Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.
Schedule
| Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading |
|---|---|---|---|---|---|
| 3 | Sep 08 - Sep 12 | Requirements: Misuse & Abuse Cases, Planning: risk assessment. Requirements & planning activity. | Cross-site request forgery (CSRF), OS command injection | Fuzzer iteration 0 due Friday by class | CWE-352, CSRF Description, CWE-78 |
| 6 | Sep 29 - Oct 03 | Implementation: defensive coding practices. Catch up. | Hardcoded credentials | File Permissions myCourses Quiz AND Practice Quiz due Friday Feb 21 by class. In-Class Exam 1 Friday Feb 21. Takehome exam released with in-class exam. | CWE-798, CVSS v3 Spec |
| 7 | Oct 06 - Oct 10 | Vulnerability assessment: CVSS. CVSS activity. | Time of Check Time of Use (TOCTOU), Log neutralization | Takehome portion of exam due Monday by class. Input Handling project released. | CWE-367, CWE-117, CWE-93, CAPEC-93 |
| 8 | Oct 13 - Oct 17 | Fall Break (Oct 13-14). Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks. | Hashing without salt | Input Handling project parts 0, 1, 2 due Friday EOD. | CWE-759, Salting Guide |
| 9 | Oct 20 - Oct 24 | Cryptography: continued. Supply-chain attacks. | Poor PRNG seed protection, Insecure PRNG algorithms | Input Handling project all parts due Friday EOD. IPC Project released. | CWE-338, OAuth Spec, CWE-470 |
| 10 | Oct 27 - Oct 31 | Deployment & Distribution: patching, security managers. Usability and Security; OAuth activity. | Regex DoS, Java reflection abuse | IPC Project due Sunday by EOD. | |
| 11 | Nov 03 - Nov 07 | Insider Threat. Exam Review. Exam 2 Friday Apr 04. | | | |
| 12 | Nov 10 - Nov 14 | | | | |
| 13 | Nov 17 - Nov 21 | Case Study recon. Networking: OSI model and MitM attacks, poisoning. | Uncontrolled format string. Compression bombs. | | CWE-134, CWE-409, Compression Bombs |
| 14 | Nov 24 - Nov 28 | Catch up | | Case Study Chapter 1 due Tuesday evening 11:59pm | |
| 15 | Dec 01 - Dec 05 | Cybersecurity policy and law. Case Study peer review activity Friday. | Cache poisoning, dynamic library side-loading | Case Study chapter 2 due Wednesday by class. Case Study reviews due Friday EOD. | CAPEC-141, Video: DNS Cache Poisoning |
| 16 | Dec 09 | Tuesday Dec 09: Last day of class. Case Study presentations. | | Final Case Study revisions due Monday by class. All makeup work due by class. | |
| | Dec 12 | 10:45am-1:15pm In-person, in GOL-1550 (unless you have arranged otherwise with Prof. Basham) | | | |