ISSC411 - Application Security

Course Details

Course Code: ISSC411 Course ID: 4406 Credit Hours: 3 Level: Undergraduate

This course is an introductory study of the principles, practices, procedures, and methodologies to ensure security of data within web-based applications. It examines secure coding practices and processes, web application security configuration management techniques, and web application security standards. It appraises the convergence between web application security and associated threat vectors/attack methods. It appraises secure development processes, web application secure configuration techniques, and legal issues related to securing vital digital assets. Course topics include: Secure Configuration & Development, Vulnerability & Risk Mitigation, Vulnerability Assessments & QA Testing, and PCI DSS Compliance. Requires CITRIX CLIENT SOFTWARE INSTALLATION FOR ONLINE VIRTUAL LABS accessibility.
Course Schedule

Registration Dates | Course Dates | Session | Weeks
--- | --- | --- | ---
05/27/19 - 11/01/19 | 11/04/19 - 12/29/19 | Fall 2019 Session I | 8 Week session
06/24/19 - 11/29/19 | 12/02/19 - 01/26/20 | Fall 2019 Session D | 8 Week session
07/29/19 - 01/03/20 | 01/06/20 - 03/01/20 | Winter 2020 Session B | 8 Week session
08/26/19 - 01/31/20 | 02/03/20 - 03/29/20 | Winter 2020 Session I | 8 Week session
09/30/19 - 02/28/20 | 03/02/20 - 04/26/20 | Winter 2020 Session D | 8 Week session

Current Syllabi

The successful student will fulfill the following learning objectives:

  • CO1: Describe web-based applications and associated threats
  • CO2: Compare and contrast mainframes, client-server, and applications
  • CO3: Describe the role of web-based applications in E-commerce transactions
  • CO4: Describe social networking and evaluate associated risks
  • CO5: Evaluate web application security vulnerabilities against published standards
  • CO6: Identify web application security controls and risk mitigation techniques
  • CO7: Develop a security strategy and solution for securing web-based applications
  • CO8: Assess web application security compliance requirements and objectives
  • CO9: Design a web-application Vulnerability and Security Assessment Test Plan

Evaluation Procedures

The grading will be based on assignments, forum postings, case study, term paper, and labs.

  1. Assignments: There will be eight assignments. The assignments and exercises will count as 28% of the final grade. The assignments will follow each of the major portions of the course. These assignments should include at least 3 references and be submitted in APA formatting. Assignments should be prepared in Microsoft Word or an equivalent word processor program and uploaded into the student folder by the due date.
  2. Forum Postings: There will be eight Forum postings you will need to respond to. Answers should be a paragraph with a topic sentence that restates the question and supporting sentences using the terms, concepts, and theories from the required readings. Each answer should be a minimum of 250 words. You may respond to other students’ answers using the terms, concepts and theories from the required readings. All responses should be a courteous paragraph that contains a topic sentence with good supporting sentences. You may respond multiple times with a continuous discussion with points and counter points. The key requirement is to express your idea and then support your position using the terms, concepts and theories from the required readings to demonstrate to me that you understand the material. The Forum postings will count as 24% of the final grade.
  3. Case Study: There will be a case study in this course. Details will be provided during the term in the course management system. This will count as 10% of your total course grade.
  4. Term Paper: There will be a comprehensive and research-based Term Paper for this course. The items that count towards the term paper are worth a total of 18% of your total course grade. The deliverable for this assignment MUST NOT be less than 10 pages. Borrowed materials must be properly cited per APA documentation format. Any clear evidence of plagiarism will result in an automatic zero. (Please see the section below for the details of the 4 parts towards the term paper.)
  5. Labs: There will be 4 lab assignments for this course. More details will be provided during the term in the course management system. This will count as 20% of your total course grade.

Term Paper Topic (Due at end of Week 2)

Instructions: Only the topic is due at the end of Week 2

Submission Instructions: You are required to write a 10-page research paper on a topic of your choosing, related to the course concepts. Your topic must be submitted for approval by the end of Week 2. Please submit the topic via Sakai in the assignment section and not email.

Term Paper Outline (Due at end of Week 3)

Instructions: You must submit an outline for approval by the end of Week 3. It must include a detailed outline of topics and subtopics, as well as an annotated bibliography.

