Due by class means due at the time class starts. For example, if your section’s class starts at 11:00am, then “Monday by class” means 10am on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

- Week
- Dates
- Lecture & Activites
- Vulnerability of the Day
- Due or Released
- Reading
- 1
- 01/15-01/19
- Martin Luther King Jr. Day - No Classes (01/15) Course Overview; Introduction: Security Principles
- Integer Overflow, Buffer Overflow
- CWE-190 CWE-120
- 2
- 01/22-01/26
- Web Security Overview; DVWA activity.
- SQL injection, Cross-Site Scripting (XSS)
- Fuzzer released.
- CWE-89 CWE-79
- 3
- 01/29-02/02
- Security Lifecycle; Testing: penetration testing; Requirements: Misuse & Abuse Cases
- Cross-site request forgery (CSRF), OS command injection
- Fuzzer iteration 0 due Wednesday by class
- CWE-352 CSRF Description CWE-78
- 4
- 02/05-02/09
- Planning: risk assessment. Requirements & planning activity. Environment: file system permissions,
- Path traversal, log overflow
- Fuzzer iteration 1 due Thursday EOD.;
- CWE-22 CWE-400 CWE-779 CWE-770
- 5
- 02/12-02/16
- File system permissions activity; distrustful decomposition; Design: threat modeling.
- XML embedded DTDs
- Fuzzer iteration 2 due Thursday EOD.
- CWE-827 CWE-776 CWE-611
- 6
- 02/19-02/23
- Threat modeling activity. Implementation: defensive coding practices
- SW Weaknesses Assignment (myCourses)
- CWE-798 CVSS v3 Spec
- 7
- 02/26-03/01
- Defensive coding (cont’d), Exam-1: Friday 03/01
- Hardcoded credentials
- Takehome exam released Friday (PDF on myCourses).
- CWE-367 CWE-117 CWE-93 CAPEC-93
- 8
- 03/04-03/08
- Vulnerability assessment: CVSS;
- Time of Check Time of Use (TOCTOU), Log neutralization
- Takehome exam due Monday by class. SW Weakness assignment due Friday EOD (See myCourses). Input handling project released.
- 9
- 03/11-03/15
- Spring Break - No Classes
- 10
- 03/18-03/22
- CVSS Activity; Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP, side-channel attacks
- Hashing without salt; poor PRNG seed protection
- Input handling project (Part 0, 1, 2) due Wednesday by class.
- CWE-759 CWE-338 Salting Guide
- 11
- 03/25-03/29
- Usability and Security. OAuth activity.
- Insecure PRNG algorithms; Java reflection abuse
- Input Handling project, remaining parts (Part 3, 4, 5) due Wednesday by class;
- OAuth Spec CWE-470
- 12
- 04/01-04/05
- Deployment & Distribution: patching; Insider Threat. Exam-2: Friday 04/05.
- Case study released;
- 13
- 04/08-04/12
- Networking: OSI model, MitM attacks. Activity: Case study recon - see Case Study
- Cache poisoning
- Case study proposal due Friday by class
- CAPEC-141 Video: DNS Cache Poisoning
- 14
- 04/15-04/19
- Dependency & Supply Chain; Supply-chain attacks;
- Uncontrolled format string
- Case study chapter 1 due Wednesday by EOD; Networking assignment (Port Scans/ Wireshark) - see myCourses for due date
- 15
- 04/22-04/26
- Cybersecurity policy & law; Case Study Presentations
- Compression bombs. If time: dynamic library side-loading
- Case study chapter 2 due Wednesday by EOD;
- CWE-134 CWE-409 Compression Bombs
- 16
- 04/29-/05/01
- Final Exam Review
- Case study final version due Wednesday by class;
- Final Exam
- Date: 05/01, Wednesday, 4:15pm-6:45pm
- Loc: GOL-1640