This course is an introduction to building secure, full-stack web applications with Python and Flask. We'll start with Python and Flask and transition to web application security, where we'll look at different types of security vulnerabilities and best practices to patch up these vulnerabilities in your own apps. Then, we'll go to building your own API and securely authenticating with it, and finish by showing you how you can deploy your web app!
- Course: CMSC388J
- Prerequisites: C- or better in CMSC216 and CMSC250
- Credits: 1
- Seats: 38
- Lecture Time: Fridays, 12-12:50 PM (all sections)
- Location: CSI 2118
- Semester: Fall 2019
- Textbook: No textbook, all materials are provided and documentation is online
- Course Facilitators: Kenton Wong, Yashas Lokesh
- Faculty Advisor: Michael Marsh
- Syllabus last updated: September 10, 2019
- Previously offered: N/A
- Python
- Variables, expressions, operators
- Iterations, conditionals
- Functions
- As first-class objects
- Decorators
- "Main" function
- Built-in functions
- Web Application Security
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injections
- Man-in-the-Middle attacks (MitM)
- Token & Two-factor authentication
- Flask
- Routing your web app
- Templating
- Creating a REST API
- Adding extensions for more features
- WTForms
- SQLAlchemy
- Freeze
- SQLite
- Lightweight SQL database
- Local data storage
- Python packages
- Requests
- Bokeh
- JSON
- SQLite
- App Deployment
- Heroku
- Python Anywhere
- Possibly: Google App Engine, AWS
- Version Control
- Git
| Week | Topic | Assignment |
|---|---|---|
| 1 | Intro to Python | Python practice (P1) assigned |
| 2 | Flask Intro | P1 due |
| 3 | Intro to Web App Security | P2 assigned |
| 4 | Databases, Injection attacks | |
| 5 | Forms, CSRF | P2 due, P3 assigned |
| 6 | User Management | |
| 7 | Cookies, MITM, Security Headers, Signals | P3 due |
| 8 | Blueprints | |
| 9 | Testing | P4 assigned |
| 10 | Midterm | |
| 11 | Two-Factor Authentication | P4 due, Final Project assigned |
| 12 | Useful Python packages | |
| 13 | Deploying your app | |
| 14 | THANKSGIVING BREAK | |
| 15 | Presentations | Final Project due |
Grades will be maintained on (ELMS/department grade server/etc). You will be responsible for all material discussed in lecture as well as other standard means of communication (Piazza, email announcements, etc.), including but not limited to deadlines, policies, assignment changes, etc.
Grades will be maintained on the CS Department grades server.
You will be responsible for all material discussed in lecture as well as all other standard means of communication (Piazza, ELMS announcements), including but not limited to deadlines, policies, assignment changes, etc.
Your final course grade will be determined according to the following percentages:
| Percentage | Title | Description |
|---|---|---|
| 45% | Projects | Weekly projects to apply lecture material and make practical applications. |
| 20% | Midterm | Examination |
| 30% | Final Project | Final project to demonstrate mastery of all topics learned and apply knowledge to create a new application from scratch. |
| 5% | Survey Participation | Weekly anonymous feedback surveys |
Any request for reconsideration of any grading on coursework must be submitted within one week of when it is returned. No requests will be considered afterwards.
The project is due the day it is scheduled to be due, barring any extensions that may be given out. They will be due at 11:59 PM. Not all of the projects will have tests; they will be graded according to a rubric which will also be provided. All projects must be submitted online at the submit server.
Project 1 will be worth 9% of your final grade. The other projects (excluding the final) will be worth 12% each of your final grade.
Late Policy: Projects may be submitted up to one day late for 10% off your earned grade. After this, no more projects will be accepted. The highest score you get on the project, counting late and on-time submissions, will be your grade for that project. There are no exceptions unless you've talked with us beforehand or provide a valid excuse.
We will look at your most recent on-time and late (if applicable) submissions when grading.
Every project will have approximately 10% of the project grade reserved for style: proper formatting and commenting.
The midterm will test your knowledge of Python, Flask, and all security topics we discussed prior.
There will be conceptual questions on Python, Flask, and web application security. There will be 1-2 Python/Flask coding questions, and the rest will be fill-in-the-blank or short response questions on Python, Flask, and security.
All material discussed in lectures before the midterm will be tested.
We'll communicate through students mainly through Piazza and through office hours.
Office hours: Wednesday 1 - 2 PM @ AVW 1120, or by appointment
Email should only be used for emergencies, please use Piazza, otherwise. We'll get back to you more quickly on Piazza.
Instructor:
Dr. Michael Marsh - mmarsh@cs.umd.edu
Facilitators:
Yashas Lokesh - yashloke@umd.edu
Kenton Wong - kdubbs0@umd.edu
See the section titled "Attendance, Absences, or Missed Assignments" available at Course Related Policies.
See the section titled "Accessibility" available at Course Related Policies.
Note that academic dishonesty includes not only cheating, fabrication, and plagiarism, but also includes helping other students commit acts of academic dishonesty by allowing them to obtain copies of your work. In short, all submitted work must be your own. Cases of academic dishonesty will be pursued to the fullest extent possible as stipulated by the Office of Student Conduct.
It is very important for you to be aware of the consequences of cheating, fabrication, facilitation, and plagiarism. For more information on the Code of Academic Integrity or the Student Honor Council, please visit http://www.shc.umd.edu.
If you have a suggestion for improving this class, don't hesitate to tell the instructor or TAs during the semester. At the end of the semester, please don't forget to provide your feedback using the campus-wide CourseEvalUM system. Your comments will help make this class better.