Lukyanov Schedule


"Due by class" means due at the time your section's class starts. For example, if your section's class starts at 1:00pm, then "Monday by class" means 1:00pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues while everyone is together.

Schedule

| Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading |
|------|-------|----------------------|--------------------------|-----------------|---------|
| 1 | Jan 12 - Jan 16 | Introduction: Security Principles. Security Lifecycle. Course Overview. Design a Bad System activity. | Integer overflow. Buffer overflow. | | CWE-190, CWE-120 |
| 2 | Jan 19 - Jan 23 | No class Monday Jan 19. DVWA activity. | SQL injection. Cross-Site Scripting (XSS). | Fuzzer released. | CWE-89, CWE-79 |
| 3 | Jan 26 - Jan 30 | Requirements: Misuse & Abuse Cases. Planning: risk assessment. Misuse & abuse cases activity. | OS command injection. Cross-site request forgery (CSRF). | Fuzzer iteration 0 due Friday by class. | CWE-352, CSRF Description, CWE-78 |
| 4 | Feb 2 - Feb 6 | Environment: file system permissions. File system permissions activity. Penetration testing. Design: threat modeling. | Path traversal. Log overflow. | Fuzzer iteration 1 due Friday by class. | CWE-22, CWE-400, CWE-779, CWE-770 |
| 5 | Feb 9 - Feb 13 | Threat modeling activity. Distrustful decomposition. Implementation: defensive coding practices. | XML embedded DTDs. | Fuzzer iteration 2 due Friday by class. | CWE-827, CWE-776, CWE-611 |
| 6 | Feb 16 - Feb 20 | Implementation: defensive coding practices. Exam review. Catch up. | Hardcoded credentials. | File Permissions myCourses Quiz and Practice Quiz due Friday by class. In-class Exam 1 Friday. Take-home exam released with the in-class exam. | CWE-798, CVSS v3 Spec |
| 7 | Feb 23 - Feb 27 | Vulnerability assessment: CVSS. Career Fair Feb 25: in-class project work, no new material that day. | Time-of-check/time-of-use (TOCTOU). Log neutralization. | Take-home portion of exam due Monday by class. Input handling project released. | CWE-367, CWE-117, CWE-93, CAPEC-93 |
| 8 | Mar 2 - Mar 6 | CVSS activity. Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. | Hashing without salt. Poor PRNG seed protection. | Input handling project parts 0, 1, 2 due Monday by class. Input handling all parts due Friday by class. | CWE-759, Salting Guide |
| 9 | Mar 9 - Mar 13 | Spring break | | | |
| 10 | Mar 16 - Mar 20 | Side-channel attacks. Deployment & Distribution: patching. | Insecure PRNG algorithms. Regex DoS. | IPC project released. | CWE-338, OAuth Spec |
| 11 | Mar 23 - Mar 27 | Usability and Security. Insider Threat. OAuth activity. | Java reflection abuse. Uncontrolled format string. | IPC project due Friday by class. | CWE-470 |
| 12 | Mar 30 - Apr 3 | Supply-chain attacks. Insider Threat activity. Insider Threat presentation. | | Case Study project released. | CWE-134 |
| 13 | Apr 6 - Apr 10 | Project work. Exam review. Exam 2 Wednesday. | Compression bombs. | Case Study Proposal due Monday by class. | |
| 15 | Apr 20 - Apr 24 | Code inspection. Case Study presentation. | | Case Study Peer Review due Monday by class. Case Study Part 2 due Friday by class. | |
| 16 | Apr 27 | Final Exam review. | | | |