Course Summary

Prerequisites (minimum knowledge):

  1. Basics of web programming (HTML)
  2. JavaScript
  3. SQL

Course level: Bachelor

    Learning effort: min. 150 hours of study (30 hrs. e-learning directed study, 15 hrs. collaborative online lab, 15 hrs. collaborative project, 60 hrs. preparation/follow-up of labs/project, 30 hrs. follow-up independent study and individual preparation for the exam).

    Credits: 6 ECTS

Teaching method: Blended Learning

The instructor answers students’ questions (Q&A), presents demos, moderates the presentation of case studies conducted by industry experts, and moderates discussions using interactive systems such as webinars or video conferences. These weekly support sessions are announced to the participants in advance.

Learning objectives:

    Upon completing the course, the student is able to:
    • Recognize the most severe web application attacks occurring daily world-wide (OWASP Top 10)
    • Evaluate the organizational risk associated with different web application threats
    • Use the Penetration Testing Execution Standard as a guideline to create organized and well documented web application testing procedures
    • Apply techniques and tools to test the security level of a web application in practice
    • Repair web application security vulnerabilities revealed by penetration testing
    • Apply in practice the principles recommended for designing, developing and deploying secure web applications

    General description:

    The course focuses on threats to web applications and to their clients. The most important attack vectors, as described in the OWASP Top 10, are considered. Combinations of attack vectors are considered and their combined impact on security is exposed. Special emphasis is placed on practical protection methods on multiple implementation platforms. Platform-specific weaknesses are exposed and tested. Web applications will be tested with a set of penetration testing tools to reveal application vulnerabilities and security misconfigurations. The web application penetration testing process will be based on relevant standards, e.g. the Penetration Testing Execution Standard.

    Course content:

    • Chapter 1: Introduction to Web Application Security
      • The role of web applications in modern society
      • The new security threats introduced by web applications
    • Chapter 2: Web Application Technologies and Frameworks
      • Basics of the underlying technologies
      • The diverse range of web applications
    • Chapter 3: Web Application Defense Mechanisms
      • Basic concepts of web application security
    • Chapter 4: Mapping the Application
      • Reconnaissance activities of the penetration testing process
      • Information gathering
    • Chapter 5: Bypassing Client-Side Controls
      • Techniques commonly used to limit functionality on the client side
      • Bypass methods for client-side controls
    • Chapter 6: Attacking Authentication
      • Introduction to authentication methods and functionality
      • Common authentication failures and exploits
    • Chapter 7: Attacking Session Management
      • Introduction to session management
      • Session management weaknesses
      • Securing session management
    • Chapter 8: Attacking Access Controls
      • The access control concept
      • Common access control vulnerabilities
    • Chapter 9: Injecting Code
      • Code injection vulnerabilities and types of injection
      • SQL injection in detail
    • Chapter 10: Attacking Other Users
      • Client-side exploits
      • XSS and CSRF exploitation methods
    • Chapter 11: Other Exploitation Methods
      • Commonly used exploitation techniques
    • Chapter 12: Web Application Security Tools
      • The function of automated penetration testing
      • Automated testing tools
    • Chapter 13: Penetration Testing Standards
      • Overview of penetration testing standards
      • Legislation relevant to penetration testing

    Lab assignments:

    Lab experiments using a virtual lab will be assigned to the students. The labs are correlated with the interactive multimedia reading materials of each unit and make use of the students' creativity and analytical capabilities. They require students to demonstrate their understanding of the materials and reflect their personal view on the topics. The lab results will be evaluated by the instructor of the course.

    Collaborative and cumulative project:

    A project will be assigned to the students. It will be carried out collaboratively by international teams of 2-3 students and presented in the form of a wiki, a presentation or a portfolio. The project is cumulative, i.e. each project step builds on the framework provided by the prior steps. The project results will be evaluated by the instructor of the course.

    Discussions:

    Throughout the course, students will be involved in e-discussions related to the course content through means specific to e-learning, such as forums, wikis, e-portfolios, etc. As part of the virtual community, each student will give feedback to at least two colleagues in the forums.

    Performance:

    • Lab performance = 30% of the final grade.
    • Project performance = 20% of the final grade.
    • Discussions performance = 10% of the final grade.
    • Written presence exam (60 min.) = 40% of the final grade (conducted at the home university with the help of a trusted teacher).
    The result of the evaluation will be expressed in percentage and transferred to the students’ home university by the instructor.

    Literature:

    1. Dafydd Stuttard, Marcus Pinto, ”The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws”, 2nd Edition. Indianapolis: John Wiley & Sons, Inc., 2011.
    2. Bryan Sullivan, Vincent Liu, ”Web Application Security, A Beginner's Guide”, 1st Edition. McGraw-Hill, 2012.
    3. The Penetration Testing Execution Standard: http://www.pentest-standard.org/index.php/Main_Page
    4. Open Web Application Security Project: https://www.owasp.org
    5. OWASP Top 10 Web Application Security Risks: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Kimmo Sauren
Professor, Department of Information Technology, Metropolia University of Applied Sciences, Helsinki, Finland
Research interests: Web Application security, Embedded systems.

“In IT we constantly have to learn new skills. Especially in the field of security it is essential to have detailed know-how in applied technologies. I find learning new ways of protecting systems challenging but extremely rewarding. And I like sports. During the summer you are likely to find me playing golf and during the winter on the shooting ranges. Welcome to our course!”