Meneely Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

Each week lists: Lecture & Activities, Vulnerability of the Day, Due or Released, Reading.

Week 1 (Aug 26 - Aug 30)
    • Lecture & Activities: Introduction: Security Principles, Security Lifecycle, Course Overview
    • Vulnerability of the Day: Integer Overflow, Buffer Overflow
    • Reading: CWE-190, CWE-120

Week 2 (Sep 2 - Sep 6)
    • Lecture & Activities: No class Monday Sep 2 (Labor Day). Web Security Overview. Testing: penetration testing. DVWA activity.
    • Vulnerability of the Day: SQL injection, Cross-Site Scripting (XSS)
    • Due or Released: Fuzzer released.
    • Reading: CWE-89, CWE-79

Week 3 (Sep 9 - Sep 13)
    • Lecture & Activities: Requirements: Misuse & Abuse Cases. Planning: risk assessment. Requirements & planning activity.
    • Vulnerability of the Day: Cross-site request forgery (CSRF), OS command injection
    • Due or Released: Fuzzer iteration 0 due Friday by class
    • Reading: CWE-352, CSRF Description, CWE-78

Week 4 (Sep 16 - Sep 20)
    • Lecture & Activities: Environment: file system permissions. Design: threat modeling, distrustful decomposition. Threat modeling activity.
    • Vulnerability of the Day: Path traversal, log overflow
    • Due or Released: Fuzzer iteration 1 due Friday by class
    • Reading: CWE-22, CWE-400, CWE-779, CWE-770

Week 5 (Sep 23 - Sep 27)
    • Lecture & Activities: Implementation: defensive coding practices. Career Fair Sep 25: in-class review, no new material that day.
    • Vulnerability of the Day: XML embedded DTDs
    • Due or Released: Fuzzer iteration 2 due Friday by class.
    • Reading: CWE-827, CWE-776, CWE-611

Week 6 (Sep 30 - Oct 4)
    • Lecture & Activities: Catch up.
    • Vulnerability of the Day: Hardcoded credentials
    • Due or Released: File Permissions myCourses Quiz AND Practice Quiz due Friday Oct 4 by class. In-Class Exam 1 Friday Oct 4. Takehome exam released with in-class exam.
    • Reading: CWE-798, CVSS v3 Spec

Week 7 (Oct 7 - Oct 11)
    • Lecture & Activities: Vulnerability assessment: CVSS. CVSS activity.
    • Vulnerability of the Day: Time of Check Time of Use (TOCTOU), Log neutralization
    • Due or Released: Takehome portion of exam due Monday by class. Input handling project released.
    • Reading: CWE-367, CWE-117, CWE-93, CAPEC-93

Week 8 (Oct 14 - Oct 18)
    • Lecture & Activities: No class Monday Oct 14. Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP, side-channel attacks
    • Vulnerability of the Day: Hashing without salt, poor PRNG seed protection
    • Due or Released: Input handling project parts 0, 1, 2 due Wednesday by class.
    • Reading: CWE-759, Salting Guide

Week 9 (Oct 21 - Oct 25)
    • Lecture & Activities: Usability and Security. OAuth activity.
    • Vulnerability of the Day: Insecure PRNG algorithms, Regex DOS
    • Due or Released: Input handling all parts due Wednesday by class.
    • Reading: CWE-338, OAuth Spec

Week 10 (Oct 28 - Nov 1)
    • Lecture & Activities: Supply-chain attacks
    • Vulnerability of the Day: Java reflection abuse
    • Due or Released: IPC Project released
    • Reading: CWE-470

Week 11 (Nov 4 - Nov 8)
    • Lecture & Activities: Deployment & Distribution: patching.
    • Due or Released: IPC project due Friday by class

Week 12 (Nov 11 - Nov 15)
    • Lecture & Activities: Exam Review. Exam 2 Friday Nov 15.
    • Vulnerability of the Day: Catch up

Week 13 (Nov 18 - Nov 22)
    • Lecture & Activities: Case study recon. Networking: OSI model, MitM attacks, poisoning. Networking activity. Insider Threat.
    • Vulnerability of the Day: Uncontrolled format string, compression bombs.
    • Due or Released: Case Study Chapter 1 due Friday by class.
    • Reading: CWE-134, CWE-409, Compression Bombs

Week 14 (Nov 25 - Nov 29)
    • Lecture & Activities: Case Study Chapter 1 due Tuesday evening 11:59pm. No class Wed or Fri.

Week 15 (Dec 2 - Dec 6)
    • Lecture & Activities: Cybersecurity policy and law. Case study peer review activity Friday.
    • Vulnerability of the Day: Cache poisoning, dynamic library side-loading
    • Due or Released: Case study chapter 2 due Wednesday Friday by class.
    • Reading: CAPEC-141, Video: DNS Cache Poisoning

Week 16 (Dec 9)
    • Lecture & Activities: Monday Dec 9: Last day of class
    • Due or Released: Final Case study revisions due Monday by class. All makeup work due by class.

Dec 11
    • 4:15-6:45pm, in-person, in GOL-3510 (unless you have arranged otherwise with Prof. Meneely)