(Subject to change -- referesh your browser frequently)

[2006.01.09] Spring semester begins. Introduction
[2006.01.11] Ch. 1

[2006.01.16] Martin Luther King Day
[2006.01.18] VLab & MS SQL Server tutorial

[2006.01.23] Quiz #1 and SQL #1 in ANGEL
[2006.01.25] Ch. 2 (PBL #1)
        + resource: PKI

[2006.01.30] Quiz #2 (about Ch. 1 and 2) in ANGEL
[2006.02.01] Ch. 4 (SQL Authorization)

[2006.02.06] Quiz #3 and SQL #2 in ANGEL
        + solution: Quiz #3
[2006.02.08] Ch. 4 (SQL Profiles and Password Policies)
        + password policy examples:, Penn State ITS
        + download: PGP Int'l, tutorial

[2006.02.13] Quiz #4 and SQL #3 in ANGEL
[2006.02.15] Project #1 (PGP), PBL #2 => Oracle.sql

[2006.02.20] Quiz #5 in ANGEL
[2006.02.22] Ch. 5 (App. Security Model)
        + download: PBL#2 solution

[2006.02.27] Ch. 5 (App. Security Model II) CLASSROOM
[2006.03.01] SQL #4 in ANGEL (ONLINE)

[2006.03.06] Spring Break
[2006.03.08] Spring Break

[2006.03.13] Quiz #6 in ANGEL
[2006.03.15] Data privacy & k-anonymity
        + article: k-Anonymity: A Model for Protecting Privacy
        + article: Achieving k-Anonymity Privacy Protection using Generalization and Suppression

[2006.03.20] Quiz #7 in ANGEL
[2006.03.22] Project #2

[2006.03.27] Security in statistical database
        + article: The tracker: a threat to statistical database security
[2006.03.29] Ch. 8 (Triggers)
        + lab: Actors Triggers

[2006.04.03] SQL #5 in ANGEL
[2006.04.05] Ch. 7 (Database auditing)

[2006.04.10] Quiz #8 in ANGEL
[2006.04.12] XML Access Controls, Project #2 (Part 1) Due 11am (EXTENDED)
        + example: Part 1 (by Jeff Konietzko and Nathan Bradley)

[2006.04.17] Quiz #9 in ANGEL
[2006.04.19] Privacy on the Web (P3P)

[2006.04.24] PrivacyBird Lab
        + download: Beta 1.3
[2006.04.26] Invited talk by Prof. John Bagby
        + presentation: Part 1 and Part 2

[2006.05.01] Final Week
[2006.05.03] Final Week, Project #2 (Part 2) Due 11am, 313A IST Bldg. jump to top


Modern (Web-based) database applications are under an ever increasing level of threat from various users. As trend to expose more applications and functionalities to the Web continues, the demand and requirements to make applications more secure increase inevitably. As a course to junior/senior IST students in the IA track, this course will provide comprehensive information that both developers and managers involved in (Web-based) database application project must know. In particular, the course will cover principle of information security, database application security models, virtual private database (VPD), database auditing, privacy and legal issues, and some of the latest security protocols. Also, this course will expose the pitfalls of database design, their means of identification and the methods of exploiting vulnerabilities.


We use (1) Microsoft SQL Server 2000 and/or (2) Oracle 10g in the Virtual Lab (VLab) environment of the IST 3C infrastructure. If you are within PSU IP domain, you can read related books from O'Reilly's Safari for free. Our choice of the DBMS has nothing to do with the superiority of the product. Therefore, by all means, if you are already familiar with one, you are free to use other DBMS for your projects (i.e., MySQL, PostgreSQL, mSQL, DB2, etc).

