APIs and Web Security
- Due: 2300 on Lessons 29 and 30
- Duration: 30–60 minutes
- Points: 10 points
Help Policy
- Authorized Resources: Any, excluding classmates
- Notes
  - Never copy another person’s work and submit it as your own
  - You must document all resources, including the instructor and instructor-provided course materials (such as the textbook)
Instructions
Respond to one of the following prompts, and reply to one of your classmates’ original posts. Unless otherwise indicated by the prompt, it is expected that responses should be no more than a paragraph (one paragraph ≈ 200 words).
- Web services have a well-defined application programming interface (API) for interactions with clients. Find the API for a web service and briefly summarize the types of operations that can be performed using that API. Are there any operations that users cannot perform using the API compared to the corresponding web application? Would you want to use this API? Why or why not?
- Identify an alternative to representational state transfer (REST). Compare and contrast that alternative to a REST service. Which would you want to use, either as a programmer who must support the service or as a user? Why?
- The Open Web Application Security Project (OWASP) publishes a top-10 list of web application security risks. Select one risk and briefly describe it. Provide a concrete example of a vulnerable application and how it could be exploited. List techniques to mitigate the risk.
Note: You cannot choose either SQL injection or cross-site scripting (XSS).
- Reports of vulnerabilities in web applications are all too common. Identify one such security failure and its impact. What vulnerability (or vulnerabilities) led to that failure? What software engineering practices might have mitigated it?
- Numerous security standards exist to mitigate vulnerabilities in or to improve the privacy of web applications. Such standards include HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), Cross-Origin Resource Sharing (CORS), and Do Not Track (DNT) to name just a few. Select one such standard and briefly describe it. What vulnerabilities does it mitigate? How widely adopted is it? What are the primary barriers to adoption? Do you believe that its use will be more common in the future?
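If you choose the last prompt, it helps to look at how the headers behind these standards are actually set. The following is an added example, not part of the assignment or its course materials: a small Python checker that parses HTTP response headers for HSTS, CSP and CORS and reports settings that weaken them (a short HSTS `max-age`, a CSP that permits inline or `eval` scripts, a wildcard CORS origin combined with credentials). The six-month `max-age` threshold and the two sample header sets are assumptions constructed for the demonstration; browsers, sites and policies vary.

```python
"""Added example: audit HSTS, CSP and CORS response headers (offline, on
constructed sample headers; not code from the assignment or any project)."""

from __future__ import annotations

# Assumed threshold for this check: HSTS max-age of at least six months.
SIX_MONTHS = 15552000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                out["max_age"] = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one HTTP response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HSTS: missing, too short to be effective, or not covering subdomains.
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < SIX_MONTHS:
            findings.append("HSTS max-age below six months")
        if not hsts["include_subdomains"]:
            findings.append("HSTS does not include subdomains")

    # CSP: missing, or script sources that defeat its purpose (XSS containment).
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        scripts = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"CSP script-src allows {weak}")

    # CORS: a wildcard origin with credentials is rejected by browsers and
    # signals a misconfigured server; the "null" origin is spoofable.
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and acac:
        findings.append("CORS wildcard origin with credentials")
    if acao == "null":
        findings.append("CORS allows the null origin")
    return findings


# Constructed sample responses (assumed values, not captured from any site).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(resp) or "no findings")
```

Run it as a script to see the findings for both sample responses; to audit a real site, feed `audit_headers` the header dictionary from an HTTPS response (for example `requests.get(url).headers`), which is left out here so the example runs offline.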
As a reminder, your posts should not repeat others’ content. For example, if someone has already described GitHub’s REST API, then you should not also describe it unless your post comprises new information that was not present in the original post.
Submission
Submit your posts using the Blackboard discussion board for your section.
Due to the way that Blackboard is configured (i.e., one site per course instead of one site per section), the main “Discussion Board” is visible to all students. Thus, it might be difficult for those posting later to avoid rehashing the same content.
Consequently, each section has its own discussion forum, which is accessible only to students in that section. You can access the discussion forum for your section in the following ways:
- Groups > Section ? > Group Tools > Group Discussion Board
- My Groups > Section ? > Group Discussion Board
where ? is a placeholder for the section number (e.g., M3A).
Be sure to document any sources that you used when writing your posts.
Grading
Grading is largely based on completion, but posts should demonstrate effort commensurate with the expected duration for this activity. Citing multiple references, drawing connections among others’ posts, additional responses, etc. all demonstrate effort that is appropriate or even exceeds the expectation. Conversely, summarizing the first paragraph of a Wikipedia article, poor spelling and grammar, off-topic posts, etc. demonstrate lack of effort.
Posts that express simple (dis)agreement will be ignored for the purpose of grading. For example,
I agree.
may be appropriate in the context of a conversation but does not satisfy the requirements when responding to someone else’s post. (A good rule of thumb might be that fewer than 20 words does not qualify as a “post.”) Nevertheless, several short posts (e.g., 100 words) may collectively sum to the level of effort expected.
Rubric
The specific grading rubric is as follows:
- Initial post
  - Exceeds standard (100%): Fully addresses prompt and expands upon it
  - Meets standard (90%): Fully addresses prompt
  - Nearly meets standard (75%): Addresses most, but not all, of the prompt
  - Below standard (50%): Post is obviously incomplete or off-topic
  - Missing (0%): Post does not address the prompt or is missing entirely
- Response
  - Exceeds standard (100%): Contributes to the discussion in a meaningful way (e.g., adds new information to that previously presented)
  - Meets standard (90%): Contributes to the discussion
  - Nearly meets standard (75%): Response is on-topic but does not further the discussion
  - Below standard (50%): Response is off-topic or inappropriate or may not be relevant to the larger discussion
  - Missing (0%): Response is limited to simple (dis)agreement or missing entirely
As indicated by the rubric, earning all the points requires exceeding the standard. Simply addressing the prompt and contributing to the discussion will only earn 90% of the available points.