TAMU CSCE 689 - Syllabus

SYLLABUS

Course title and number: CSCE 489/689: Special Topics in Software Security
Term: Fall 2017
Meeting times and location: MWF 10:20am – 11:10am in HRBB 105

Instructor Information
Name: Philip Ritchey
Telephone number: (979) 458-1059
Email address: [email protected]
Office hours: MWF 8am – 9am, MW 4pm – 6pm, and by appointment
Office location: HRBB 326

Course Description and Prerequisites
Defects in software are sources of vulnerabilities, which in turn are the avenues attackers use to create and deploy exploits against software. Software defects occur along a continuum between the implementation level and the design level. Implementation defects, or bugs, are errors in the source code of software that can result in undefined or incorrect behavior. Design defects, or flaws, are errors in the architecture of software; software with a flaw will have vulnerabilities even when it is implemented exactly as designed. This course covers basic principles of design and implementation of defect-free software, code reviews including tool-assisted review by static and dynamic analysis, risk analysis and management, and methods for software security testing.

Prerequisites: CSCE 315 or approval of instructor.

Learning Outcomes
Students will be able to:
- list the first principles of security and explain why each is important to security and how it enables the development of security mechanisms that can implement desired security policies.
- identify specific principles that have been violated in common security failures.
- identify appropriate design principles to apply in a given software development scenario.
- explain the interaction between security and system usability and the importance of human-computer interfaces to system usability.
- explain the importance of secure software and the programming practices, development processes, and methodologies that lead to secure software.
- explain techniques for specifying program behavior, the classes of well-known defects, and how they manifest themselves in various languages.
- perform penetration testing on previously unknown software.
- analyze existing source code for functional correctness.
- analyze software for defects using industry-standard tools.
- develop test cases that demonstrate the existence of defects.
- develop defect-free software components that satisfy their functional requirements.

Textbooks
Required:
- 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. Howard, LeBlanc, Viega. ISBN-13: 978-0-07-162675-0.
- Software Security: Building Security In. McGraw. ISBN-13: 978-0-321-35670-3.
Recommended:
- Secure Coding in C and C++. Seacord, 2nd edition. ISBN-13: 978-0-321-82213-0.

Supplementary Material
- All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask). https://edmcman.github.io/papers/oakland10.pdf
- Avoiding the Top 10 Software Security Design Flaws. https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf
- Best Kept Secrets of Peer Code Review. http://smartbear.com/SmartBear/media/pdfs/best-kept-secrets-of-peer-code-review.pdf
- Build It, Break It, Fix It. https://builditbreakit.org
- Burp Suite. https://portswigger.net/burp/
- CERT Secure Coding Standards. https://www.securecoding.cert.org
- Coverity Scan. https://scan.coverity.com
- Crackstation. https://crackstation.net
- CWE/SANS Top 25 Most Dangerous Software Errors. https://www.sans.org/top25-software-errors
- Damn Vulnerable Web App. http://www.dvwa.co.uk
- IEEE Cybersecurity Initiative. http://cybersecurity.ieee.org/
- KLEE. https://klee.github.io
- List of Static Analysis Tools. https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- Microsoft Security Development Lifecycle. https://www.microsoft.com/sdl
- Microsoft Trustworthy Computing Security Development Lifecycle. https://msdn.microsoft.com/en-us/library/ms995349.aspx
- NIST Computer Security Resource Center. http://csrc.nist.gov
- Offensive Security. https://www.offensive-security.com
- Open Web Application Security Project (OWASP). https://www.owasp.org
- SANS Secure Coding Reading Room. https://www.sans.org/reading-room/whitepapers/securecode
- Secure Programming HOWTO. http://www.dwheeler.com/secure-programs
- Security Engineering: A Guide to Building Dependable Distributed Systems. https://www.cl.cam.ac.uk/~rja14/book.html
- Smashing the Stack for Fun and Profit. http://phrack.org/issues/49/14.html#article
- Symbolic Execution for Finding Bugs. https://www.cs.umd.edu/~mwh/se-tutorial/symbolic-exec.pdf
- The Protection of Information in Computer Systems. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1451869&isnumber=31196
- US-CERT – Build Security In. https://buildsecurityin.us-cert.gov
- Ware Report. http://www.rand.org/pubs/reports/R609-1/index2.html
- WebGoat. https://github.com/WebGoat/WebGoat/releases

489 Grading
Weight  Component      Date
10%     Participation  Weekly
30%     Homework       Tentative: 22 September, 20 October, 17 November
10%     Presentation   As a group, at least once during the semester
50%     Project        Tentative: 13 October, 27 October, 3 November

Final letter grades will be assigned according to the following cutoffs:
90 and above: A
80–89: B
70–79: C
60–69: D
Less than 60: F

689 Grading
Weight  Component           Date
30%     Homework            Tentative: 22 September, 20 October, 17 November
20%     Presentations       Twice during the semester
10%     Annotation Project  8 December
40%     Project             Tentative: 13 October, 27 October, 3 November

Final letter grades will be assigned according to the following ratings:
Superior: A
Satisfactory: B
Needs Improvement: C
Unsatisfactory: D
Did Not Participate: F

Students are expected to read and provide a written summary of an academic article during the course. They are also expected to give a 15-minute presentation on their selected paper to the class. Students enrolled in CSCE 689 are expected to do this twice.

The annotation project is an opportunity for students in CSCE 689 to explore a topic in software security in greater depth. Students will read a classic paper related to software security and annotate that paper to make it accessible to a broader audience. More specifically, the annotation will give an in-depth account of the historical context of the work, along with biographical accounts of the private lives of the author (or authors). The annotation should also help the reader understand the magnitude of the paper's impact on the field of security. Finally, where appropriate, the annotation should include personal thoughts.

Tentative