COSC835 - Doctoral Seminar in Computer Security
Web Security
Spring 2012
Georgetown University
Prof. Micah Sherr

Course Description

This doctoral seminar investigates current trends in web security. Students will examine case studies and read seminal research papers to better understand current threats and defenses. Topics include browser security, web privacy, injection attacks, cross-site scripting and request forgery, and static and dynamic code analysis. The course requires students to engage in novel web security research, supervised by the instructor.

Prerequisites: You must be a current Ph.D. student to enroll in this course. The first few classes will recap basic computer and network security principles.


Class Organization

This will not be a lecture-oriented class in which I spew information that you will later regurgitate to me during exams. Classes will be discussion-focused and will be highly interactive. Participation will be a large component of students' grades. More information about grading is available below.

With the exception of the first two classes, each class will consist of two 45-minute paper presentations and a 10-minute project status update.

Who, What, and Where

Instructor: Prof. Micah Sherr
Email: click here (GPG/PGP key)
Office: St. Mary's Hall, Room 337
Office Hours: Wednesday 12pm, and by appointment

Classes are held every Monday from 12pm until 1:40pm in STM343.

Why (i.e., course goals)

This doctoral seminar will familiarize Ph.D. students with current research results in web security. The course will improve students' understanding of web security threats and defenses. Additionally, students will become acquainted with academic computer security research and advance their research and academic writing skills.


There is no required textbook for this doctoral seminar.

Be prepared to read a lot of academic computer security papers. This is a doctoral seminar: the time you save not doing homework or studying for exams should be spent carefully reading the course readings.

A major goal of this doctoral-level class is to explore the academic literature in web security. Students will read several seminal research papers throughout the semester. Reading assignments are listed below and should be completed three days before the class that covers the material.

Important: Seventy-two hours (3 days) before each class, students should email answers to the following questions to the instructor:
  • "What problem does this paper address?"
  • "What is the contribution of this work?"
  • "What are the shortcomings of the proposed approach?"
  • "How could the paper be improved?"
  • "Was this a good paper to assign?"

The questions should be answered for each reading assignment. Your reading responses will be graded and will constitute a sizable percentage of your overall grade.

Course Resources / Listserv

We will make extensive use of the class listserv:

Students are expected to read every post to the listserv and to contribute to the discussion. Be prepared to receive a lot of email -- in my previous classes, several hundred listserv messages were posted in a single semester. At the start of the semester, please email me your preferred email address.

Grading and Other Class Policies
Class Presentations 30%
Participation* 20%
Reading Questions 15%
Course Project 35%

* Participation includes more than just attendance (although attendance is a must). Students should contribute to classroom and listserv discussions.

Other miscellaneous (but hopefully not arbitrary) policies:
  • Please turn off cell phones during class.
  • I will do my best to respond to emails within 24 hours. Please also consider posting your questions to the class listserv.
  • Behave civilly: don't be late for class; don't read newspapers/blogs/etc. during class; don't solve Sudoku puzzles during class; don't struggle with crossword puzzles during class; respect others' opinions, even if they are clearly wrong.
  • Adhere to good scientific principles and practices, and uphold the Georgetown Honor System.

A Note about Academic (Dis)Honesty

Please do not cheat. Dealing with cheating is by far the worst part of a professor's responsibilities, and it's one that I'd greatly like to avoid. If you are caught cheating, you will be referred to the Honor Council, without exception. It doesn't matter if you plagiarized one part of one answer in a homework assignment or outsourced your entire semester project to Telling me that I'm ruining your future/career/life will make me feel wicked bad, but won't stop me from referring you to the Honor Council.

The following -- taken from the Graduate Bulletin -- is a partial list of the things you cannot do: plagiarism; unacknowledged paraphrase; cheating, fabrication of data; fabrication, alteration, or misrepresentation of academic records; facilitating academic dishonesty; unauthorized collaboration; misuse of otherwise valid academic work; misuse of academic resources; depriving others of equal access to academic resources.

Please see Georgetown's Academic Regulations regarding the University's Honor System, as well as all the nasty things that will happen to you if you are caught cheating.

Bottom Line: If you are unsure whether or not something is permissible, ask me beforehand.


Students must participate in a novel research project related to web security. Projects that merely implement existing protocols or that attempt to solve problems that have existing, well-understood, and widely-accepted solutions will not be accepted. The topic and scope of the project must be approved by the instructor, and the project itself will be graded based on its novelty, student effort, technical depth and correctness, and the clarity of the project presentation. The output of the project should be a workshop-length paper that addresses a novel computer security research topic.

With the instructor's permission, students may work in groups, so long as the scope of the project is proportional to the size of the group. All students in a group will receive the same grade.

February 6th: The project proposal requirements have been posted.

April 21st: The project write-up requirements have been posted.

Syllabus and Schedule

Click here for the latest course schedule. The schedule is subject to change, although I will not modify reading assignments if they are less than one week away.

Note that the schedule is on a password-protected page. The credentials for accessing the page will be disseminated over the listserv after the first class.