Securing Applications, Web Services, and Software-As-A-Service (SAAS)

Academic year: 2021

Brandeis University Division of Graduate Professional Studies Rabb School of Continuing Studies

RIAS-0120-DL

Securing Applications, Web Services, and Software-As-A-Service (SAAS)

Course Syllabus

I. Course Information

Distance Learning Course Week: Thursday through Wednesday

Instructor

Ramesh Nagappan

Mobile phone: 781 442 2529

Office hours: Generally Monday and Wednesday 5:30 pm - 7:30 pm (EST) or by other arrangement

Email: [email protected] or use Quickmail from Latte.

Skype: ramesh.r.nagappan

GTalk: ramesh.r.nagappan

Email and Instant Messaging are the best and fastest ways to reach the instructor. Please submit assignments to the Assignment dropbox.

Document Overview

This syllabus contains all relevant information about the course: its objectives and outcomes, the grading criteria, the texts and other materials of instruction, weekly topics, outcomes, assignments, and due dates.

Consider this your roadmap for the course. Please read through the syllabus carefully and feel free to share any questions that you may have. Please print a copy of this syllabus for reference. The following information is included in this syllabus. Details on the assignments can be found in the Assignments document posted in the Additional Course Materials block.

• Course Description

• Materials of Instruction

• Grading Criteria and Assignments

• Course Outline

• Course Calendar

• Course Policies and Procedures

• University and Rabb School of Graduate Professional Studies Standards


learn from each other, hoping that we’ll have open and enriching discussions as we move forward!

The instructor’s introduction has been posted on the course Homepage. The instructor looks forward to reading your introduction (Discussion Topic: Week 1 – Introductions) and getting to know you as well. Feel free to post a picture of yourself along with your Introduction.

Related Programs:

Elective course in:

• MS in Information Security

• MS in Software Engineering

• MS in IT Management

• MS in Health and Medical Informatics

Prerequisites:

This course is focused on Web application security, so students are required to have prior knowledge and understanding of a popular Web application environment (one of the following: Apache/Tomcat, Java EE or Microsoft .NET). Some experience developing or administering Web applications using Java, Microsoft .NET or PHP/Python will be helpful.

Course Description

The purpose of the course is to provide coverage from the ground up on applied security concepts, technologies, techniques, patterns, best practices and checklists intended for securing Web based applications, XML Web services based Service-Oriented Architectures (SOA) and Software-As-A-Service (SAAS) in Cloud applications. The course presents the security standards and technologies intended for securing applications, Web portals, SOA/XML Web services, Identity management and enabling SAAS for Cloud application environments. The course dives deep into the real-world security challenges in IT applications and drills down on strategies for identifying security threats and risks, adopting a security design methodology, implementing security architecture using patterns and best practices and performing security testing and production deployment.

This course includes hands-on exercises for demonstrating security mechanisms and design patterns and a case-study walkthrough for delivering end-to-end security architecture that includes Web applications, XML Web services and Identity Management solutions. By the end of this course, the student will be able to describe and demonstrate proactive and prescriptive approaches to applying security in Web applications, Web portals, XML Web Services, SAAS environments and the use of Identity management technologies for Single sign-on and Federation solutions. The course lectures and assignments will provide guidance for Java based application environments. However, students may choose to use Java or Microsoft .NET environments for their application platform and web security assignments.

Online Course Content

This section of the course will be conducted completely online using Brandeis’ Latte site, available at http://latte.brandeis.edu. The site contains the course syllabus, assignments, our Discussions bulletin board, links/resources to course-related professional organizations and sites, and weekly checklists, objectives, outcomes, topic notes, self-tests, and discussion questions. Access information is emailed to enrolled students before the start of the course. To begin participating in the course, review Week 1 Checklist.


Overall Course Objectives

Security has taken on unprecedented importance in the information technology (IT) industry and has become a critical part of every IT application. This heightened importance compels every IT application to adopt proactive or reactive measures that ensure security against disclosure of confidential information, destruction of data, misappropriation of resources, and compromise of accountability. IT applications can be secured by implementing appropriate countermeasures and safeguards as part of the software development lifecycle – from design and development through post-production operations. The course will expose students to the applied concepts, technologies, design patterns, best practices and strategies intended for Securing Applications, XML Web services, SOA, Identity Management and Software-As-A-Service in Cloud applications.

Upon successful completion of this course, the student will be able to:

• Describe the basic security concepts and techniques intended for securing web based applications, XML Web services, Service-oriented architecture (SOA) based applications, Identity Management and Software-As-A-Service in Cloud applications.

