The document summarizes a project component of a Web Engineering course at the Rochester Institute of Technology. The project focused on having student groups create a web application following software engineering principles like requirements gathering and testing. It also emphasized security. Students had to build a customized web portal using Facebook and other APIs, as well as custom components like a stock tracker. Their work was evaluated through presentations, self-reflections, and having their code reviewed by students in a software security course. The goal was to give students real-world experience with web development processes and security.
Rochester Institute of Technology
{dxkvse, axmvse}@rit.edu

Abstract—Web applications are an intricate part of the world today. Everything from banking to checking our Facebook status may now be done through the use of web applications. Today's students need to balance numerous concerns in order to create a web application that is robust, on time and on budget. At the Department of Software Engineering at the Rochester Institute of Technology, we created a course called Web Engineering. As part of this course, we developed an innovative project component which focused on students following software engineering principles such as elicitation, requirements generation, testing and deployment.

I. INTRODUCTION

Web applications represent a confluence of diverse technologies and numerous challenges, including networked environments, persistent storage, concurrency and usability. Web engineering is defined as the systematic, disciplined and quantifiable approach to development, operation and maintenance of web-based systems and applications [11] [7] [9]. While similar to software engineering, the concept of web engineering differs in several key areas [3]. The planning of continual growth and change has a higher significance in web applications [2].

Last year, the Software Engineering Department at the Rochester Institute of Technology (RIT) added a course entitled Web Engineering to their curriculum, which is typically comprised of upper level 3rd through 5th year students. A significant component of this course was a cross course collaborative effort with a focus on security. The cooperation is beneficial because it allows students to gain experience working with an adjacent software team. Students will often collaborate in teams in industry, but are often unprepared to do so [6]. Additionally, focusing on security is valuable as web applications expose powerful technologies and assets to the Internet. Application security is an area which students and even workers in industry are typically deficient in [12] [4].

This project component is also distinct in the way it mimics a real world project as closely as possible. Students are not handed a firm list of requirements. They are expected to elicit, negotiate and comprehend changing requirements. This is an area in which it is extremely important for students to have proficiency, but which they far too often lack [1] [10]. The project also utilized contemporary web technologies that allowed students to create a final product which they were actually interested in using and sharing with friends. This helped to foster student enthusiasm in the project.

In the following experience report, we describe the project as well as future improvements to be implemented in subsequent course offerings. Our goal is to allow other instructors to learn from our experiences and to be able to enact a similar project in their own web engineering courses at their own institutions.

II. METHOD

A significant aspect of our Web Engineering course was a project component. The main premise of the project was for each group to create a web application using both custom built and already existing components through web service and Application Programming Interface (API) calls while adhering to proper security standards for several vulnerability categories. Some of these included authentication, message encryption, authorization and session management.

The instructor took on two distinct roles for the project: teacher and customer. The way the instructor reacts to student questions differs significantly depending on which role the instructor is currently playing. While representing the role of teacher, the instructor may give project advice and answer technical questions wherever possible. As the customer, they attempted to mimic a client in the real world and students were encouraged to clarify requirements with them. So that students may understand which role the instructor is playing, they are encouraged to ask whenever they are unsure and to begin their inquiries with "As the customer" or "As the teacher".

The goal of the project is to create a personalized web portal that would be customized for each user. The user initially logs in with their Facebook account. Once the user has logged into the application, they are presented with several pieces of personal, customizable information. One of the most significant is a section on the main page which is very similar to the wall in the traditional Facebook application. For this section, students were asked to again tie into the Facebook API to retrieve the necessary data. They were required to modify the appearance of these items and utilize aspects of usability covered in the course. Various other Facebook APIs such as photo albums, chatting with friends and status updates were used in similar ways. We selected these requirements not only because the Facebook API was readily available, but because we felt that incorporating Facebook here would help to encourage student interest in the project.

Several other aspects of the project required the students to write custom software to interact with extra data services or feeds. Students were asked to incorporate a stock viewing web page into their project. The user would initially enter a stock that they hypothetically purchased along with the purchase price and number of shares. This information would be stored in a student created relational database. For all of these simulated purchased stocks, information would be retrieved from a third party web service and the page would be expected to display the current stock price, the day's high and low price, along with the amount of money the investment has thus far made or lost for the buyer. A chart is also displayed for the stock, which is retrieved using an external feed of the group's choice. Other aspects of the application include a weather based component and a chat feature based upon HTML5. The reason for this chat component is to both familiarize the students with HTML5 and to acquaint them with how to properly place and utilize such an interactive element. In order to acclimate students to development environments like those they would encounter in industry, several virtual machines were provided to each team. These were intended to act as development, staging and production environments.

