Syllabus - CS484 Fall 2021
Logistics#
Course: CS484 Secure Web Application Development
Lectures: MWF 2pm - 3pm Room: Burnham Hall 209
Prerequisite/Corequisite: CS341 Programming Language Design and Implementation
Piazza Online Forum: piazza.com/uic/fall2021/cs484 *Post all course related questions to Piazza
Lecturer: Chris Fulton cifulton@uic.edu
Office Hours: MW 11:30am - 12:30pm *Shoot me an email to notify me that you plan to stop by
Office Location: 923 SEO
Textbook#
(Required) WASEC: Web Application Security for the everyday software engineer: Everything a web developer should know about application security: concise, condensed and made to last. Author: Alessandro Nadalin ISBN: 978-1670062444
Learner Supplies#
Laptop is required for each class session
Course Delivery Format#
Our class sessions will be held in-person. Our sessions are scheduled to be recorded and livestreamed to allow for a small measure of flexibility for those who might not be able to make it to a session for various reasons. The expectation is that you will be able to attend the majority, if not all, of the class sessions. All quizzes and exams will be administered in-person unless noted otherwise. There will be a few Friday sessions that will be delivered asynchronously.
Course Description#
Web applications integrate concepts from software engineering, systems programming, and computer security. Teaches security through web development, enabling students to design, deploy, scale, attack, and defend modern web applications.
Course Overview#
This course integrates the concepts that underlie designing, deploying, and defending web applications to provide students with a foundational understanding of how to design and deploy scalable and secure web applications.
This class will teach students the concepts and techniques that enable web applications to maintain high performance in the face of numerous users and attackers. Students will learn and be able to apply software engineering concepts to manage the complexity of client‐side and server‐side software. Students will learn and be able to apply computer systems concepts to manage the scalability of the web application, and provide performant service to large numbers of simultaneous users. Students will learn and be able to apply computer security concepts to designing a web application which is robust to known and unknown attacks. Students will gain familiarity and facility with modern tools which enable creating applications that apply the aforementioned design, performance, and security concepts. Students will learn and be able to apply fundamental security concepts so that they can evaluate the security of future application designs in the face of potential future attacks.
Languages and Frameworks:#
- Node.js, Express.js Framework, Handlebars.js templating
- HTML, CSS, JS *Brief overview of Component-based Frameworks - React
- JSON
- SQL, SQLite Database
Topics Covered#
- Authorization and Authentication
- Page Layout
- XSS, CORS
- Parameterized Queries
- Session Hijacking
- SEO
- DDoS Attack
- Passport.js
- SQL Injection
- Sessions, Cookies, Tokens
- Http/Https, TLS/SSL, Public/Private Key Exchange Algorithms
- Http Headers
- Version Control (Git and GitHub)
- CI/CD pipelines
- Containers (Docker)
Succeeding in this Class#
As the instructor, my job in class is to organize the material coherently, give helpful lectures, provide a framework that combines enough challenge and support for success, and grade reasonably. A reasonable academic expectation is that you spend 2 hours outside of class for every hour spent in class. For a few of your assignments you may go over this time estimate.
- Complete the assigned reading and review material prior to each class session.
- Take notes during lecture
- Utilize your Working Team's Expertise
Discussion and Forum#
This term we will be using Piazza for class discussion. The system is highly catered to getting you help fast and efficiently from classmates, the TA, and myself. Rather than emailing questions, I encourage you to post your questions on Piazza. If you have any problems or feedback for the developers, email team@piazza.com.
Find our class signup link at: https://piazza.com/uic/fall2021/cs484
Grading Scale#
| Grade | Range |
|---|---|
| A | 100% - 93.4% |
| A- | < 93.4% - 90.0% |
| B+ | < 90.0% - 86.7% |
| B | < 86.7% - 83.4% |
| B- | < 83.4% - 80.0% |
| C+ | < 80.0% - 76.7% |
| C | < 76.7% - 73.4% |
| C- | < 73.4% - 70.0% |
| D+ | < 70.0% - 66.7% |
| D | < 66.7% - 63.4% |
| D- | < 63.4% - 60.0% |
| F | < 60.0% - 0.0% |
Grading Rationale#
3 Assignments - (15pts each)
4 Quizzes - (20pts each)
1 Final Project (25pts)
1 Final Exam (50pts)
200pts Total
Course Schedule#
| Week | Monday | Wednesday | Friday |
|---|---|---|---|
| 1 | Aug. 23rd Topic: Syllabus Review, Pre-Assessment, Survey | Aug. 25th Topic: Web App Overview (Web Architecture), Final Project Review Reading: Understanding Web Arch. | Aug. 27th Topic: Threat Modeling (Various Models, DFD's) Reading: OWASP Threat Modeling Cheatsheet |
| 2 | Aug. 30th Topic Version Control - Git Review: Videos 1 -3 in Git Lecture | Sept. 1st Topic: Version Control - GitHub Review: Videos 4 -6 in Git Lecture | Sept. 3rd Version Control - Resources Release: Assignment 1 |
| 3 | Sept. 6th No Lecture - Labor Day | Sept. 8th HTML/CSS/JS Overview Review: HTML Lecture Videos CSS Lecture Videos | Sept. 10th Topic: Working Groups Due: Quiz 1 (Weeks 1 - 2 Material) |
| 4 | Sept. 13th HTML/CSS/JS Page Layout Review: Page Layout | Sept. 15th Topic: HTML/CSS/JS Responsive Design Review: Responsive Design | Sept. 17th Topic: Client-side JS - CSP/XSS Attack Mitigation (Asynchronous Class - Pre-recorded Lecture) Reading: XSS Attacks Content Security Policy (CSP) |
