

Assessment

The course assessment has two components: a Final Exam and a Summative Assignment.

Exam

The exam paper contains 40 multiple-choice questions covering all topics in the course. To pass the course, a student must answer at least 27 questions correctly.

Assignment

There is one final assignment for this course. The assignment does not contribute to the final grade, but students must fulfil its requirements to pass the course.

The submission deadline for the assignment is 8 July 2020 (extended to Friday 10 July 2020). Submit your assignment in Google Classroom.

Download the assignment description
Please note that this is a draft version of the assignment. We would like to receive your feedback on the assignment if any extra clarification is needed. The draft will automatically become the final version on Friday 29 May 2020 if we receive no comments from you.


Course Platform

We will be using this course page and Google Classroom as platforms for communication, sharing materials, announcements, etc.

It is your responsibility to check both pages (Google Classroom and the GitHub page) regularly to ensure you are aware of all announcements, posts, deadlines, exercises, assignments, etc.


Course Plan

This course will be offered online, according to the schedule in the Lesrooster (timetable). Each online lesson has three parts:

  1. Theory Lesson
  2. Review Quiz
  3. Practical Lesson

which are planned as shown below. Minor adjustments may be made depending on circumstances.

Week     Slot 1                       Slot 2                               Slot 3
Week 1   Introduction to the Course   Theory Lesson 1                      Quiz 1
Week 2   Theory Lesson 2              Quiz 2                               Practical Lesson 1
Week 3   Theory Lesson 3              Quiz 3                               Practical Lesson 2
Week 4   Theory Lesson 4              Quiz 4                               Practical Lesson 3
Week 5   Theory Lesson 5              Quiz 5                               Practical Lesson 4
Week 6   Exam Tips                    Discussion on Assignment with Q&A    Practical Lesson 5
Week 7   Formative Exam               Q&A                                  -

Join Online Lessons

You can join online classes according to the timetable below:

Weekday     Time            Group
Monday      15.00 - 17.50   DINF2 | INF2E
Wednesday   11.20 - 13.50   INF2A | INF2B
Wednesday   13.50 - 16.40   INF2C | INF2D

Slides for Theory Lessons

The print-friendly version of the course slides can be downloaded below (slides will be uploaded weekly):

Week 1) Lesson 1: The Basics
Week 2) Lesson 2: Passing Data to Subsystems
Week 3) Lesson 3: User Input
Week 4) Lesson 4: Output Handling
Week 5) Lesson 5: Web Trojans
Week 6) No Lecture
Week 7) No Lecture

Please note that reading only the slides is not sufficient to pass the course. You will also need to read the textbook to make sure you understand the topics discussed in the lessons.


Quizzes for Review

There are weekly quizzes designed to help you review and assess the knowledge gained in the previous lessons.

The quizzes are prepared in Kahoot. You will receive the quiz code for each week during the online class.

In addition to the live quiz in class, you can use the game PINs below to retake each quiz yourself. Pay attention to the expiry date of each PIN; this limit is imposed by Kahoot. Don’t worry if you need more attempts: let us know and we will provide new PINs and extend the deadline.

Week 1) The Basics (Game PIN: 02844779)
Week 2) Passing Data to Subsystems (Game PIN: 0930445)
Week 3) User Input (Game PIN: 0125284)
Week 4) Output Handling (Game PIN: 01599478)
Week 5) Web Trojans (Game PIN: 02746638)


Instructions for Practical Lessons

Lab instructions can be downloaded below (instructions will be uploaded weekly):

Week 1: There is no lab during class time, but you need to complete a homework assignment. The instructions can be downloaded here. Make sure you have completed it before joining the lesson of Week 2.

Week 2: HTTP Requests and Responses
Week 3: Building a Security Lab
Week 4: SQL Injection
Week 5: Input Validation
Week 6: Cross-site Scripting
Week 7: No Lab


Videos

You can watch and download the videos of the online lessons from your Google Classroom. The links are also provided here.

Week     DINF2/INF2E                  INF2A/INF2B                  INF2C/INF2D
Week 1   4 May 2020 (15.00-17.50)     6 May 2020 (11.20-13.50)     6 May 2020 (13.50-16.40)
Week 2   11 May 2020 (15.00-17.50)    13 May 2020 (11.20-13.50)    13 May 2020 (13.50-16.40)
Week 3   18 May 2020 (15.00-17.50)    20 May 2020 (11.20-13.50)    20 May 2020 (13.50-16.40)
Week 4   25 May 2020 (15.00-17.50)    27 May 2020 (11.20-13.50)    27 May 2020 (13.50-16.40)
Week 5   Holiday (join Wed. class)    3 June 2020 (11.20-13.50)    3 June 2020 (13.50-16.40)
Week 6   8 June 2020 (15.00-17.50)    10 June 2020 (11.20-13.50)   10 June 2020 (13.50-16.40)
Week 7   15 June 2020 (15.00-17.50)   17 June 2020 (11.20-13.50)   17 June 2020 (13.50-16.40)

Textbook:

Sverre H. Huseby. Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley, 1st edition, 30 January 2004.

Additional References:

Bryan Sullivan and Vincent Liu. Web Application Security, A Beginner’s Guide. McGraw-Hill Education, 1st edition, 24 November 2011.

Paco Hope and Ben Walther. Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast. O’Reilly Media, 1st edition, 27 October 2008.

Dafydd Stuttard and Marcus Pinto. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. Wiley, 2nd edition, 27 September 2011.