Note: Dates and topics are approximate and subject to change.
Reading key: SSBSI = *Software Security: Building Security In* (McGraw); 24DSSS = *24 Deadly Sins of Software Security* (Howard, LeBlanc, Viega). Items marked "(slides)" are lecture slide decks; due times are 8am on the stated day.

Date | Topics | Reading |
---|---|---|
Week 1 (LOs) | | |
01/14 | Course Administrivia | Syllabus, LOs |
01/16 | Introduction to Software Security | SSBSI 1: Defining a Discipline; Security Basics; Security 101 (slides) |
Week 2 (LOs) | | |
01/21 | HW 0 due by 8am 20 Jan. RVV: Security Requirements | SSBSI 8: Abuse Cases; Security Requirements; 3 ways abuse cases can drive security requirements; Are you making software security a requirement? |
01/23 | Requirements Activity: Swipr | |
Week 3 (LOs) | | |
01/28 | Quiz 1 due by 8am 27 Jan; HW 1.requirements due by 8am 27 Jan. RM: Risk Management Framework | SSBSI 2: A Risk Management Framework; Risk Management Testing (Review); Risk Management in Software Projects; Security Requirements Engineering |
01/30 | Risk Management Activity: Applying the RMF: KillerAppCo's iWare 1.0 Server | |
Week 4 (LOs) | | |
02/04 | Quiz 2 due by 8am 3 Feb; HW 1.tests due by 8am 3 Feb. D: Secure Design Principles | Principles of Computer System Design, Ch. 11; Security Design Principles; Secure by Design – the Architect's Guide to Security Design Principles (slides) |
02/06 | Design Activity: Design Principle Lightning Presentations | |
Week 5 (LOs) | | |
02/11 | Quiz 3 due by 8am 10 Feb; HW 1.code due by 8am 10? Feb. SC: AMA about Magic Crypto Fairy Dust | |
02/13 | T: Static Analysis; Bug Hunting and Linting Activity | SSBSI 4: Code Review with a Tool; A Brief Introduction to Static Analysis by Sam Blackshear |
Week 6 (LOs) | | |
02/18 | Quiz 4 due by 8am 17 Feb. SC: Risky Resource Management (demos.tar.gz) | 24DSSS 5: Buffer Overruns, 6: Format String Problems, 7: Integer Overflows; CWE / SANS Top 25 Software Errors: Risky Resource Management; Monster Mitigations |
02/20 | Q&A Day | |
Week 7 (LOs) | | |
02/25 | RVV: Software Verification and Validation; Program Verification Activity | Verification and Validation, MIT OpenCourseWare, MIT 16.842 Fundamentals of Systems Engineering (first ~25 minutes); slides |
02/27 | RVV: Software Verification and Validation | The verifying compiler: A grand challenge for computing research (watch the lecture at Gresham College); Hacker-Proof Coding |
Week 8 (LOs) | | |
03/03 | RM: Architectural Risk Analysis / Threat Modeling | SSBSI 5: Architectural Risk Analysis; STRIDE and DREAD |
03/05 | RM: Architectural Risk Analysis / Threat Modeling | Planning Poker or How to avoid analysis paralysis while release planning; Protection Poker: The New Software Security "Game" |
Week 9: Spring Break | | |
03/10 | No class. | Have a safe and happy spring break |
03/12 | No class. | Have a safe and happy spring break |
Week 10 | | |
03/17 | Do The Five: Help stop Coronavirus | Do The Five (tips) |
03/19 | Wash Your Hands | When and How to Wash Your Hands; How soap absolutely annihilates the coronavirus |
Week 11 (LOs) | | |
03/24 | Build It due by 8am 23 Mar. D: Secure Design Patterns | Software-Security Patterns: Degree of Maturity |
03/26 | D: Secure Design Patterns | Secure Design Patterns |
Week 12 (LOs) | | |
03/31 | T: Symbolic Execution; Symbolic Execution Activity | Introducing Symbolic Execution; Symbolic Execution: A Little History; Basic Symbolic Execution; Symbolic Execution as Search and the Rise of Solvers; Symbolic Execution Systems |
04/02 | Project Work Day | |
Week 13 (LOs) | | |
04/07 | SC: Porous Defenses; Porous Defense Activity | 24DSSS 16: Executing Code with Too Much Privilege, 17: Failure to Protect Stored Data, 21: Using the Wrong Cryptography |
04/09 | SC: Porous Defenses; Porous Defense Activity | |
Week 14 (LOs) | | |
04/14 | SC: Insecure Interaction Between Components | 24DSSS 1: SQL Injection, 2: Web Server-Related Vulnerabilities (XSS, CSRF, Response Splitting), 3: Web Client-Related Vulnerabilities (XSS) |
04/16 | Security Software is not Software Security; Adversarial Thinking Case Study: Respondus LockDown Browser | |
Week 15 (LOs) | | |
04/21 | Break It due by 8am 20 Apr. Fuzzing | Guided Fuzzing: AFL; Fuzzing NASM |
04/23 | Last day of class. | |