Network and Web Security

Module aims

To cover network and web security broadly from the network to the application layer. The emphasis of the course is on the underlying principles and techniques, with examples of how they are applied in practice.

Learning outcomes

At the end of the course, a student will have an understanding of the themes and challenges of network and web security, and the current state of the art. The student will have developed a critical approach to the analysis of network security and web application security, and will be able to bring this approach to bear on future decisions regarding security.

Specific learning outcomes:

• Sustain a conversation on cybersecurity.
• Describe main threats, attack techniques and defences relevant to cybersecurity and network security.
• Identify vulnerabilities in web applications, propose countermeasures.
• Design secure web applications by leveraging security principles.

Module syllabus

Cybersecurity: Overview; Vulnerabilities; Passwords; Malware; Botnets; Main cyber attacks, typical defences and their limitations.

Threat analysis and bug finding: Secure software development life cycle (SSDLC); Threat modelling; Code review and testing; Penetration testing.

Internet security: TCP/IP; DNS; URIs; HTTP; SSL/TLS.

Server-side security: Data breaches; Server-side threats, including command injection and path traversal; PHP; SQLi attacks; Other attacks.

Client-side security: The browser; JavaScript; Same Origin Policy (SOP); XSS attacks; JavaScript isolation.

Sessions: Cookies; CSRF and other attacks on sessions; Secure sessions; Social sign-on and related attacks.

Emerging security standards: CORS; HTML5 sandboxing; CSP; HSTS.

Privacy issues: Device fingerprinting; Web tracking.

Guest lectures: 3 lectures by experts from cybersecurity companies with presence in the UK.

Website: https://www.doc.ic.ac.uk/~maffeis/331/

Pre-requisites

Several topics discussed during the module require a general knowledge of computer networks, distributed systems, and programming languages.

Recommended (not required) prerequisites:

• CO211 Operating systems
• CO212 Networks and Communications

Related courses:

• CO408H Privacy Enhancing Techniques
• CO409 Cryptography
• CO440 Software Reliability
• CO470 Program Analysis

Teaching methods

18 hours classroom-based, 9 hours laboratory-based.

Assessments

*This is a level 6/H course

Assessed coursework: practical and written exercises.
Final exam: laboratory based, comprising practical exercises and written questions.

Reading list

Supplementary

Module leaders

Dr Sergio Maffeis