IY5601 Application and Business Security Developments
- provide in-depth coverage of some of the current issues and technological developments relating to the security of business and e-commerce applications;
- consider the role of security in perspective and demonstrate how security techniques form part of an application system;
- examine how a particular situation may make certain aspects of security important and how an entire system might fit together.
On successful completion of the course students will be able to:
- identify and analyse the security issues that arise in a variety of applications;
- understand how and why particular applications address specific security concerns;
- analyse the various security issues in a particular application and explain how they relate to one another;
- review how the security aims are met in a particular application.
The course will commence with a general introduction to the design of security within an application. This general introduction will cover issues such as: security policy establishment; threat and vulnerability analysis; security requirements definition; system specification; security procedure definition; ongoing security management and audit.
The remainder of the course will examine up to three application domains in substantially more detail. In each domain the following issues will be explored in detail:
- General security objectives;
- Underlying technologies;
- Example applications;
- A detailed case study of part of an application of this type.
The precise list of security applications may vary slightly to reflect developments in the subject; however, the initial set of application domains is likely to include:
- Payment and e-commerce applications: technology issues covered will include: payment models, closed PKIs, EMV, 3-D Secure; the case study may be on managing the EMV PKI.
- Web applications: technology issues covered will include: WS-Security, XML security, SOAP, and SAML; the case study may be of a UEFA web application.
- Identity management: technology issues covered will include: SSO systems, Kerberos, Passport and Liberty; the case study may be on Microsoft's InfoCard.
The main lectures will be delivered by ISG staff, although descriptions of individual case studies may be delivered by industry experts. All lectures will provide opportunities for questions and further discussion.
This module will include non-assessed coursework which students are encouraged to complete and submit. Feedback on coursework will be provided to students.
There is no single text which covers this course. The following list of books provides a useful starting point. Some of these contain useful background material whilst others provide further details of topics covered in the course.
B. Dournaee, XML Security. McGraw-Hill, 2002.
P. Kumar, J2EE Security for Servlets, EJBs, and Web Services. Prentice Hall PTR, 2003.
D. O'Mahony, M. Peirce, and H. Tewari, Electronic Payment Systems for e-commerce. Artech House, Boston, 2nd edition, 2001.
J. Rosenberg and D. Remy, Securing Web Services with WS-Security. SAMS Publishing, 2004.
J. Snell, D. Tidwell, and P. Kulchenko, Programming Web Services with SOAP. O'Reilly, 2002.
L. D. Stein, Web Security. Addison-Wesley, 1998.
F. Swiderski and W. Snyder, Threat Modeling. Microsoft, 2004.
M. W. Whitman and H. J. Mattord, Principles of Information Security. Thomson, 2003.