Basham Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

| Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading |
|------|-------|----------------------|--------------------------|-----------------|---------|
| 1 | Jan 12 - Jan 16 | Course Overview, Introduction: Security Principles, Security Lifecycle | Integer Overflow | | CWE-190, CWE-120 |
| 2 | Jan 19 - Jan 23 | No class Monday Jan 19 (MLK Jr Day). Security Lifecycle, Web Security Overview, Penetration testing. DVWA activity. | Buffer Overflow, SQL injection, Cross-Site Scripting (XSS) | Fuzzer released. | CWE-89, CWE-79 |
| 3 | Jan 26 - Jan 30 | Requirements: Misuse & Abuse Cases. Planning: risk assessment. Requirements & planning activity. | Cross-site request forgery (CSRF), OS command injection | Fuzzer iteration 0 due Friday by class. | CWE-352, CSRF Description, CWE-78 |
| 4 | Feb 02 - Feb 06 | Environment: file system permissions. Design: threat modeling. | Path traversal, log overflow | Fuzzer iteration 1 due Sunday EOD. | CWE-22, CWE-400, CWE-779, CWE-770 |
| 5 | Feb 09 - Feb 13 | Threat modeling activity. Design: distrustful decomposition. Implementation: defensive coding practices. | XML embedded DTDs | Fuzzer iteration 2 due Sunday EOD. | CWE-827, CWE-776, CWE-611 |
| 6 | Feb 16 - Feb 20 | Implementation: defensive coding practices. Catch up. | Hardcoded credentials | File Permissions myCourses Quiz AND Practice Quiz due Wed Feb 18 by class. In-Class Exam 1 Fri Feb 20. Takehome exam released with in-class exam. | CWE-798, CVSS v3 Spec |
| 7 | Feb 23 - Feb 27 | Vulnerability assessment: CVSS. CVSS activity. | Time of Check Time of Use (TOCTOU), Log neutralization | Takehome portion of exam due Monday by class. Input Handling project released. | CWE-367, CWE-117, CWE-93, CAPEC-93 |
| 8 | Mar 02 - Mar 06 | Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks. | Hashing without salt | Input Handling project parts 0, 1, 2 due Friday EOD. | CWE-759, Salting Guide |
| 9 | Mar 09 - Mar 13 | No classes this week | | | |
| 11 | Mar 23 - Mar 27 | Deployment & Distribution: patching, security managers. Usability and Security; OAuth activity. | Regex DOS, Java reflection abuse | IPC Project due Sunday by EOD. | |
| 12 | Mar 30 - Apr 03 | Catch up / Exam Review Wed / Exam 2 Fri Apr 03. | | | |
| 15 | Apr 20 - Apr 24 | Networking continued. | Dynamic library side-loading | Case Study Chapter 2 due Wed by class; review in class. | |
| 16 | Apr 27 - May 01 | Mon Apr 27: Last day of class. Case Study presentations. | | All makeup work due by Monday. | |
| | Fri May 01 | 8:00am-10:30am In-person, in GOL-1650 (unless you have arranged otherwise with Prof. Basham) | | | |