Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

• • Week
  • Dates
  • Lecture & Activities
  • Vulnerability of the Day
  • Due or Released
  • Reading
• • 1
  • Aug 25 — Aug 29
  • Course Overview, Introduction: Security Principles, Security Lifecycle
  • Integer Overflow
  •  
  • CWE-190 CWE-120
• • 2
  • Sep 01 - Sep 05
  • No class Monday Sep 01 (Labor Day) Security Lifecycle, Web Security Overview, Penetration testing. DVWA activity.
  • Buffer Overflow, SQL injection, Cross-Site Scripting (XSS)
  • Fuzzer released.
  • CWE-89 CWE-79
• • 3
  • Sep 08 - Sep 12
  • Requirements: Misuse & Abuse Cases, Planning: risk assessment. Requirements & planning activity.
  • Cross-site request forgery (CSRF), OS command injection
  • Fuzzer iteration 0 due Friday by class
  • CWE-352 CSRF Description CWE-78
• • 4
  • Sep 15 - Sep 19
  • Environment: file system permissions, Design: threat modeling.
  • Path traversal, log overflow
  • Fuzzer iteration 1 due Sunday EOD
  • CWE-22 CWE-400 CWE-779 CWE-770
• • 5
  • Sep 22 - Sep 26
  • Threat modeling activity. Design: distrustful decomposition. Implementation: defensive coding practices.
  • XML embedded DTDs
  • Fuzzer iteration 2 due Sunday EOD.
  • CWE-827 CWE-776 CWE-611
• • 6
  • Sep 29 - Oct 03
  • Implementation: defensive coding practices. Catch up.
  • Hardcoded credentials
  • File Permissions myCourses Quiz AND Practice Quiz due Thur Oct 2 by class. In-Class Exam 1 Thur Oct 2 Takehome exam released with in-class exam.
  • CWE-798 CVSS v3 Spec
• • 7
  • Oct 06 - Oct 10
  • Vulnerability assessment: CVSS. CVSS activity.
  • Time of Check Time of Use (TOCTOU), Log neutralization
  • Takehome portion of exam due Monday by class. Input Handling project released.
  • CWE-367 CWE-117 CWE-93 CAPEC-93
• • 8
  • Oct 13 - Oct 17
  • Fall Break (Oct 13-14) Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks.
  • Hashing without salt
  • Input Handling project parts 0, 1, 2 due Friday EOD.
  • CWE-759 Salting Guide
• • 9
  • Oct 20 - Oct 24
  • Cryptography: continued. Supply-chain attacks.
  • Poor PRNG seed protection, Insecure PRNG algorithms
  • Input Handling project all parts due Friday EOD. IPC Project released
  • CWE-338 OAuth Spec CWE-470
• • 10
  • Oct 27 - Oct 31
  • Deployment & Distribution: patching, security managers. Usability and Security; OAuth activity.
  • Regex DOS, Java reflection abuse
  • IPC Project due Sunday by EOD.
  •  
• • 11
  • Nov 03 - Nov 07
  • Insider Threat. Exam Review. Exam 2 Friday Apr 04.
  •  
  •  
  •  
• • 12
  • Nov 10 - Nov 14
• • 13
  • Nov 17 - Nov 21
  • Case Study recon. Networking: OSI model and MitM attacks, poisoning.
  • Uncontrolled format string. Compression bombs.
  •  
  • CWE-134 CWE-409 Compression Bombs
• • 14
  • Nov 24 - Nov 28
  • Case Study Chapter 1 Due Tuesday evening 11:59pm
  • Catch up
  •  
  •  
• • 15
  • Dec 01 - Dec 05
  • Cybersecurity policy and law. Case Study peer review activity Friday
  • Cache poisoning, dynamic library side-loading
  • Case Study chapter 2 due Wednesday by class. Case Study reviews due Friday EOD.
  • CAPEC-141 Video: DNS Cache Poisoning
• • 16
  • Dec 09
  • Tuesday Dec 09: Last day of class. Case Study presentations.
  •  
  • Final Case Study revisions due Monday by class. All makeup work due by class.
  •  
• •  
  • Dec 12
  • 10:45am-1:15pm In-person, in GOL-1550 (unless you have arranged otherwise with Prof. Basham)
  •  
  •  
  •