Course syllabus - Web Security, 7.5 credits
Autumn semester 2021
A1N (Second cycle, has only first-cycle course/s as entry requirements).
School of Innovation, Design and Engineering
Course literature is preliminary up to 8 weeks before course start. Course literature can be valid over several semesters.
Modern web applications can often be described in terms of cooperation and sharing, both on the level of the users of the application and on the level of the application and the service providers, which puts web applications in a distributed application class with mutual distrust between the different stakeholders, and leads to a plethora of security challenges.
This course covers the most prevalent security challenges of web applications, from both a theoretical and a practical perspective. The aim of the course is to give the students the ability to identify and analyze common vulnerabilities and the related protection mechanisms, and to put this knowledge into practice. While the course focuses on web applications, most of the covered security challenges are instances of more general challenge classes that apply to many other types of applications, both within the application class of web applications and outside it.
After completing the course, the student shall be able to:
1. display knowledge of web applications and the corresponding application class, and the ability to construct complex applications
2. display knowledge of the most prevalent security challenges of web applications, and the ability to identify vulnerabilities in applications
3. display theoretical knowledge of protection mechanisms and their limitations, in isolation and in relation to each other
4. display knowledge of current research on attacks and protection mechanisms
The course gives an overview of the defining properties of web applications and the corresponding application class, and identifies different security challenges in relation to the different stakeholders: the users, the application provider, and the service and library providers. It covers concepts such as statelessness, confidentiality, integrity, access control, authentication and authorization, and session handling, together with the attacks related to those concepts. In addition, the course covers different forms of injection attacks, where code, in one way or another, is injected and executed on the client or server side.
The course emphasizes the importance of the interplay between theory and practice, where both attacks and protection mechanisms are studied from a theoretical perspective and put into practice. In selected cases, the attacks are identified as instances of more general classes of attacks and their relation to other instances of the corresponding class is discussed.
In addition, the course gives an orientation of selected parts of current research on attacks and protection mechanisms, in relation to the application class of web applications.
120 credits, of which at least 80 credits in technology or informatics, including at least 30 credits in programming or software development. In addition, Swedish course B/Swedish course 3 and English course A/English course 6 are required. For courses given entirely in English, an exemption is made from the requirement of Swedish course B/Swedish course 3.
Laboratory work (LAB1), 6 credits, examines learning outcomes 1-4. Marks: Fail (U) or Pass (G).
Exercise (OVN1), 1.5 credits, examines learning outcomes 3 and 4. Marks: Fail (U) or Pass (G).
A student who has a certificate from MDH regarding a disability has the opportunity to submit a request for supportive measures during written examinations or other forms of examination, in accordance with the Rules and Regulations for Examinations at First-cycle and Second-cycle Level at Mälardalen University (2016/0601). It is the examiner who takes decisions on any supportive measures, based on what kind of certificate is issued, and in that case which measures are to be applied.
Suspicions of attempting to deceive in examinations (cheating) are reported to the Vice-Chancellor, in accordance with the Higher Education Ordinance, and are examined by the University's Disciplinary Board. If the Disciplinary Board considers the student to be guilty of a disciplinary offence, the Board will take a decision on disciplinary action, which will be a warning or suspension.
Interim provisions and other regulations
The course completely overlaps with DVA456 Web Application Security and DVA446 Applied Cybersecurity.