סילבוס הקורס אבטחת מערכות וישומים ברשת - תשע"ט, פקולטה למדעים מדויקים, אוניברסיטת ת"א

שנה"ל תשע"ט

אבטחת מערכות וישומים ברשת
Web System and Application Security

0368-3250-01

מדעים מדויקים


סמ' ב'	0900-1200	'א	009	שיעור	ד"ר מובשוביץ דוד

D:\Inetpub\shared\yedion\syllabus\03\2018\0368\0368325001_desc.txt סילבוס מקוצר Web based systems (i.e. systems which are based on the HTTP protocol, including mobile and cloud based applicationsa) are facing unique threats from information security perspective, at the network layer, at the infrastructure layer, and at the application layer. In the course we will learn how to perform threat modeling to a web system, and how to secure the web system by implementing security mechanisms and security best practices. We will learn how to secure the access to a network using firewalls, how to harden the web system infrastructure, and how to secure the application layer by implementing authentication and authorization mechanisms, and web session management. In addition, we will discuss (web) application vulnerabilities and related attacks (e.g. Injection attacks, XSS, XSRF, etc.), and will learn how to prevent them by implementing secure coding best practices. מדעים מדויקים 0368-3250-01 אבטחת מערכות וישומים ברשת Web System and Application Security שנה"ל תשע"ט \| סמ' ב' \| ד"ר מובשוביץ דוד סילבוס מפורט/דף מידע שם הקורס: אבטחת ישומים ברשת (Web Application Security) מרצה הקורס: ד"ר דוד מובשוביץ שעות הקורס: יום א' בין השעות 9:00 ל 12:00 רקע לקורס: Web based systems (i.e. systems which are based on the HTTP protocol, including mobile and cloud based applicationsa) are facing unique threats from information security perspective, at the network layer, at the infrastructure layer, and at the application layer. In the course we will learn how to perform threat modeling to a web system, and how to secure the web system by implementing security mechanisms and security best practices. We will learn how to secure the access to a network using firewalls, how to harden the web system infrastructure, and how to secure the application layer by implementing authentication and authorization mechanisms, and web session management. In addition, we will discuss (web) application vulnerabilities and related attacks (e.g. Injection attacks, XSS, XSRF, etc.), and will learn how to prevent them by implementing secure coding best practices. הנושאים שילמדו בקורס: In the course we will learn: The unique security aspects and challenges of web security Web network layer security and firewall technologies Stateless and statefull packet filtering Network Address Translation (NAT and PAT) DMZ and related best practices Web Authentication & Session Management Web application authentication mechanisms Web application session management Web application Single Sign-On (SSO) and SAML Web infrastructure vulnerabilities and countermeasures Web environment risk analysis and threat modeling overview Web infrastructure hardening Web Authorization & Access Control Input Validation related vulnerabilities The causes for input validation related vulnerabilities (and related attacks) Insecure direct object reference Unvalidated redirect and forward Input validation based on positive security logic Input validation based on negative security logic Evasion techniques Injection attacks SQL Injection and related evasion techniques, OS/LDAP/XPath and other Injection attacks, Best practices to prevent injection based attacks Error handling Threats related to error that are not handled properly Best practices for error handling Auditing & Logging Auditing and log analysis Central logging Browser based attacks XSS attacks XSS Categories Countermeasures Input Validation and evasion techniques Output encoding CSP XSRF Attack description Countermeasures Reducing attack surface Anti-XSRF token Security considerations for AJAX and Mobile applications רשימת של נושאי ההרצאות: Introduction to the unique aspects of web security (1 meeting) Information security terminology and concepts with focus on web based system (1 meeting) Firewalls and network access control (2 meetings) Web application authentication mechanisms (1 meeting) Web application session management – mechanisms, risks and mitigation techniques (1 meeting) Web application Single Sign-On (SSO) (1 meeting) Web authorization and access control (0.5 meeting) Web infrastructure vulnerabilities and countermeasures (2 meeting) Input validation and related attacks (1 meeting) Injection attacks (1 meeting) Error handling, logging and auditing (0.5 meeting) XSS attacks and mitigations (1 meeting) XSRF attacks and mitigations (0.5 meeting) AJAX & Web 2.0 Security issues (1 meeting) הערה: הרשימה אינה סופית ויתכנו שינויים במהלך הקורס. דרישות קדם לקורס: ידע מוקדם באבטחת מידע ולכן הקורס "מבוא לאבטחת מידע" מהוה דרישת קדם. ידע בפיתוח ישומים ובכתיבת קוד. ולכן הקורסים מבוא למדעי המחשב ואלגוריתמים מהווים דרישת קדם. כמו כן ידע מוקדם ב HTTP, HTML ו JavaScript יועיל לסטודנט (אנו נחזור על נושאים אלו בקצרה במהלך הקורס) הציון בקורס: הציון בקורס מורכב מציון בחינה ומציון על העבודות הבית שתתבקשו להכין במהלך הקורס. השקלול של הציון הוא: ציון מבחן מסכם –80% ציון עבודות בית –20% על מנת לעבור את הקורס על הסטודנט לקבל ציון מינימום של 60 במבחן המסכם וציון 60 בקורס. שעת קבלה: בכל שאלה ונושא ניתן לפנות למרצה בשעת הקבלה, או לשלוח אליו דואל אלקטרוני לכתובת dmovshovitz@gmail.com Bibliography (Required Readings) Note: Since the course is covering many topics and there is no text book that cover all the topics discussed in the course, there is no mandatory text book and the presentation are very detailed and cover all the subjects discussed in the course in details. There is of course recommended list of books for reading. Recommended Readings 1.Developer's Guide to Web Application Security, by Michael Cross 2. Web Application Vulnerabilities: Detect, Exploit, Prevent, by Steven Palmer 3. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation Developer's Guide to Web Application Security by Matt Fisher (Paperback - Jul 1, 2006) Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation 6.Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) by Joel Scambray, Mike Shema, Caleb Sima 7.Cross Site Scripting Attacks: XSS Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