• Gain understanding on security design methodologies, design patterns and processes and reality checks.

• Describe the Java technology security architecture and applied mechanisms for Java Enterprise Edition (Java EE) based applications.

• Identify and understand the security patterns intended for Web-tier application deployments.

• Gain understanding on the use of SSL/TLS protocol, XML Web services Security (WS-Security, WS-Policy, WS-SecurityPolicy) and Identity management standards (SAML, XACML, WS-Federation).

• Identify and understand the security design patterns intended for XML Web Services Security and Identity Management.

• Understand the guiding principles of Cloud computing for Software As A Service (SAAS).

• Understand the security requirements and features intended for deploying SAAS applications in Cloud environments.

Materials of Instruction

a) Required Textbook

• Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management by Chris Steel, Ramesh Nagappan and Ray Lai (Prentice Hall)

b) Online Course Content

Software As A Service

PDF copies of additional course material for “Software As A Service (SAAS)” and Demo content via Illuminate.


Overall Grading Criteria

Percent Component

30 Class participation (Discussion Forums, Q & A)

20 Bi-weekly Quiz

30 3 Assignments

20 Final project

100 Total

Description of Assignments

Details of all assignments can be found in the Assignment Details document located on the Assignments page of the course.

1. Discussions/ Online Participation

Given the lack of a traditional classroom environment, all student participation will be done online via Latte. Each week there will be 1 or 2 discussions that you must participate in. Discussion questions can be found in the Forums.

The following are the minimum requirements for discussion participation.

1. Post in the discussions at least 3 out of the 7 days each week.

2. Initial responses to each of the discussion topics are due by end of day Saturday (midnight EST). These responses should be 300-400 words (300 words minimum) and include your own insights into the topics. You must demonstrate an integration of theory and experience. Any relevant sources used within the post should be cited appropriately.

3. Post (at least) 2 follow up responses in each of the discussion topics by end of day Wednesday (midnight EST) each week. These other posts will be responses to the discussion topic messages of others. The assumption is that you will read through the posts of your classmates to enhance your learning; respond to those of your choice, based upon your own experiences and insights.

Completion of the above criteria does not guarantee full credit for the weekly discussion. Timely participation is important to ensure that everyone has the necessary input from others to complete their own work. Keep in mind that these postings to the Discussions forums will be as rich as we make them; not having a traditional classroom in which to discuss topics, we can have some interesting discussions and share our experiences during the 10 weeks. These discussions are required to encourage you to share your knowledge and ideas while gaining from the experiences of your peers as well.

Discussion Evaluation:

Each week students are required to post an original response to each discussion question by Saturday, and two follow up responses in each discussion by Wednesday. Discussions will be evaluated on


§ Timeliness

§ Initial response to each topic that is based primarily on your analysis of:

o Personal experience

o Research you have conducted

o Your opinions

o Grammar/format/sources noted as appropriate

o Sufficient detail - original responses should be 350-500 words

o Technical content must contain your note/comment, with original sources properly cited.

§ Follow up responses (minimum of 2 in each topic)

o Your responses to colleagues are meant to share thoughts and experiences, but the content of each post must bring something new and valuable to the class. The instructor expects each of your replies to be more than 3 to 5 sentences, and, where possible, you should support your comments with reading from elsewhere. Postings that don’t add to the discussion will not contribute to your grades.

2. Homework Assignments

See Assignment Details document in the Additional Course Materials block for details of the homework assignments. Homework assignments should be posted in the appropriate Assignment dropbox.

There will be a 10% grade reduction for each day the assignment is late.

3. Final Project

In addition to the discussions and homework assignments, everyone is expected to complete and submit a final project. The purpose of this final project is for you to further develop, extend, and demonstrate your understanding of security concepts and techniques with an individualized scholarly project.


II. Course Outline

Note: Referenced below are Weekly Topics, Objectives, Readings, and Discussion Topics. All are located on the course site for the corresponding Weekly block.

Week 1 Security By Default

Objectives

Be able to gain understanding on:

§ The state of IT Security

§ Understanding security threats and vulnerabilities

§ Basics of application security

§ The role of SSL Protocol

Readings

Week 1 Course Topics

§ Business challenges around security

§ Security threats and vulnerabilities

§ Security requirements and goals

§ Basic security concepts and terminologies

§ Role of SSL/TLS protocol

Reference: Textbook Chapters 1 and 2, Instructor slides

Assignments / Assessments / Self-Assessments

Week 1 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

§ Note: Refer to the Description of Assignments/Online Participation section above for discussion expectations and evaluation methods.

