Rabb Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 10:00am, then “Monday by class” means 10am on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

| Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading |
|------|-------|----------------------|--------------------------|-----------------|---------|
| 1 | 01/16-01/20 | Introduction: Security Principles, Security Lifecycle, Course Overview | Integer Overflow, Buffer Overflow | | CWE-190, CWE-120 |
| 2 | 01/23-01/27 | Web Security Overview. Testing: penetration testing. DVWA activity. | SQL injection, Cross-Site Scripting (XSS) | Fuzzer released. | CWE-89, CWE-79 |
| 3 | 01/30-02/03 | Requirements: Misuse & Abuse Cases. Planning: risk assessment. Requirements & planning activity. | Cross-site request forgery (CSRF), OS command injection | Fuzzer iteration 0 due Wednesday Friday by class | CWE-352, CSRF Description, CWE-78 |
| 4 | 02/06-02/10 | Environment: file system permissions. Design: threat modeling, distrustful decomposition. Threat modeling activity. | Path traversal, log overflow | | CWE-22, CWE-400, CWE-779, CWE-770 |
| 5 | 02/13-02/17 | Implementation: defensive coding practices | XML embedded DTDs | Fuzzer iteration 1 due Wednesday by class. | CWE-827, CWE-776, CWE-611 |
| 6 | 02/20-02/24 | Defensive coding (cont'd) | Hardcoded credentials | Fuzzer iteration 2 due Friday by class. Take-home exam released Friday (PDF on myCourses). | CWE-798, CVSS v3 Spec |
| 8 | 03/06-03/10 | Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP, side-channel attacks. Career fair 03/08. | Hashing without salt, poor PRNG seed protection | SW Weakness assignment due EOW (see myCourses). Input handling project released. | CWE-759, Salting Guide |
| 9 | 03/13-03/17 | Spring Break - No Classes | (Spring Break 03/12-03/19) | | |
| 10 | 03/20-03/24 | Usability and Security. | Insecure PRNG algorithms | Input handling project (Part 0, 1, 2) due next Monday before class. Quiz(zes) reminder!! (see myCourses) | CWE-338, OAuth Spec |
| 11 | 03/27-03/31 | Deployment & Distribution: patching, security managers. Insider Threat. Team activity. | Java reflection abuse | Input Handling project, remaining parts (Part 3, 4, 5) due next Monday before class. Fill in rest of time-tracking. | CWE-470 |
| 12 | 04/03-04/07 | Exam review. Exam 2 Wed Apr 05. Activity: Case study recon. | | Case study released. See myCourses. | |
| 15 | 04/24-04/28 | Steganography; Case Study Presentations (4/28 and 5/01) | Uncontrolled format string, compression bombs. If time: dynamic library side-loading | Case study chapter 2 - see myCourses | CWE-134, CWE-409, Compression Bombs |
| 16 | 05/01-05/05 | Software Security Regulation | | Case study presentations as needed in class. Last day of classes 05/01. | |

Final Exam

Date: Wednesday May 3rd 4:15pm-6:45pm
Loc: GOL-1520