Class Schedule

Key:
Date Week Lecture Topics Activity Vulnerability of the Day Due or Released Reading
Aug 27-31 1 Course Overview, What is Secure? Integer overflow CWE-190
Sep 3-7 2 Requirements: misuse & abuse cases, security requirements. Abuse & Misuse cases; Web applications SQL injection, XSS McGraw ch. 8, CWE-79, CWE-89
Sep 10-14 3 Planning: risk assessment, test planning 12-minute test plans Buffer Overflow, Cross-site request forgery Fuzzer project released CWE-352, CSRF description, CWE-120
Sep 17-21 4 Design: threat modeling, distrustful decomposition Threat modeling (e.g. Feedly.tm4) OS command injection McGraw ch. 2,7, CWE-78
Sep 24-28 5 Implementation: defensive coding practices Log overflow, Path traversal Fuzzer round 0: Log in to DVWA. Due Monday by class CWE-400, CWE-779, CWE-770, CWE-22
Oct 1-5 6 File system permissions, Code inspections Code inspection activity Hardcoded credentials, Embedded DTDs Fuzzer round 1: discover command. Due Monday by class.
Exam 1 Takehome portion (see myCourses).
McGraw ch. 5, CWE-798, CWE-827, CWE-776, CWE-611
Oct 8-12 7 Exam 1 Fri Oct 12
Study Guide
Fuzzer round 2: test command. Due Wednesday by class.
Oct 15-19 8 Cryptography: authentication, public-key, symmetric key
Go over exam
Work on History Project
Hashing without salt, Poor PRNG Seed Protection History project released CWE-759, CWE-338, VIDEO: How to find vulnerability fixes and introductions with git
Oct 22-26 9 Cryptography: SSH, SSL, PGP, side-channel attacks
SSH activity
Insecure PRNG Algorithms History project Part 1 Due Friday by class
Oct 29 - Nov 2 10 Usability and Security Usability activity
Case study recon
Time of Check Time of use, Log neutralization History project Part 2 Due Friday by class
. Feedback to your cohort is due Friday by class.
CWE-367, CWE-117, CWE-93, CAPEC-93, OAuth Spec
Nov 5-9 11 Deployment & Distribution: patching, security managers Java security manager Java reflection abuse Case study proposal due Monday Wednesday by class
McGraw ch. 4, Salting, CWE-470
Nov 12-16 12 Case study chapter 1 due Wednesday by class
Nov 19-23 13 Vulnerability Assessment: CVSS, CWSS
Team Design
Team Design Activity
CERT activity
Assessment Activity
Cache poisoning Case study chapter 1 feedback due Wednesday by class
McGraw ch. 6
CVSS v3 spec, CAPEC-141
Nov 26-30 14 Exam 2 on Wednesday
Study Guide (Section 1,
Section 2)
Uncontrolled format string Murukannaiah: Java Security Manager project
Meneely: Java Security Manager project
McGraw ch. 12, CWE-134
Dec 3-7 15 Security resource game
Case study talks
Compression bombs Case study chapter 2 due Monday by class
Case study chapter 2 feedback due Wednesday by class
Final case study revision due last day of class
Java Security Manager Project due last day of class
Meneely: Reading Quizzes on myCourses due Dec 19th 11:59:59pm
Murukannaiah: Reading Quizzes on myCourses due Dec 17th 11:45pm
CWE-409, libpng's compression bombs
Final Exam:
Section 1: Dec 14, 10:45am - 1:15pm (GOL-1520)
Section 2: Dec 17, 10:45am - 1:15pm (GOL-1650)