The complete text of the discussion questions required for each week may be found in that week’s discussion Forum.

Week 2 The Alchemy of Security Design in Applications

Objectives

Be able to define and describe:

§ Security Design Methodologies

§ Security Design Patterns, Processes and Reality checks

§ Risk analysis and Trade-offs

§ Security Policy design concepts

§ Common IT Security terminologies

Readings

Week 2 Course Topics

§ Security Design Methodology, Patterns and Reality Checks

§ Secure UP

§ Risk analysis and Trade-off analysis

§ Security Patterns

§ Security policy design

§ Reality checks

§ Security testing

Reference: Textbook Chapter 8 and Instructor slides

Assignments / Assessments / Self-Assessments

Week 2 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.


Week 3 Java Platform Security: Concepts, Architecture and Mechanisms

Objectives

Be able to gain understanding on:

§ Security in Java Platform

§ Java Security Architecture

§ Java Applet Security

§ Java ME Security

§ Java Card Security

Readings

Week 3 Course Topics

§ Java Security Architecture

§ Java Applet security

§ Java ME security

§ Java Web Start Security

§ Java Card security

§ Java Security Management Tools

§ Securing Java Code

Reference: Textbook chapter 3 & Instructor slides

Assignments / Assessments / Self-Assessments

Week 3 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Assignment 1

Week 4 Java Extensible Security Architecture

Objectives

Be able to gain understanding on:

§ Java Extensible Security APIs

§ Java Cryptography Architecture (JCA) and Java Cryptographic Extensions

§ Java Secure Socket Communication (JSSE)

§ Java Authentication and Authorization Service APIs (JAAS)

Readings

Week 4 Course Topics

§ Java Cryptography Architecture and its extensions

§ Java Secure Socket Communication

§ Java Authentication and Authorization APIs

Reference: Textbook chapter 4 & Instructor slides

Assignments / Assessments / Self-Assessments

Week 4 Discussion Questions

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Bi-weekly Quiz


Week 5 Java EE: Web Application Security Architecture

Objectives

Be able to gain understanding on:

§ J2EE Architecture

§ J2EE Web/Presentation-tier application security

§ J2EE Declarative and Programmatic security

§ Securing communication using SSL/TLS

o J2EE Client security

o J2ME Client security

Readings

Week 5 Course Topics

§ Java Enterprise Security

§ Java EE Web Applications Security

o Web components – JSPs, Servlets

o Container Managed and Programmatic Security

§ Java Authentication and Authorization APIs

§ Declarative vs. Programmatic security

§ Web-tier and EJB-tier authorization

§ Principal delegation

Reference: Textbook chapters 5, 9 & Instructor slides

Assignments / Assessments / Self-Assessments

Week 5 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Assignment 1 Due

Assignment 2

Week 6 Java EE: Web Application Security Patterns

Objectives

Be able to gain understanding on:

§ Security patterns format

§ Web-tier security patterns

Readings

Week 6 Course Topics

§ Declarative and Programmatic Security

o Web Components

§ Understanding Security Patterns Format

§ Applied Web Tier Security Patterns

Reference: Textbook chapters 5, 6 & 9. Instructor slides

Assignments / Assessments / Self-Assessments

Week 6 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Bi-weekly Quiz


Week 7 XML Web Services Security & Security Patterns

Objectives

Be able to gain understanding on:

§ XML Web services and their security requirements

§ XML Web services security standards

§ Web Services Security infrastructure

§ Web Services Security Protocol stack

§ Web services security patterns

Readings

Week 7 Course Topics

§ Web Services Security Standards

o XML Signature

o XML Encryption

o XML Key Management System

o WS-Security

§ XML Web Services Security considerations

§ Web Services Security Protocols

§ Web Services Security Patterns

§ Web Services Security – Best practices and pitfalls

Reference: Textbook chapters 6 and 11. Instructor slides

Assignments / Assessments / Self-Assessments

Week 7 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Assignment 2 Due

Assignment 3

Week 8 Identity Management Standards & Technologies

Objectives

Be able to gain understanding on:

§ Basics of Identity Management

§ Architecture for Single Sign-on and Identity Federation

§ SAML, XACML, WS-Federation standards

§ SPML for enterprise provisioning

Readings

Week 8 Course Topics

§ Identity Management – Core issues

§ Introduction to SAML, XACML, WS-Federation and Liberty Alliance standards

§ Architecture and applied scenarios for Single sign-on and Federation

§ Introduction to SPML

Reference: Textbook chapters 7, 12 and 13 and Instructor slides

Assignments / Assessments / Self-Assessments

Week 8 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.