| 5 | Sept. 20th Topic: Review of Client-side JS - CSP/XSS Attack Mitigation Node.js Overview Reading: XSS Attacks Content Security Policy (CSP) | Sept. 22nd Topic Core Modules Http/Https, TLS/SSL Reading: Understanding HTTP/HTTPS TLS/SSL Handshakes | Sept. 24th Topic: Understanding NPM Due @ 11:59pm: Assignment 1 |
| 6 | Sept. 27th Topic: Routing, Express, HTTP Verbs Reading: Express Explained | Sept. 29th No Class | Oct. 1st Topic: Authentication and Authorization Reading: Best Practices - Authentication + Password Management Reading/Resource: The Ultimate Guide to Passport JS Released: Assignment 2 |
| 7 | Oct. 4th Topic: Sessions, Cookies and Tokens Reading: Using HTTP Cookies Reading/Resource: The Ultimate Guide to Passport JS | Oct. 6th Topic: Integrating Passport.js local strategy Reading/Resource: The Ultimate Guide to Passport JS | Oct. 8th Topic: App Testing - Unit Testing Reading: Jest Testing - Intro. Tutorial Quiz 2 (3 - 7 Material) |
| 8 | Oct. 11th Topic: Integrating Passport.js local strategy | Oct. 13th Topic: Intro. App Testing | Oct. 15th Topic: Working with Data + Data Modeling (JSON, Tables) |
| 9 | Oct. 18th Topic: ERD Diagrams Reading: ER Diagrams Explained | Oct. 20th No Class Session - Team Day | Oct. 22nd Topic: RDBMS/NoSQL, ERD Diagrams + SQL (DDL/DML) Due @ 11:59pm: Assignment 2 Released: Assignment 3 |
| 10 | Oct. 25th Topic: Node.js + SQLite + Database Querying | Oct. 27th Topic: Parameterized Queries, SQL Injection, WAF Reading: DDoS + DoS Attacks | Oct. 29th Topic: Understanding RESTful APIs, Tools and Security Reading: HTTP Headers |
| 11 | Nov. 1st Topic: Http Headers + CORS Reading: Web Application Security Book pg.39 - 65 Reading: Cross Origin Resource Sharing | Nov. 3rd Topic: Brief Overview of React Resource: Guided React Resource | Nov. 5th Topic: Review of React Cont. Quiz 3 (8 -10 Material) |
| 12 | Nov. 8th Topic: Review of React Cont. | Nov. 10th Topic: Dockerfile, Docker Images | Nov. 12th Topic: Understanding Docker, Image Repository, Deploying Containers Due @ 11:59pm: Assignment 3 |
| 13 | Nov. 15th No Class Session - Team Day | Nov. 17th No Class Session - Team Day | Nov. 19th Topic: Continuing with Docker, Image Repository, Deploying Containers, Overview of Kubernetes Released: Final Project (Assignment 4) |
| 14 | Nov. 22nd Topic: Scaling and Cloud Vendors, CI/CD, GitHub Actions | Nov. 24th Topic: Usability and Performance | Nov. 26th NO CLASS |
| 15 | Nov. 29th OWASP, Bug Bounty Programs Reading: Web Application Security Book pg. 134 - 152 Quiz 4 (11 - 14 Material) | Dec. 1st Presentations | Dec. 3rd Presentations Due @ 11:59pm: Final Project (Assignment 4) |
| 16 | Dec. 6th NO CLASS Online Zoom presentations | Dec. 8th FINAL EXAM | Dec. 10th NO CLASS |
Formative Assessment#
In-Class Lecture Activities, Assignments, Quizzes
Summative Assessment#
Final Project, Final Exam
Late Work Policy#
All assignments must be submitted by the due date and time listed on the assignment. If an assignment is not turned in by the due date and time listed, it will not receive points and will be assessed a zero.
Students are permitted to continue work on assignments beyond the due date if a grade has not yet been posted. Once a grade is posted for the assignment, no further progress on the assignment can be made.
Academic Honesty#
Cheating, plagiarism, and any other forms of academic dishonesty will not be tolerated.
COVID-19#
Mask Mandate#
Face Masks: Masks covering both the mouth and nose must be worn at all times by all students, faculty, and staff while on campus and inside any building regardless of vaccination status. If you do not wear a mask, you will be asked to leave the classroom and will not be allowed back in class unless or until you wear a mask. If you have forgotten your mask, you may pick one up from one of the student information desks on campus during the first two weeks of campus. Students who do not comply with the mask-wearing policy will be reported to the Dean of Students. Eating and drinking are not allowed in classrooms.
COVID Procedures#
My expectation is what is given on the FAQ Covid page, where the latest "Circle Back to Campus" newsletter is from. My understanding is that we will all be vaccinated (or be tested regularly), meet masked and in person in our classroom, without extra physical distancing. Of course this could all change! Should there be the need to go back to online only, our plan is to have synchronous class online using Zoom. We will make every effort to have all classes recorded so those who need to can watch a class recording asynchronously if needed for Covid reasons. Email me if you know you will need to attend class remotely because of Covid, and we can figure out a reasonable adjustment. This does not apply to you if you simply miss class and watch the recording remotely some day(s), or miss lab for non-Covid reasons. We have selected the streaming option for class recordings. While I haven't tried this before, it is my understanding that you should be able to watch the class live, remotely, by selecting the option under the Echo360 link on the course Blackboard page (see link to Blackboard in the Navigation bar).
Disability Services, Letters of Accommodation (LOA)#
Refer as needed to the UIC campus disability services policy which applies to students in this class. If you have special circumstances such as a letter of accommodation (LOA) from the UIC Disability office, then please indicate this to me directly via email along with a copy of your letter, and remind me before each exam of any accommodations needed.
Disclaimer#
This syllabus is subject to change at the instructor's discretion with prior student notification.