Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

• • Week
  • Dates
  • Lecture & Activities
  • Vulnerability of the Day
  • Due or Released
  • Reading
• • 1
  • Jan 13 — Jan 17
  • Course Overview, Introduction: Security Principles, Security Lifecycle
  • Integer Overflow, Buffer Overflow
  •  
  • CWE-190 CWE-120
• • 2
  • Jan 20 - Jan 24
  • No class Monday Jan 20 (MLK Day) Web Security Overview. Testing: penetration testing. DVWA activity.
  • SQL injection, Cross-Site Scripting (XSS)
  • Fuzzer released.
  • CWE-89 CWE-79
• • 3
  • Jan 27 - Jan 31
  • Requirements: Misuse & Abuse Cases, Planning: risk assessment. Requirements & planning activity.
  • Cross-site request forgery (CSRF), OS command injection
  • Fuzzer iteration 0 due Friday by class
  • CWE-352 CSRF Description CWE-78
• • 4
  • Feb 03 - Feb 07
  • Environment: file system permissions, Design: threat modeling.
  • Path traversal, log overflow
  • Fuzzer iteration 1 due Sunday EOD
  • CWE-22 CWE-400 CWE-779 CWE-770
• • 5
  • Feb 10 - Feb 14
  • Threat modeling activity. Design: distrustful decomposition. Implementation: defensive coding practices.
  • XML embedded DTDs
  • Fuzzer iteration 2 due Sunday EOD.
  • CWE-827 CWE-776 CWE-611
• • 6
  • Feb 17 - Feb 21
  • Implementation: defensive coding practices. Catch up.
  • Hardcoded credentials
  • File Permissions myCourses Quiz AND Practice Quiz due Friday Feb 21 by class. In-Class Exam 1 Friday Feb 21 Takehome exam released with in-class exam.
  • CWE-798 CVSS v3 Spec
• • 7
  • Feb 24 - Feb 28
  • Vulnerability assessment: CVSS. CVSS activity.
  • Time of Check Time of Use (TOCTOU), Log neutralization
  • Takehome portion of exam due Monday by class. Input Handling project released.
  • CWE-367 CWE-117 CWE-93 CAPEC-93
• • 8
  • Mar 03 - Mar 07
  • Career Fair (Mar 5) Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks.
  • Hashing without salt
  • Input Handling project parts 0, 1, 2 due Friday EOD.
  • CWE-759 Salting Guide
• • 9
  • Mar 10 - Mar 14
  • Spring Break – No Classes
  •  
  •  
  •  
• • 10
  • Mar 17 - Mar 21
  • Cryptography: continued. Supply-chain attacks.
  • Poor PRNG seed protection, Insecure PRNG algorithms
  • Input Handling project all parts due Friday EOD. IPC Project released
  • CWE-338 OAuth Spec CWE-470
• • 11
  • Mar 24 - Mar 28
  • Deployment & Distribution: patching, security managers. Usability and Security; OAuth activity.
  • Regex DOS, Java reflection abuse
  • IPC Project due Sunday by EOD.
  •  
• • 12
  • Mar 31 - Apr 04
  • Insider Threat. Exam Review. Exam 2 Friday Apr 04.
  •  
  •  
  •  
• • 13
  • Apr 07 - Apr 11
  • Case Study recon. Networking: OSI model and MitM attacks, poisoning.
  • Uncontrolled format string. Compression bombs.
  •  
  • CWE-134 CWE-409 Compression Bombs
• • 14
  • Apr 14 - Apr 18
  • Case Study Chapter 1 Due Tuesday evening 11:59pm
  • Catch up
  •  
  •  
• • 15
  • Apr 21 - Apr 25
  • Cybersecurity policy and law. Case Study peer review activity Friday
  • Cache poisoning, dynamic library side-loading
  • Case Study chapter 2 due Wednesday by class. Case Study reviews due Friday EOD.
  • CAPEC-141 Video: DNS Cache Poisoning
• • 16
  • Apr 28
  • Monday Apr 28: Last day of class. Case Study presentations.
  •  
  • Final Case Study revisions due Monday by class. All makeup work due by class.
  •  
• •  
  • May 07
  • 8:00-10:30am In-person, in GOL-1550 (unless you have arranged otherwise with Prof. Basham)
  •  
  •  
  •