Week 9 Software As A Service

Objectives

Be able to gain understanding on:

• What Software As A Service (SAAS) is and its security requirements

• SAAS in Cloud computing

• SAAS Security

Readings

Week 9 Course Topics

§ Introduction to Software As A Service (SAAS)

§ Securing SAAS applications in a Cloud environment

§ SAAS Security (refer to additional material: content posted in LATTE)

Assignments / Assessments / Self-Assessments

Week 9 Discussion Topics

§ Post a response to the topic by Saturday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Assignment 3 Due

Project Abstract Due

Week 10 Software As A Service – Security Case Study

Objectives

Be able to understand:

• How to deploy and deliver a SAAS Application on the Cloud

Readings

Week 10 Course Topics

§ SAAS Case Study

Assignments / Assessments / Self-Assessments

Week 10 Discussion

§ Post a response to the topic by Friday. Two substantive replies are due by Wednesday. All discussion due dates assume midnight EST.

Final Project Due

Class Calendar

Week Quizzes and Assignment Due

1 None

2 Bi-weekly Quiz

3 Assignment 1 posted

4 Bi-weekly Quiz

5 Assignment 1 Due & Assignment 2 posted

6 Bi-weekly Quiz

7 Assignment 2 Due & Assignment 3 posted

8 Bi-weekly Quiz

9 Assignment 3 Due

10 Final Project


III. Course Policies and Procedures

Work Expectations

Students are responsible to explore each week's materials and submit required work by their due dates. On average, a student can expect to spend approximately 3-5 hours per week reading and approximately 4-6 hours per week completing assignments and discussions. The calendar of assignments and due dates is located at the end of this syllabus, and all assignments are due by the close of the associated week (Wednesday evenings).

Late Work

Written assignments will receive a 10% per day reduction in grade.

Discussion grades may be penalized for late postings and not meeting the discussion requirements.

Grading Standards

Grades are not given but are earned. Students are graded on demonstration of knowledge or competence, rather than on effort alone. Each student is expected to maintain high standards of honesty and ethical behavior. All assignments except those designated as "optional group case study assignments" are meant to represent your own work. I expect students to conduct themselves courteously online. If in my judgment a student's conduct is not courteous, I reserve the right to reduce that student's grade.

Feedback

Grades for all assignments and discussions will be posted in the course gradebook. Feedback will be provided on all assignments within 10 days of receipt. In addition, students will receive a weekly feedback email within 10 days of the end of each week on discussion posts (participation) submitted that week. Students may keep track of total points accumulated to date by reviewing the grade book.


IV. University and Rabb School Graduate Professional Studies

Please review the policies and procedures of Graduate Professional Studies, found at http://www.brandeis.edu/gps/students/studentresources/policiesprocedures/index.html. We would like to highlight the following.

Learning Disabilities

If you are a student with a documented disability on record at Brandeis University and wish to have a reasonable accommodation made for you in this course, please contact me immediately.

Academic Honesty & Student Integrity

Academic honesty and student integrity are of fundamental importance at Brandeis University and we want students to understand this clearly at the start of the term. As stated in the Brandeis Rights and Responsibilities handbook, “Every member of the University Community is expected to maintain the highest standards of academic honesty. A student shall not receive credit for work that is not the product of the student’s own effort. A student's name on any written exercise constitutes a statement that the work is the result of the student's own thought and study, stated in the student's own words, and produced without the assistance of others, except in quotes, footnotes or references with appropriate acknowledgement of the source." In particular, students must be aware that material (including ideas, phrases, sentences, etc.) taken from the Internet and other sources MUST be appropriately cited if quoted, and footnoted in any written work turned in for this, or any, Brandeis class. Also, students will not be allowed to collaborate on work except by the specific permission of the instructor. Failure to cite resources properly may result in a referral being made to the Office of Student Development and Judicial Education. The outcome of this action may involve academic and disciplinary sanctions, which could include (but are not limited to) such penalties as receiving no credit for the assignment in question, receiving no credit for the related course, or suspension or dismissal from the University.

Further information regarding academic integrity may be found in the following publications: "In Pursuit of Excellence - A Guide to Academic Integrity for the Brandeis Community", "(Students') Rights and Responsibilities Handbook" AND "Continuing Studies Student Handbook". You should read these publications, which all can be accessed from the Continuing Studies Web site. A student that is in doubt about standards of academic honesty (regarding plagiarism, multiple submissions of written work, unacknowledged or unauthorized collaborative effort, false citation or false data) should consult either the course instructor or other staff of the Rabb School for Continuing Studies.

University Caveat
