Meneely Schedule

Due by class means due at the time class starts. For example, if your section’s class starts at 1:00pm, then “Monday by class” means 1pm on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

    • Week
    • Dates
    • Lecture & Activities
    • Vulnerability of the Day
    • Due or Released
    • Reading
    • 1
    • Aug 25 - Aug 29
    • Introduction: Security Principles, Security Lifecycle, Course Overview, Design a Bad System
    • Integer Overflow, Buffer Overflow
    •  
    • CWE-190 CWE-120
    • 2
    • Sep 1 - Sep 5
    • No class Monday Sep 1 (Labor Day) Web Security Overview. DVWA activity.
    • SQL injection, Cross-Site Scripting (XSS)
    • Fuzzer released.
    • CWE-89 CWE-79
    • 3
    • Sep 8 - Sep 12
    • Requirements: Misuse & Abuse Cases, Planning: risk assessment. Requirements & planning activity.
    • OS command injection, Cross-site request forgery (CSRF)
    • Fuzzer iteration 0 due Friday by class
    • CWE-352 CSRF Description CWE-78
    • 4
    • Sep 15 - Sep 19
    • Environment: file system permissions, Penetration testing. Design: threat modeling.
    • Path traversal, log overflow
    • Fuzzer iteration 1 due Friday by class
    • CWE-22 CWE-400 CWE-779 CWE-770
    • 5
    • Sep 22 - Sep 26
    • Threat modeling activity, Distrustful decomposition. Implementation: defensive coding practices.
    • XML embedded DTDs
    • Fuzzer iteration 2 due Friday by class.
    • CWE-827 CWE-776 CWE-611
    • 6
    • Sep 29 - Oct 3
    • Implementation: defensive coding practices. Catch up.
    • Hardcoded credentials
    • File Permissions myCourses Quiz AND Practice Quiz due Friday Oct 3 by class. In-Class Exam 1 Friday Oct 3 Takehome exam released with in-class exam.
    • CWE-798 CVSS v3 Spec
    • 7
    • Oct 6 - Oct 10
    • Vulnerability assessment: CVSS. CVSS activity. Career Fair Oct 8: in-class review, no new material that day.
    • Time of Check Time of Use (TOCTOU), Log neutralization
    • Takehome portion of exam due Monday by class. Input handling project released.
    • CWE-367 CWE-117 CWE-93 CAPEC-93
    • 8
    • Oct 13 - Oct 17
    • No class Monday Oct 14. Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP. Side-channel attacks
    • Hashing without salt, poor PRNG seed protection
    • Input handling project parts 0, 1,2 due Wednesday by class.
    • CWE-759 Salting Guide
    • 9
    • Oct 20 - Oct 24
    • Usability and Security. OAuth activity.
    • Insecure PRNG algorithms, Regex DOS
    • Input handling all parts due Wednesday by class.
    • CWE-338 OAuth Spec
    • 10
    • Oct 27 - Oct 31
    • Supply-chain attacks
    • Java reflection abuse
    • IPC Project released
    • CWE-470
    • 11
    • Nov 3 - Nov 7
    • Deployment & Distribution: patching.
    •  
    • IPC project due Friday by class
    •  
    • 12
    • Nov 10 - Nov 14
    • Exam Review. Exam 2 Friday Nov 14.
    • Catch up
    •  
    •  
    • 13
    • Nov 17 - Nov 21
    • Case study recon. Networking: OSI model, MitM attacks, poisoning. Networking activity. Insider Threat.
    • Uncontrolled format string, compression bombs.
    •  
    • CWE-134 CWE-409 Compression Bombs
    • 14
    • Nov 24 - Nov 28
    • Case Study Chapter 1 Due Tuesday evening 11:59pm No class Wed or Fri
    •  
    •  
    •  
    • 15
    • Dec 1 - Dec 5
    • Cybersecurity policy and law. Case study peer review activity Friday
    • Cache poisoning, dynamic library side-loading
    • Case study chapter 2 due Friday by class.
    • CAPEC-141 Video: DNS Cache Poisoning
    • 16
    • Dec 8
    • Monday Dec 8: Last day of class
    •  
    • Final Case study revisions due Monday by class. All makeup work due by class.
    •  
    •  
    • Dec 11
    • In-person GOL 1650 (our usual class space). 10:45am-1:15pm
    • (unless you have arranged otherwise with Prof. Meneely)
    •  
    •