Textbook (required) "Database Security and Auditing," by Hassan A. Afyouni, ISBN 0-619-21559-3

Time & Location

    Mon/Wed : 11:15A - 12:30P, 203 IST

     Instructor: Dongwon Lee, Email:, AIM: dongwon210
     Helpdesk: IST 201, x38803
     (This class has no TA)

Office Hour

     Wed: 3:00P - 5:00P (or by appointment), Dongwon Lee, 313A IST, Weekly Schedule

Grading (Hybrid Curved Policy)
     80-100: A/A- (25%)
     60-80: B+/B/B- (35%)
     40-60: C+/C (30%)
     0-40: D/F (10%)

Proportion (subject to change)

     Class attendance, discussion, and participation: 20%
     Quizzes and Homework: 35%
     Projects: 40%
     Presentation: 5%

     Web page password: to be announced in the first class
     jump to top


jump to top


jump to top

Course Conduct

Classes will start on time and end as scheduled. The un-announced quizzes will be given at the beginning of class, and thus if you are late to class, you get 0 for the quiz. No exception.

You are responsible for all the readings, even if the material is not explicitly covered in class. You should read the class materials prior to class and be prepared to discuss and ask questions about the readings and assignments. You should also re-read the material after class as not every topic will be covered during class time.

All work must be completed and turned in at the start of class on the assigned date. No late work will be accepted. Late means after the class has begun. Note that a computer's failure is not an excuse (it represents poor planning on your part).

If you miss a deadline or exam due to university recognized excuses, a written documentation (e.g., a doctor's note) must be handed to me at the end of a lecture. If you can't provide such, you get 0 for the missed work.

All assignment should be typed and printed properly by editing software (i.e., no hand-writing), except any drawings. Individual project must be done individually, and group project must be done by all members. If I become aware that you are not contributing to your group equally, I will intervene.

Students who participate in University-sanctioned events (such as athletics) must make prior arrangements and give ample notice. Similarly, seniors who need to travel for job interviews or such must notify to me first.

You can't get higher grade by offering doing an extra work. Similarly, in grading, instructor does not consider the status of students (whether s/he is a senior or freshman) -- just the performance of the student. An excuse like "I need to get C to graduate" will not be considered at all.

However, undergraduate students and graduate students, if any, will be graded separately. jump to top

PSU policy

Academic Integrity Academic integrity is a basic guiding principle for all academic activity at Penn State University, allowing the pursuit of scholarly activity in an open, honest, and responsible manner. In according with the University's Code of Conduct, you must not engage in or tolerate academic dishonesty. This includes, but is not limited to cheating, plagiarism, fabrication of information or citations, facilitating acts of academic dishonesty by others, unauthorized possession of examinations, submitting work of another person, or work previously used without informing the instructor, or tampering with the academic work of other students. Any violation of academic integrity will be investigated, and where warranted, punitive action will be taken. For every incident when a penalty of any kind is assessed, a report must be filed. This form is used for both undergraduate and graduate courses. This report must be signed by both the instructor and the student, and then submitted to the Senior Associate Dean.

Affirmative Action & Sexual Harassment The Pennsylvania State University is committed to a policy that all persons shall have equal access to programs, facilities, admission, and employment without regard to personal characteristics not related to ability, performance, or qualifications as determined by University policy or by Commonwealth or Federal authorities. Penn State does not discriminate against any person because of age, ancestry, color, disability or handicap, national origin, race, religious creed, gender, sexual orientation, or veteran status. Direct all inquiries to the Affirmative Action Office, 211 Willard Building.

Americans with Disabilities Act IST welcomes persons with disabilities to all of its classes, programs, and events. If you need accommodations, or have questions about access to buildings where IST activities are held, please contact us in advance of your participation or visit. If you need assistance during a class, program, or event, please contact the member of our staff or faculty in charge. Access to IST courses should be arranged by contacting the Office of the Senior Associate Dean, 002D Thomas Building: (814) 865-4457

An Invitation to Students with Learning Disabilities It is Penn State's policy to not discriminate against qualified students with documented disabilities in its educational programs. If you have a disability-related need for modifications in your testing or learning situation, your instructor should be notified during the first week of classes so that your needs can be accommodated. You will be asked to present documentation from the Office of Disability Services (located in 116 Boucke Building, 863-1807) that describes the nature of your disability and the recommended remedy. You may refer to the Nondiscrimination Policy in the Student Guide to University Policies and Rules. jump to top