Zhang Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 10:00am, then “Monday by class” means 10am on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

| Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading |
|---|---|---|---|---|---|
| 1 | 01/15-01/19 | Martin Luther King Jr. Day - No Classes (01/15); Course Overview; Introduction: Security Principles | Integer Overflow, Buffer Overflow | | CWE-190, CWE-120 |
| 2 | 01/22-01/26 | Web Security Overview; DVWA activity | SQL injection, Cross-Site Scripting (XSS) | Fuzzer released | CWE-89, CWE-79 |
| 3 | 01/29-02/02 | Security Lifecycle; Testing: penetration testing; Requirements: Misuse & Abuse Cases | Cross-site request forgery (CSRF), OS command injection | Fuzzer iteration 0 due Wednesday by class | CWE-352, CSRF Description, CWE-78 |
| 4 | 02/05-02/09 | Planning: risk assessment; Requirements & planning activity; Environment: file system permissions | Path traversal, log overflow | Fuzzer iteration 1 due Wednesday by class | CWE-22, CWE-400, CWE-779, CWE-770 |
| 5 | 02/12-02/16 | File system permissions activity; distrustful decomposition; Design: threat modeling | XML embedded DTDs | Fuzzer iteration 2 due Wednesday by class | CWE-827, CWE-776, CWE-611 |
| 6 | 02/19-02/23 | Threat modeling activity; Implementation: defensive coding practices; Defensive coding (cont'd) | Hardcoded credentials | SW Weaknesses Assignment (myCourses) | CWE-798, CVSS v3 Spec |
| 7 | 02/26-03/01 | Exam-1: Friday 03/01; Vulnerability assessment: CVSS; CVSS Activity | Time of Check Time of Use (TOCTOU), Log neutralization | SW Weakness assignment due Monday by class (See myCourses); Takehome exam released Friday (PDF on myCourses) | CWE-367, CWE-117, CWE-93, CAPEC-93, Video: Finding Vulnerability Fixes |
| 8 | 03/04-03/08 | Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP, side-channel attacks | Hashing without salt, poor PRNG seed protection | Takehome exam due Monday by class; Input handling project released | CWE-759, Salting Guide |
| 9 | 03/11-03/15 | Spring Break - No Classes | | | |
| 10 | 03/18-03/22 | Usability and Security; OAuth activity; Deployment & Distribution: patching | Insecure PRNG algorithms, Java reflection abuse | Input handling project (Part 0, 1, 2) due Wednesday by class | CWE-338, OAuth Spec |
| 11 | 03/25-03/29 | Activity: Case study recon - see Case Study | | Input Handling project, remaining parts (Part 3, 4, 5); Case study released | CWE-470 |
| 12 | 04/01-04/05 | Exam review; Exam-2: Friday 04/05 | | Case study proposal due Wednesday by class | |
| 15 | 04/22-04/26 | Cybersecurity policy & law; Case Study Presentations | Uncontrolled format string, compression bombs. If time: dynamic library side-loading | Networking assignment due Monday by class (See myCourses); Case study final version due Friday by class | CWE-134, CWE-409, Compression Bombs |
| 16 | 04/29-05/01 | Final Exam Review | | | |

Final Exam

Date: 05/01, Wednesday, 4:15pm-6:45pm
Loc: GOL-1520