Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

• • Week
  • Dates
  • Lecture & Activities
  • Vulnerability of the Day
  • Due or Released
  • Reading
• • 1
  • Aug 25 - Aug 29
  • Introduction: Security Principles. Security Lifecycle. Course Overview. Design a Bad System activity
  • Integer Overflow. Buffer Overflow
  •  
  • CWE-190 CWE-120
• • 2
  • Sep 1 - Sep 5
  • No class Monday Sep 1 (Labor Day) Web Security Overview. DVWA activity.
  • SQL injection. Cross-Site Scripting (XSS)
  • Fuzzer released.
  • CWE-89 CWE-79
• • 3
  • Sep 8 - Sep 12
  • Requirements: Misuse & Abuse Cases. Planning: risk assessment. Requirements & planning activity.
  • OS command injection. Cross-site request forgery (CSRF)
  • Fuzzer iteration 0 due Friday by class
  • CWE-352 CSRF Description CWE-78
• • 4
  • Sep 15 - Sep 19
  • Environment: file system permissions. Penetration testing. Design: threat modeling.
  • Path traversal. Log overflow
  • Fuzzer iteration 1 due Friday by class
  • CWE-22 CWE-400 CWE-779 CWE-770
• • 5
  • Sep 22 - Sep 26
  • Threat modeling activity. Distrustful decomposition. Implementation: defensive coding practices.
  • XML embedded DTDs
  • Fuzzer iteration 2 due Friday by class.
  • CWE-827 CWE-776 CWE-611
• • 6
  • Sep 29 - Oct 3
  • Implementation: defensive coding practices. Catch up.
  • Hardcoded credentials
  • File Permissions myCourses Quiz AND Practice Quiz due Friday Oct 3 by class. In-Class Exam 1 Friday Oct 3 Takehome exam released with in-class exam.
  • CWE-798 CVSS v3 Spec
• • 7
  • Oct 6 - Oct 10
  • Vulnerability assessment: CVSS. Career Fair Oct 8: in-class review, no new material that day.
  • Time of Check Time of Use (TOCTOU). Log neutralization
  • Takehome portion of exam due Monday by class. Input handling project released.
  • CWE-367 CWE-117 CWE-93 CAPEC-93
• • 8
  • Oct 13 - Oct 17
  • No class Monday Oct 14. CVSS activity. Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP.
  • Hashing without salt
  • Input handling project parts 0, 1,2 due Wednesday by class.
  • CWE-759 Salting Guide
• • 9
  • Oct 20 - Oct 24
  • OAuth activity. Side-channel attacks
  • Poor PRNG seed protection, Insecure PRNG algorithms, Regex DOS
  • Input handling all parts due Wednesday by class.
  • CWE-338 OAuth Spec
• • 10
  • Oct 27 - Oct 31
  • Deployment & Distribution: patching. Usability and Security
  • Java reflection abuse
  • IPC Project released
  • CWE-470
• • 11
  • Nov 3 - Nov 7
  • Insider Threat. Insider Threat Activity. Insider Threat Presentation
  • Uncontrolled format string
  • IPC project due Friday by class
  • CWE-134
• • 12
  • Nov 10 - Nov 14
  • Supply-chain attacks. Exam Review. Exam 2 Friday Nov 14.
  • Catch up
  •  
  •  
• • 13
  • Nov 17 - Nov 21
  • Case study recon. Networking: OSI model, MitM attacks, poisoning. Networking activity.
  • Compression bombs. Cache poisoning. Open redirect.
  •  
  • CWE-409 Compression Bombs CAPEC-141 Video: DNS Cache Poisoning
• • 14
  • Nov 24 - Nov 28
  • Cybersecurity policy and law. Case Study Chapter 1 Due Tuesday evening 11:59pm No class Wed or Fri
  • Dynamic library side-loading
  •  
  •  
• • 15
  • Dec 1 - Dec 5
  • Code Inspection. Case study peer review activity Friday
  •  
  • Case study chapter 2 due Friday by class.
  •  
• • 16
  • Dec 8
  • Monday Dec 8: Last day of class
  •  
  • Final Case study revisions due Monday by class. All makeup work due by class.
  •  
• •  
  • TBD
  • In-person
  •  
  •  
  •