ש"ס: 3.0

סילבוס מקוצר

Web based systems (i.e. systems which are based on the HTTP protocol, including mobile and cloud based applicationsa) are facing unique threats from information security perspective, at the network layer, at the infrastructure layer, and at the application layer. In the course we will learn how to perform threat modeling to a web system, and how to secure the web system by implementing security mechanisms and security best practices. We will learn how to secure the access to a network using firewalls, how to harden the web system infrastructure, and how to secure the application layer by implementing authentication and authorization mechanisms, and web session management. In addition, we will discuss (web) application vulnerabilities and related attacks (e.g. Injection attacks, XSS, XSRF, etc.), and will learn how to prevent them by implementing secure coding best practices.

מדעים מדויקים
0368-3250-01 אבטחת מערכות וישומים ברשת
Web System and Application Security
שנה"ל תשע"ט | סמ' ב' | ד"ר מובשוביץ דוד

666סילבוס מפורט/דף מידע

שם הקורס: אבטחת ישומים ברשת (Web Application Security)

מרצה הקורס: ד"ר דוד מובשוביץ

שעות הקורס: יום א' בין השעות 9:00 ל 12:00

רקע לקורס:

הנושאים שילמדו בקורס:

In the course we will learn:

The unique security aspects and challenges of web security
Web network layer security and firewall technologies
- Stateless and statefull packet filtering
- Network Address Translation (NAT and PAT)
- DMZ and related best practices
Web Authentication & Session Management
- Web application authentication mechanisms
- Web application session management
- Web application Single Sign-On (SSO) and SAML
Web infrastructure vulnerabilities and countermeasures
- Web environment risk analysis and threat modeling overview
- Web infrastructure hardening
- Web Authorization & Access Control
Input Validation related vulnerabilities
- The causes for input validation related vulnerabilities (and related attacks)
  - Insecure direct object reference
  - Unvalidated redirect and forward
- Input validation based on positive security logic
- Input validation based on negative security logic
  - Evasion techniques
Injection attacks
- SQL Injection and related evasion techniques,
- OS/LDAP/XPath and other Injection attacks,
- Best practices to prevent injection based attacks
Error handling
- Threats related to error that are not handled properly
- Best practices for error handling
Auditing & Logging
- Auditing and log analysis
- Central logging
Browser based attacks
- XSS attacks
  - XSS Categories
  - Countermeasures
    - Input Validation and evasion techniques
    - Output encoding
    - CSP
- XSRF
  - Attack description
  - Countermeasures
    - Reducing attack surface
    - Anti-XSRF token
Security considerations for AJAX and Mobile applications

רשימת של נושאי ההרצאות:

Introduction to the unique aspects of web security (1 meeting)
Information security terminology and concepts with focus on web based system (1 meeting)
Firewalls and network access control (2 meetings)
Web application authentication mechanisms (1 meeting)
Web application session management – mechanisms, risks and mitigation techniques (1 meeting)
Web application Single Sign-On (SSO) (1 meeting)
Web authorization and access control (0.5 meeting)
Web infrastructure vulnerabilities and countermeasures (2 meeting)
Input validation and related attacks (1 meeting)
Injection attacks (1 meeting)
Error handling, logging and auditing (0.5 meeting)
XSS attacks and mitigations (1 meeting)
XSRF attacks and mitigations (0.5 meeting)
AJAX & Web 2.0 Security issues (1 meeting)

הערה: הרשימה אינה סופית ויתכנו שינויים במהלך הקורס.

דרישות קדם לקורס:

ידע מוקדם באבטחת מידע ולכן הקורס "מבוא לאבטחת מידע" מהוה דרישת קדם.

ידע בפיתוח ישומים ובכתיבת קוד. ולכן הקורסים מבוא למדעי המחשב ואלגוריתמים מהווים דרישת קדם.

כמו כן ידע מוקדם ב HTTP, HTML ו JavaScript יועיל לסטודנט (אנו נחזור על נושאים אלו בקצרה במהלך הקורס)

הציון בקורס:

הציון בקורס מורכב מציון בחינה ומציון על העבודות הבית שתתבקשו להכין במהלך הקורס. השקלול של הציון הוא:

ציון מבחן מסכם –80%
ציון עבודות בית –20%

על מנת לעבור את הקורס על הסטודנט לקבל ציון מינימום של 60 במבחן המסכם וציון 60 בקורס.

שעת קבלה:

בכל שאלה ונושא ניתן לפנות למרצה בשעת הקבלה, או לשלוח אליו דואל אלקטרוני לכתובת dmovshovitz@gmail.com

Bibliography (Required Readings)

Note: Since the course is covering many topics and there is no text book that cover all the topics discussed in the course, there is no mandatory text book and the presentation are very detailed and cover all the subjects discussed in the course in details. There is of course recommended list of books for reading.

Recommended Readings

1.Developer's Guide to Web Application Security, by Michael Cross

2. Web Application Vulnerabilities: Detect, Exploit, Prevent, by Steven Palmer

3. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation

Developer's Guide to Web Application Security by Matt Fisher (Paperback - Jul 1, 2006)
Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation

6.Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) by Joel Scambray, Mike Shema, Caleb Sima

7.Cross Site Scripting Attacks: XSS Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

להצהרת הנגישות