Submission Instructions: You are required to write a 10-page research paper on a topic of your choosing, related to the course concepts. The annotated bibliography must include at least three of the references you will use in your paper, written in APA style, with each one followed by a brief description of the reference.

Term Paper PowerPoint Presentation (Due at end of Week 6)

Instructions: A PowerPoint presentation with a minimum of 10 slides outlining the following:

At a minimum include the following:

  • Detailed description of the area researched
  • Technology involved in the area
  • Future trends in the area
  • Example companies involved in the area
  • Regulatory issues surrounding the area
  • Global implications for the area
  • References (minimum of 4)

Submission Instructions: You are required to write a 10-page research paper on a topic of your choosing, related to the course concepts. The presentation highlights major areas of the paper. Typically the presentation would be a presentation of what you plan to include in the paper project to ‘sell’ the idea to the executive team or the funding team that would make a final decision whether or not to continue with the project.

Term Paper (Due at end of Week 8)

Instructions: You are required to write a 10-page research paper on a topic of your choosing, related to the course concepts. Your final draft is due at the end of Week 8.

Submission Instructions: Be sure your paper meets the following requirements:

You will be required to write one research paper this semester. The specifications are as follows:

  1. 10 pages (double-spaced), excluding the title page, the abstract page (if included), and the references pages.
  2. Choose any topic related to the course and write about the latest developments and issues.
  3. Use at least five references outside of your textbook (you may use your textbook too, but are not required to).
  4. In addition to the required number of pages for the assignment, you must also include a reference page (bibliography), written in APA style, and a title page. Be sure to give all of your papers a descriptive title.
  5. You must get your topic approved by the end of Week 2.
  6. You must provide a 1-page outline of your paper by the end of Week 3. Your outline must include citations to three references (other than your textbook) and a brief summary of at least three references that you will use in your paper.
  7. At Week 6 you will be working on a PowerPoint presentation highlighting the key points of the paper you are working on.
  8. Use APA Style formatting in 11- or 12-point Arial or Times New Roman.
  9. Page margins Top, Bottom, Left Side and Right Side = 1 inch, with reasonable accommodation being made for special situations.
  10. Your paper must be in your own words, representing original work. Paraphrases of others’ work must include attributions to the authors. Limit quotations to an average of no more than 15% of the paper, and use quotations sparingly!

This assignment has the embedded TurnItIn feature turned on. When you submit the paper, an originality report will be generated. The report must comply with the acceptable originality criteria displayed in the announcements on Academic Honesty in Week 1 of the course.

Name | Grade %
--- | ---
Assignments | 28.00 %
Assignment 1 (Wk1) | 3.50 %
Assignment 2 (Wk2) | 3.50 %
Assignment 3 (Wk3) | 3.50 %
Assignment 4 (Wk4) | 3.50 %
Assignment 5 (Wk5) | 3.50 %
Assignment 6 (Wk6) | 3.50 %
Assignment 7 (Wk7) | 3.50 %
Assignment 8 (Wk8) | 3.50 %
Forums | 24.00 %
Forum 1 | 3.00 %
Forum 2 | 3.00 %
Forum 3 | 3.00 %
Forum 4 | 3.00 %
Forum 5 | 3.00 %
Forum 6 | 3.00 %
Forum 7 | 3.00 %
Forum 8 | 3.00 %
Labs | 20.00 %
Week 2 Lab: Lab#1 | 5.00 %
Week 4 Lab: Lab#3 | 5.00 %
Week 5 Lab: Lab#4 | 5.00 %
Week 7 Lab: Lab#7 | 5.00 %
Case Study | 10.00 %
Week 8 Case Study | 10.00 %
Term Paper Topic | 1.00 %
Term Paper Topic (Wk2) | 1.00 %
Term Paper Outline | 2.00 %
Term Paper Outline (Wk3) | 2.00 %
Term Paper Presentation | 5.00 %
Term Paper Presentation (Wk6) | 5.00 %
Term Paper Product | 10.00 %
Term Paper Final Product (Wk8) | 10.00 %

Web-Based Readings

WEEK 1:

Ousterhout, J. (2012). Why Web? Web Applications. Stanford University. Retrieved from http://openclassroom.stanford.edu/MainFolder/CoursePage.php?course=WebApplications

WEEK 2:

Wikibooks (2011). E-Commerce and E-Business/E-Commerce Applications: Issues and Prospects. Retrieved from http://en.wikibooks.org/wiki/E-Commerce_and_E-Business/E-Commerce_Applications:_Issues_and_Prospects

WEEK 3:

US-CERT (2011). Cyber Security Tip ST06-003. Retrieved from http://www.us-cert.gov/cas/tips/ST06-003.html

Brumley, David & Boneh, Dan (nd). Remote Timing Attacks are Practical. Retrieved from https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Kocher, Paul (nd). Timing Attacks of Diffie-Hellman, RSA, DSS, and Other Systems. Retrieved from http://42xtjqm0qj0382ac91ye9exr.wpengine.netdna-cdn.com/wp-content/uploads/2015/08/TimingAttacks.pdf

WEEK 4:

The OWASP Foundation (2010). OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks. Retrieved from http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

MITRE Corporation (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved from http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf

WEEK 5:

The OWASP Foundation (2010). OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks. Retrieved from http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

MITRE Corporation (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved from http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf

WEEK 6:

The OWASP Foundation (2010). OWASP Secure Coding Practices Quick Reference Guide. Retrieved from https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

The OWASP Foundation (2008). OWASP Code Review Guide, V1.1. Retrieved from https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

The OWASP Foundation (2007). Embed within SDLC. Retrieved from http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt

WEEK 7:

PCI Security Standards Council (2010). PCI DSS Requirements and Security Assessment Procedures, Version 2.0. Retrieved from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

WEEK 8:

InfoSec Institute (2011). OWASP Top Ten Tools and Tactics. Retrieved from http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

The OWASP Foundation (2008). OWASP Testing Guide v3. Retrieved from http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

Software Requirements

  • Microsoft Office (MS Word, MS Excel, MS PowerPoint)

Selected Bibliography

Brumley, David & Boneh, Dan (nd). Remote Timing Attacks are Practical. Retrieved from https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

InfoSec Institute (2011). OWASP Top Ten Tools and Tactics. Retrieved from http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/

Kocher, Paul (nd). Timing Attacks of Diffie-Hellman, RSA, DSS, and Other Systems. Retrieved from http://42xtjqm0qj0382ac91ye9exr.wpengine.netdna-cdn.com/wp-content/uploads/2015/08/TimingAttacks.pdf

MITRE Corporation (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved from http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf

Ousterhout, J. (2012). Why Web? Web Applications. Stanford University. Retrieved from http://openclassroom.stanford.edu/MainFolder/CoursePage.php?course=WebApplications

PCI Security Standards Council (2010). PCI DSS Requirements and Security Assessment Procedures, Version 2.0. Retrieved from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

The OWASP Foundation (2008). OWASP Code Review Guide, V1.1. Retrieved from https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf

The OWASP Foundation (2007). Embed within SDLC. Retrieved from http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt

The OWASP Foundation (2010). OWASP Secure Coding Practices Quick Reference Guide. Retrieved from https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

The OWASP Foundation (2008). OWASP Testing Guide v3. Retrieved from http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

The OWASP Foundation (2010). OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks. Retrieved from http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf

US-CERT (2011). Cyber Security Tip ST06-003. Retrieved from http://www.us-cert.gov/cas/tips/ST06-003.html

WikiBooks (2011). E-Commerce and E-Business/E-Commerce Applications: Issues and Prospects. Retrieved from http://en.wikibooks.org/wiki/E-Commerce_and_E-Business/E-Commerce_Applications:_Issues_and_Prospects

Book Title: Requires CITRIX CLIENT SOFTWARE INSTALLATION FOR ONLINE VIRTUAL LABS accessibility - instructions provided inside the classroom.
Author: No Author Specified

Book Title: ISSC411 virtual lab manual provided inside the classroom
ISBN: NTMO-ISSC411
Publication Info: CLASS-Jones & Bartlett
Electronic Unit Cost: $55.00

Book Title: Internet Security: How to Defend Against Attackers on the Web, 2nd Ed - the VitalSource e-book is provided inside the classroom
ISBN: 9781284090550
Publication Info: VS-Jones & Bartlett
Author: Harwood, Mike
Unit Cost: $75.79
Electronic ISBN: 9781284107746
Electronic Unit Cost: $35.00

Previous Syllabi

Not current for future courses.