This course provides a foundation for building secure software by applying security principles to the software development lifecycle. Topics covered include: security in requirements engineering, secure designs, risk analysis, threat modeling, deploying cryptographic algorithms, defensive coding, penetration testing, fuzzing, static analysis, and security assessment. Students will learn the practical skills for developing and testing for secure software while also learning sound security fundamentals from real-world case studies.
At the completion of this course, students will be able to:
- Apply contemporary formal mathematical modeling techniques to model and analyze the security of a software system
- Identify project security risks & selecting risk management strategies.
- Use statistical methods to collect and analyze metrics for assessing and improving the security of a product, process, and project objectives.
- Describe and discuss security concerns designs at multiple levels of abstraction
- Comply with data privacy and security requirements when designing a software system.
- Design a software solution for secure access and protection of data.
- Use quality assurance activities and strategies that support early vulnerability detection and contribute to improving the development process.
- Software Security: Building Security In by Gary McGraw. Addison-Wesley, ISBN 978-321-35670-3
- (Optional)Software Security Engineering: A Guide for Project Managers by Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, and Nancy Mead. Addison-Wesley, ISBN 978-0-32-150917-8
- Lectures. You know what these are.
- Vulnerability of the Day. We will cover a common programming mistake that results in the system being vulnerable. These are live demonstrations with links to descriptions in outside other resources.
- Class Activities. We will cover a different practice or tool. Most of these require teams (i.e. people at your table), some are more individual. Some activities have a graded deliverable, but all will require in-class attendance.
- Vulnerability History Project You will be doing some historical analysis of vulnerabilities from one project to help security researchers.
- Case Study Project. You will be doing an in-depth case study of a large, open source software project.
- Web Application Fuzzer project. We will be building a web application fuzz testing tool for automating the discovery of common vulnerabilities in web applications.
- Readings. These are designed to supplement the lectures and in-class activities. Exams will be based on both readings and lectures, and the instructor reserves the right to ask exam questions that were only covered in the assigned readings.
- 10%: Fuzzer project
- 20%: Case Study project
- 10%: Vulnerability History project
- 5%: Class Activities
- 15%: Exam 1
- 15%: Exam 2
- 20%: Final exam (cumulative)
- Attendance (no component, but we strongly recommend it)
Regarding attendance, attendance is not required. But! The best way to succeed in this class is to come to class and take notes in the lectures. While we post the slides, the lectures will have key information that is not necessarily found in the slides. Also, some work is collaborative and your teammates need a time to see you in class to coordinate.
When assigning final grades, each instructor reserves the right to alter these division points as he or she deems necessary based on the overall evaluation of individual or class performance and effort.
Grading Letter Breakdown:
The following chart will be used to determine your letter grade at the conclusion of the term.
|A-||90 <= x < 93|
|B+||87 <= x < 90|
|B||83 <= x < 87|
|B-||80 <= x < 83|
|C+||77 <= x < 80|
|C||73 <= x < 77|
|C-||70 <= x < 73|
|D||60 <= x < 70|
Rounding is at the discretion of the instructor.
Note: The individual project grades may be adjusted in either direction from the team grade based on the assessment of your contribution by the instructor and your colleagues on the team.
Policy for late work will be handled by the instructor on a case-by-case basis. Do not assume that any accomodations will be made for late work.