During the ten week quarter, each team was expected to produce several deliverables. The first few weeks of the project aspect of the course focused on building up a base for understanding web engineering along with team formation. Teams of 4-6 students were created since this is often the size of groups in industry and has been found to be conducive to student learning in previous projects [5] [8]. Several roles exist on each team. These included team, development and testing coordinator. Since the course was comprised of upper level students, they were given the opportunity to self-appoint these roles. Students have indicated their satisfaction with this freedom. However, if the class were primarily made up of more novice students, the instructor may want to appoint team roles.

In the third week of the quarter, the students were asked to complete a requirements document and, in the subsequent week, a design document. The expectation was laid out to each team that these were to be constantly evolving documents. The grading on these initial deliverables was not aimed at ensuring that the students had a completely accurate document on their first attempt. The main goal was for the students to have followed the proper guidelines for producing these deliverables and to have made an adequate effort to create them as accurately as possible. During the second half of each class session, teams were given the opportunity to meet with the instructor to ask requirement and general project questions. In these interactions, the students were also able to negotiate expectations with the customer. They were encouraged to show prototypes, screenshots and anything else they desired to the customer. The goal was not to limit customer interaction or punish inquiries, as long as they were reasonable. The aim was to encourage customer interaction and elicitation.

The first software release was due in the sixth week of the quarter. Teams were asked to deliver a fully functional version of their application, but with only the functionality agreed upon with the customer for the first release. Less emphasis was placed upon appearance than functionality. Aspects such as mobile compatibility and cross browser support were not evaluated. Teams are also asked to provide updated requirements and design documentation, along with thorough test plans with the implemented tests. Some of these include unit and acceptance tests.

The Software Engineering Department at RIT places a large emphasis on public speaking, presentation and overall communication skills for their students. For the first release, each group was asked to give a 20 minute presentation about some of the major aspects and technologies used in their project. Other areas discussed were team roles and dynamics, a short demonstration of their application and their plan for the second release.

Immediately after the initial release, each group is asked to work on a team self-reflection document. Components of this paper include identifying areas of the project that went well, along with portions of the project which can be improved and how. Students are encouraged to think deeply and elaborate on what went well and what can be improved.

Ensuring an adequate level of security is an important aspect of web based applications [4]. A week after the first release, each group is asked to release their application to a group in a concurrent software security course. The security course, entitled Engineering Secure Software, is a class designed to train students on the principles and practices of incorporating security into the entire software development lifecycle. One of the class projects was the development of a web application fuzz testing tool (fuzzer) that automates the discovery of inputs and potential vulnerabilities in websites. Students would develop a set of scripts that would crawl a local website, discover the inputs, and then attempt to exploit those inputs using commonly-used attacks. Each fuzzer team was given a different web engineering product to fuzz, and was asked to report their fuzzing results to the web engineering team.

The second and final release occurs during the last week of the term and is conducted in a very similar fashion to the first release. The major difference is that the appearance and functionality are now both thoroughly evaluated. Additionally, applications are expected to be mobile device friendly. On the final day of class, each group again conducts a post mortem and investigates what went well and why, along with what may be improved upon.

A goal of the project is to supply the groups with enough guidelines to provide them a solid direction, but allow them enough freedom to be creative. Additionally, the teams were encouraged to work with the customer to formulate extra features for the project which would be beneficial for the customer. This aspect was helpful in stimulating the students' ingenuity for the project, working on their elicitation skills and in helping to add variability to each team's final product.

Future instructors are encouraged to deviate at moderate levels as they desire from the requirements for this project. These deviations will not only keep the projects fresh and allow freedom for both the instructor and the students, but will also allow the instructor to explore and evaluate possible alternative paths for the project so it may be enhanced in future iterations.

III. OUTCOME

Before the beginning of the term, students expressed their excitement over the course and specifically for the project. They were interested in the real-world aspect of the project and how it interacted with contemporary technologies, tools and practices. Additionally, they were attracted to the freedom that the project structure would afford their teams.

At the conclusion of the course, an anonymous process was used to gather student feedback, which was only made visible to the instructor after final grades had been submitted. Generally, the student feedback regarding both the course and project was positive. We feel that some of the reasons for dislike need to be addressed in upcoming course iterations. Other issues are ones which the students may not necessarily enjoy, but which are essential for proper student learning.

