Secure Web Application Development

Chris Kanich
Jul 27, 2017 · 2 min read

This fall, I will be teaching a new course called Secure Web Application Development. The overall structure of the class is roughly one half security course and one half web development course, with the overall goal of teaching students simultaneously how to succeed and fail at web programming, so that they’ll hopefully be defensive coders when they do write code that’s available on the wild wild web for anyone to use or attack.

Goals

  • Pedagogical: I want to expose students to the concepts in computer security (web applications are arguably the most attacked software artifacts in the modern world), software engineering (put together a working artifact, under some reasonable definition of “working”!), and computer systems (evaluating and maximizing performance) in a way that’s compelling to them, and has a connection to the real world.
  • Populist: The students really want to learn “web” stuff and “JavaScript” stuff, so I’m going to give it to them! The goal here is to give them what they want, but use it as a carrot to have a very rigorous schedule that really gets the most value out of fifteen weeks that we possibly can, as well as achieve the pedagogical goals above, so that they come out of it with more than a superficial understanding of programming for “the web.”
  • Academic: I want to understand this stuff better, because a lot of my recent research has been looking at the web as it is used. My hobby horse has been that the “one size fits all” platform of the web combines two popular use cases, one of software delivery and another of rich media distribution, and if I can better understand how the former happens, and how it interacts with the latter, I’ll have more insights into the problem and what our options are for fixing it.

Pitfalls

  • Going too fast. I have a very ambitious 15 week schedule at the moment, and as much as I’d love to drive everyone through it, I know there’s only so much “you want to learn this stuff don’t you?” I can rely on to motivate students.
  • Not including enough security. I’ve never taught an actual security course, as I’ve always been more interested in teaching students how to build things rather than how to understand the vulnerabilities or myriad defenses against those vulnerabilities. I’m hoping that I’ll be able to leverage Adam Doupe’s WackoPicko as best I can to give students/myself a good starting list of vulnerability classes/attacks to test out.
  • Lack of structure. Because there’s no “Secure Web Application Development” textbook, my current plan is to assign readings from The Tangled Web and Learning Web Application Development. The latter definitely lends itself to a course structure, but combining the two, as well as supplementing with relevant readings, is going to be a challenge.
  • Procrastination. This one speaks for itself :). I’m going to be publishing more blog posts related to designing and teaching this class as I do so, in an effort to keep myself ahead of the game.
Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade