Class Schedule

| Date | Week | Lecture Topics | Activity | Vulnerability of the Day | Due or Released | Reading |
|---|---|---|---|---|---|---|
| Jan 17, 19 | 1 | Course Overview, What is Secure? | | Integer overflow | | CWE-190 |
| Jan 22-26 | 2 | Requirements: misuse & abuse cases, security requirements | Abuse & misuse cases; web applications | SQL injection, XSS | | McGraw ch. 8, CWE-79, CWE-89 |
| Jan 29 - Feb 2 | 3 | Planning: risk assessment, test planning | 12-minute test plans | Buffer overflow, cross-site request forgery | Fuzzer project released | CWE-352, CSRF description, CWE-120 |
| Feb 5 - 9 | 4 | Design: threat modeling, distrustful decomposition | Threat modeling (e.g. Feedly.tm4) | OS command injection | | McGraw ch. 2, 7, CWE-78 |
| Feb 12 - 16 | 5 | Implementation: defensive coding practices | | Log overflow, path traversal | Fuzzer round 0: log in to DVWA. Due Monday by class. | CWE-400, CWE-779, CWE-770, CWE-22 |
| Feb 19 - 23 | 6 | Exam 1 Wed Feb 21 | Study Guide | | Fuzzer round 1: discover command. Due Monday by class. Exam 1 take-home portion (see myCourses). | McGraw ch. 5 |
| Feb 26 - Mar 2 | 7 | File system permissions, code inspections | Go over exam; code inspection activity | Hardcoded credentials, embedded DTDs | Fuzzer round 2: test command. Due Monday by class. | CWE-798, CWE-827, CWE-776, CWE-611 |
| Mar 5 - 9 | 8 | Cryptography: authentication, public-key, symmetric key | Go over exam; work on History Project | Hashing without salt, poor PRNG seed protection | History project released | CWE-759, CWE-338, VIDEO: How to find vulnerability fixes and introductions with git |
| Mar 11-16 | | Spring Break | | | | |
| Mar 19-23 | 9 | Cryptography: SSH, SSL, PGP, side-channel attacks | SSH activity | Insecure PRNG algorithms | History project Part 1 due Wednesday Friday by class | |
| Mar 26-30 | 10 | Usability and Security | Usability activity; case study recon | Time of check, time of use; log neutralization | History project Part 2 due Wednesday Friday by class. Feedback to your cohort is due Friday Mar 30 by class. All revisions based on feedback due Apr 2nd by class. | CWE-367, CWE-117, CWE-93, CAPEC-93, OAuth Spec |
| Apr 2 - 6 | 11 | Deployment & Distribution: patching, security managers | Java security manager | Java reflection abuse | Case study proposal due Monday by class. Case study chapter 1 due Friday by class. | McGraw ch. 4, Salting, CWE-470 |
| Apr 9 - 13 | 12 | Exam review, catch up; Exam 2 on Wednesday | Study Guide | | Case study chapter 1 due Monday Apr 9 by class. Case study chapter 1 feedback due Friday by class. | |
| Apr 16 - 20 | 13 | Vulnerability Assessment: CVSS, CWSS; team design | Team design activity; CERT activity; assessment activity | Cache poisoning | Case study chapter 1 feedback due Monday by class | McGraw ch. 6, CVSS v3 spec, CAPEC-141 |
| Apr 23 - 27 | 14 | Security resource game, case study talks | | Uncontrolled format string | Case study chapter 2 due Monday by class. Case study chapter 2 feedback due Friday by class. | McGraw ch. 12, CWE-134 |
| Apr 30 | 15 | Security resource game | | Compression bombs | Final case study revision due last day of class | CWE-409, libpng's compression bombs |
Final Exam:
Section 1: May 2, 8:00am - 10am (GOL-1650)
Section 2: May 4, 10:15am - 12:15pm (GOL-1550)