The students indicated that they felt the most beneficial learning aspect of the course was the project. Based upon this feedback, we believe that we are on the correct path with the project and feel it only needs tweaking in several areas. Student feedback also indicated several areas which they felt were beneficial. One of the most prevalent was the use of APIs and web services from groups such as Facebook and Google. They enjoyed using current and well known technologies for both their allure and practicality. Students also appreciated beginning the project with a reasonable list of requirements and not having to begin the elicitation phase from scratch. Other areas of positive feedback included the availability of the customer and the ability to self-appoint teams. The following are representative samples of written feedback we have received:

"I really like this project because it is giving us [software engineering students] experience with technologies that companies are truly looking for that without this class there was no formal way to learn. It was really interesting because it covered multiple aspects of web development from using certain frameworks, dealing with social aggregation, hosting our own chat service, and also learning about API's etc. Also it allowed us to see how rapid web development can be and how fast paced the field is."

"After taking Web Engineering, I can confidently say: Why isn't there more of this class in our curriculum? As students living a web world, fast requirement shifts and one-click deployment are the norms for modern software vendors. Companies are now, more than ever before, looking for students with skills like JavaScript, Web Application Frameworks, and third party web API's. So far, this is the only class that has managed to capture the buzz that's ultimately here to stay."

IV. CONCLUSION

This paper presents some early findings regarding a project based component in a web engineering course. The primary areas of the project were discussed. These included the technical details, major deliverables and how the team was expected to interact with the customer. A main goal of this activity is to emulate a real world project situation as closely as possible. The role of the instructor acting as the customer was also conveyed. An interesting aspect of this project was the cross course collaboration which occurred with an adjacent security course. We will evolve and improve this collaboration in future course offerings. While the course and project component generally went well, several areas can be improved upon. These include altering project requirements to aid in security testing and spending more time acclimating students to various technical concepts of web engineering. Future research will be done to discover how different technologies can be incorporated into the project in order to make it both more appealing to the students and more educational as well. This information will be gathered from instructor observations, official student feedback forms, and informal conversations with the students. We hope that our work in creating and refining a project based component can help others build a more educational and enjoyable web engineering course for their students.

REFERENCES

[1] Martin L. Barrett. Simulating requirements gathering. SIGCSE Bull., 29(1):310–314, March 1997.
[2] Yogesh Deshpande, San Murugesan, Athula Ginige, Steve Hansen, Daniel Schwabe, Martin Gaedke, and Bebo White. Web engineering. J. Web Eng., 1(1):3–17, October 2002.
[3] Athula Ginige. Web engineering: managing the complexity of web systems development. In Proceedings of the 14th international conference on Software engineering and knowledge engineering, SEKE '02, pages 721–729, New York, NY, USA, 2002. ACM.
[4] William Bradley Glisson, Andrew McDonald, and Ray Welland. Web engineering security: a practitioner's perspective. In Proceedings of the 6th international conference on Web engineering, ICWE '06, pages 257–264, New York, NY, USA, 2006. ACM.
[5] Jiang Guo. Group projects in software engineering education. J. Comput. Sci. Coll., 24(4):196–202, April 2009.
[6] Terhi Kilamo, Imed Hammouda, and Mohamed Amine Chatti. Teaching collaborative software development: a case study. In Proceedings of the 2012 International Conference on Software Engineering, ICSE 2012, pages 1165–1174, Piscataway, NJ, USA, 2012. IEEE Press.
[7] Emilia Mendes. Applying the cognitive flexibility theory to teaching web engineering. In Proceedings of the fifth Australasian conference on Computing education - Volume 20, ACE '03, pages 113–117, Darlinghurst, Australia, Australia, 2003. Australian Computer Society, Inc.
[8] Dragutin Petkovic, Gary Thompson, and Rainer Todtenhoefer. Teaching practical software engineering and global software engineering: evaluation and comparison. SIGCSE Bull., 38(3):294–298, June 2006.
[9] Gerald Reif and Harald Gall. Weesa - web engineering for semantic web applications, 2005.
[10] Asma Sajid, Ayesha Nayyar, and Athar Mohsin. Modern trends towards requirement elicitation. In Proceedings of the 2010 National Software Engineering Conference, NSEC '10, pages 9:1–9:10, New York, NY, USA, 2010. ACM.
[11] Till Schummer, Stephan Lukosch, and Joerg M. Haake. Teaching distributed software development with the project method. In Proceedings of the 2005 conference on Computer support for collaborative learning: learning 2005: the next 10 years!, CSCL '05, pages 577–586. International Society of the Learning Sciences, 2005.
[12] James Walden. Integrating web application security into the IT curriculum. In Proceedings of the 9th ACM SIGITE conference on Information technology education, SIGITE '08, pages 187–192, New York, NY, USA, 2008. ACM.