Zhang Schedule


Due by class means due at the time class starts. For example, if your section’s class starts at 11:00am, then “Monday by class” means 11am on Monday. This gives our TA an opportunity to spot-check the submissions and fix any submission issues when everyone’s together.

Schedule

Columns: Week | Dates | Lecture & Activities | Vulnerability of the Day | Due or Released | Reading

Week 1, 01/13-01/17
    • Lecture & Activities: Course Overview; Introduction: Security Principles
    • Vulnerability of the Day: Integer Overflow, Buffer Overflow
    • Reading: CWE-190, CWE-120

Week 2, 01/20-01/24
    • Lecture & Activities: Martin Luther King Jr. Day - No Classes (01/20); Activity: DVWA Setup
    • Vulnerability of the Day: SQL injection, Cross-Site Scripting (XSS)
    • Due or Released: Fuzzer released.
    • Reading: CWE-89, CWE-79

Week 3, 01/27-01/31
    • Lecture & Activities: Security Lifecycle; Testing: penetration testing; Requirements: Misuse & Abuse Cases
    • Vulnerability of the Day: Cross-site request forgery (CSRF), OS command injection
    • Due or Released: Fuzzer iteration 0 due Wednesday by class.
    • Reading: CWE-352, CSRF Description, CWE-78

Week 4, 02/03-02/07
    • Lecture & Activities: Activity: Abuse & Misuse Cases; Planning: risk assessment; Design: threat modeling
    • Vulnerability of the Day: Path traversal, log overflow
    • Due or Released: Fuzzer iteration 1 due Wednesday by class.
    • Reading: CWE-22, CWE-400, CWE-779, CWE-770

Week 5, 02/10-02/14
    • Lecture & Activities: Activity: threat modeling; Design: Distrustful decomposition; Environment: file system permissions
    • Vulnerability of the Day: XML embedded DTDs
    • Due or Released: Fuzzer iteration 2 due Wednesday by class.
    • Reading: CWE-827, CWE-776, CWE-611

Week 6, 02/17-02/21
    • Lecture & Activities: File system permissions activity; Exam review; Exam-1: Friday 02/21
    • Vulnerability of the Day: Hardcoded credentials
    • Due or Released: Take-home exam released Friday (PDF on myCourses).
    • Reading: CWE-798, CVSS v3 Spec

Week 8, 03/03-03/07
    • Lecture & Activities: Career Fair (3/5); Vulnerability assessment: CVSS; CVSS Activity
    • Due or Released: SW Weakness assignment due Monday by class (see myCourses). Input handling project released.
    • Reading: CWE-759, Salting Guide

Week 9, 03/10-03/14
    • Lecture & Activities: Spring Break - No Classes

Week 10, 03/17-03/21
    • Lecture & Activities: Cryptography: authentication, public & symmetric keys, SSH, SSL, PGP, side-channel attacks
    • Vulnerability of the Day: Hashing without salt, poor PRNG seed protection, insecure PRNG algorithms
    • Due or Released: Input handling project (Parts 0, 1, 2) due Wednesday by class.
    • Reading: CWE-338, OAuth Spec

Week 11, 03/24-03/28
    • Lecture & Activities: Usability and Security; OAuth activity; Deployment & Distribution: patching; Activity: Case study recon (see Case Study)
    • Due or Released: Input Handling project, remaining parts (Parts 3, 4, 5); Case study released.
    • Reading: CWE-470

Week 12, 03/31-04/04
    • Lecture & Activities: Exam review; Insider Threat; Exam-2: Friday 04/04
    • Due or Released: Case study proposal due Wednesday by class.

Week 14, 04/14-04/18
    • Lecture & Activities: MitM attacks; Dependency & Supply Chain; Supply-chain attacks
    • Vulnerability of the Day: Cache poisoning, uncontrolled format string, compression bombs
    • Due or Released: Peer Review of Chapter 1 due Wednesday by class; Case study chapter 2 due Friday by class.
    • Reading: CAPEC-141, Video: DNS Cache Poisoning

Week 15, 04/21-04/25
    • Lecture & Activities: Cybersecurity policy & law; Case Study Presentations
    • Vulnerability of the Day: Dynamic library side-loading
    • Due or Released: Networking assignment (Port Scans / Wireshark) (see myCourses); Peer Review of Chapter 2 due Wednesday by class; Case study final version due Friday by class.
    • Reading: CWE-134, CWE-409, Compression Bombs

Week 16, 04/28
    • Lecture & Activities: Final Exam Review; Last Day
    • Due or Released: Networking assignment due Monday by class (see myCourses).

Final Exam
    • Date: Wednesday 05/07
    • Time: 08:00am-10:30am
    • Location: GOL-1650