Useful links:
Key:
| Date | Lecture | Lecture Topic | Activity | VotD | Due or Released | Reading |
|---|---|---|---|---|---|---|
| Mar. 4 | 1-1 | Course Overview, What is Secure? | Discussion | Buffer overflow | ||
| Mar. 6 | 1-2 | Requirements: abuse & misuse cases, security requirements | Abuse & Misuse Cases | Integer overflow | Allen ch. 1-3, McGraw ch. 8 | |
| Mar. 11 | 2-1 | Gary McGraw Lecture | 12 minute test plans | Case study choice due by class | Allen ch. 7 | |
| Mar. 13 | 2-2 | Class cancelled | McGraw ch. 2,7 | |||
| Mar. 18 | 3-1 | Planning: risk assessment | Protection Poker | OS command injection & Hardcoded credentials |
Allen ch. 4 | |
| Mar. 20 | 3-2 | Design: secure design patterns, test planning | Work on project | SQL injection | Domain analysis due by |
McGraw ch. 5 |
| Mar. 25 | 4-1 | Design: architectural risk & threat modeling | Threat Modeling | Log overflow & Path traversal | ||
| Mar. 27 | 4-2 | Implementation: defensive coding practices | Work on project | XSS | Allen ch. 5.1-5.3, McGraw ch. 4 | |
| Apr. 1 | 5-1 | Implementation: defensive coding practices | Web applications | Cross-Site Request Forgery | Design analysis due by class | Allen ch. 5.3-5.6, McGraw ch. 6 |
| Apr. 3 | 5-2 | Code Inspections | More web application practice | Open redirect | ||
| Apr. 8 | 6-1 | Midterm exam | ||||
| Apr. 10 | 6-2 | File system permissions | Get started with fuzzer project | Log neutralization | Fuzzer project released | McGraw ch. 12 |
| Apr. 15 | 7-1 | Go over exam | Work on projects | Embedded DTDs | ||
| Apr. 17 | 7-2 | Presentations of case studies | Code inspection due by class | Allen ch. 6, McGraw ch. 9 | ||
| Apr. 22 | 8-1 | Cryptography: authentication, public-key, symmetric key, SSH | SSH Activity | Hashing salt | ||
| Apr. 24 | 8-2 | Cryptography: SSL, PGP, side-channel attacks | Work on projects | PRNGs | ||
| Apr. 29 | 9-1 | Deployment & Distribution: patching, security managers | Java security manager | Java reflection abuse | Fuzzer Round 1 due | |
| May 1 | 9-2 | Insider Threat | Insiders across domains | Cache Poisoning | ||
| May 6 | 10-1 | Assessment: CVSS, CWSS | Vulnerability Assessment | Time of Check, Time of Use | ||
| May 8 | 10-2 | Black box testing | Wrap-up,Exam review | Uncontrolled format string | Fuzzer Round 2 due | |
| 11 | Final exam. Thursday, May 16th 2013, 8:00am-10:00am, GOL-1650 |