
CSCE 489/713: Software Security

Note: Dates and topics are approximate and subject to change.

Date Topics Reading
Week 1 (LOs)
01/14 Course Administrivia Syllabus, LOs
01/16 Introduction to Software Security SSBSI 1: Defining a Discipline
Security Basics
Security 101 (slides)
Week 2 (LOs)
01/21 HW 0 due by 8am 20 Jan
RVV: Security Requirements
SSBSI 8: Abuse Cases
Security Requirements
3 ways abuse cases can drive security requirements
Are you making software security a requirement?
01/23 Requirements Activity: Swipr
Week 3 (LOs)
01/28 Quiz 1 due by 8am 27 Jan
HW 1.requirements due by 8am 27 Jan
RM: Risk Management Framework
SSBSI 2: A Risk Management Framework
Risk Management
Testing (Review)
Risk Management in Software Projects Security Requirements Engineering
01/30 Risk Management Activity: Applying the RMF: KillerAppCo's iWare 1.0 Server
Week 4 (LOs)
02/04 Quiz 2 due by 8am 3 Feb
HW 1.tests due by 8am 3 Feb
D: Secure Design Principles
Principles of Computer System Design, Ch. 11
Security Design Principles
Secure by Design – the Architect's Guide to Security Design Principles (slides)
02/06 Design Activity: Design Principle Lightning Presentations
Week 5 (LOs)
02/11 Quiz 3 due by 8am 10 Feb
HW 1.code due by 8am 10? Feb
SC: AMA about Magic Crypto Fairy Dust
02/13 T: Static Analysis
Bug Hunting and Linting Activity
SSBSI 4: Code Review with a Tool
A Brief Introduction to Static Analysis by Sam Blackshear
Week 6 (LOs)
02/18 Quiz 4 due by 8am 17 Feb
SC: Risky Resource Management
demos.tar.gz
24DSSS 5: Buffer Overruns, 6: Format String Problems, 7: Integer Overflows
CWE / SANS Top 25 Software Errors: Risky Resource Management
Monster Mitigations
02/20 Q&A Day
Week 7 (LOs)
02/25 RVV: Software Verification and Validation
Program Verification Activity
Verification and Validation - MIT OpenCourseWare - MIT 16.842 Fundamentals of Systems Engineering (first ~25 minutes), slides
02/27 RVV: Software Verification and Validation The verifying compiler: A grand challenge for computing research (watch the lecture at Gresham College)
Hacker-Proof Coding
Week 8 (LOs)
03/03 RM: Architectural Risk Analysis / Threat Modeling SSBSI 5: Architectural Risk Analysis
STRIDE and DREAD
03/05 RM: Architectural Risk Analysis / Threat Modeling Planning Poker or How to avoid analysis paralysis while release planning
Protection Poker: The New Software Security "Game"
Week 9: Spring Break
03/10 No class. Have a safe and happy spring break
03/12 No class. Have a safe and happy spring break
Week 10
03/17 Do The Five: Help stop Coronavirus Do The Five (tips)
03/19 Wash Your Hands When and How to Wash Your Hands
How soap absolutely annihilates the coronavirus
Week 11 (LOs)
03/24 Build It due by 8am 23 Mar
D: Secure Design Patterns
Software-Security Patterns: Degree of Maturity
03/26 D: Secure Design Patterns Secure Design Patterns
Week 12 (LOs)
03/31 T: Symbolic Execution
Symbolic Execution Activity
Introducing Symbolic Execution
Symbolic Execution: A Little History
Basic Symbolic Execution
Symbolic Execution as Search and the Rise of Solvers
Symbolic Execution Systems
04/02 Project Work Day
Week 13 (LOs)
04/07 SC: Porous Defenses
Porous Defense Activity
24DSSS 16: Executing Code with Too Much Privilege, 17: Failure to Protect Stored Data, 21: Using the Wrong Cryptography
04/09 SC: Porous Defenses
Porous Defense Activity
Week 14 (LOs)
04/14 SC: Insecure Interaction Between Components 24DSSS 1: SQL Injection, 2: Web Server-Related Vulnerabilities (XSS, CSRF, Response Splitting), 3: Web Client-Related Vulnerabilities (XSS)
04/16 Security Software is not Software Security
Adversarial Thinking
Case Study: Respondus LockDown Browser
Week 15 (LOs)
04/21 Break It due by 8am 20 Mar
Fuzzing
Guided Fuzzing: AFL
Fuzzing NASM
04/23 Last day of class.