Basham Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

    • Week
    • Dates
    • Lecture & Activities
    • Vulnerability of the Day
    • Due or Released
    • Reading
    • 1
    • Aug 25 — Aug 29
    • Course Overview, Introduction: Security Principles, Security Lifecycle
    • Integer Overflow
    •  
    • CWE-190 CWE-120
    • 2
    • Sep 01 - Sep 05
    • No class Monday Sep 01 (Labor Day) Security Lifecycle, Web Security Overview, Penetration testing. DVWA activity.
    • Buffer Overflow, SQL injection, Cross-Site Scripting (XSS)
    • Fuzzer released.
    • CWE-89 CWE-79
    • 3
    • Sep 08 - Sep 12
    • Requirements: Misuse & Abuse Cases, Planning: risk assessment. Requirements & planning activity.
    • Cross-site request forgery (CSRF), OS command injection
    • Fuzzer iteration 0 due Friday by class
    • CWE-352 CSRF Description CWE-78
    • 4
    • Sep 15 - Sep 19
    • Environment: file system permissions, Design: threat modeling.
    • Path traversal, log overflow
    • Fuzzer iteration 1 due Sunday EOD
    • CWE-22 CWE-400 CWE-779 CWE-770
    • 5
    • Sep 22 - Sep 26
    • Threat modeling activity. Design: distrustful decomposition. Implementation: defensive coding practices.
    • XML embedded DTDs
    • Fuzzer iteration 2 due Sunday EOD.
    • CWE-827 CWE-776 CWE-611
    • 6
    • Sep 29 - Oct 03
    • Implementation: defensive coding practices. Catch up.
    • Hardcoded credentials
    • File Permissions myCourses Quiz AND Practice Quiz due Friday Feb 21 by class. In-Class Exam 1 Friday Feb 21 Takehome exam released with in-class exam.
    • CWE-798 CVSS v3 Spec
    • 7
    • Oct 06 - Oct 10
    • Vulnerability assessment: CVSS. CVSS activity.
    • Time of Check Time of Use (TOCTOU), Log neutralization
    • Takehome portion of exam due Monday by class. Input Handling project released.
    • CWE-367 CWE-117 CWE-93 CAPEC-93
    • 8
    • Oct 13 - Oct 17
    • Fall Break (Oct 13-14) Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks.
    • Hashing without salt
    • Input Handling project parts 0, 1, 2 due Friday EOD.
    • CWE-759 Salting Guide
    • 10
    • Oct 27 - Oct 31
    • Deployment & Distribution: patching, security managers. Usability and Security; OAuth activity.
    • Regex DOS, Java reflection abuse
    • IPC Project due Sunday by EOD.
    •  
    • 11
    • Nov 03 - Nov 07
    • Insider Threat. Exam Review. Exam 2 Friday Apr 04.
    •  
    •  
    •  
    • 12
    • Nov 10 - Nov 14
    • 14
    • Nov 24 - Nov 28
    • Case Study Chapter 1 Due Tuesday evening 11:59pm
    • Catch up
    •  
    •  
    • 16
    • Dec 09
    • Tuesday Dec 09: Last day of class. Case Study presentations.
    •  
    • Final Case Study revisions due Monday by class. All makeup work due by class.
    •  
    •  
    • Dec 12
    • 10:45am-1:15pm In-person, in GOL-1550 (unless you have arranged otherwise with Prof. Basham)
    •  
    •  
    •