Department of Computer Science and Engineering
Monday, Wednesday 5:30 – 6:45 pm
Swearingen 1A20
Lectures
Date | Topic | Reading

January 9 | Intro. to Information Security
- CSCE 522 Information Security Principles, http://www.cse.sc.edu/~farkas/csce522-2011/csce522.htm

January 11 | Introduction to Software Security
- McGraw: Chapter 1
- Recommended: CyberInsecurity: The Cost of Monopoly, http://cryptome.org/cyberinsecurity.htm
- Current news (recommended):
  - Kelly Jackson Higgins, Dark Reading, SQL Injection Hack Infects 1 Million Web Pages, InformationWeek, January 5, 2012, http://www.informationweek.com/news/security/attacks/232301355
  - Gregg Keizer, Adobe plugs 6 critical holes in Reader, Computerworld, January 11, 2012, http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_in_Reader
  - Gregg Keizer, Microsoft patches critical Windows drive-by bug, Computerworld, January 10, 2012, http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Windows_drive_by_bug

January 16 | No classes

January 18 | Risk Management (Due: 01/25)
- McGraw: Chapter 2
- Recommended: Computer Security Incident Handling Guide

January 23 | Software Development Process
- Read only:
  - The Software Development Life Cycle (SDLC), http://www.shellmethod.com/refs/SDLC.pdf
  - Practical UML™: A Hands-On Introduction for Developers, http://dn.codegear.com/article/31863
- Recommended read:
  - J. Roman, Decade-Long Virus Infection Discovered, Bank Info Security, http://www.bankinfosecurity.com/articles.php?art_id=4418
  - Stratfor web site on the security breach at the end of 2011, http://www.stratfor.com/hacking-news

January 25 | Software Security Touchpoints
- McGraw: Chapter 3
- Recommended: Kromholz, Assurance – A Case for the V-Model, https://syst.eui.upm.es/conference/sv03/papers/V-Chart%20200309Kromholz08.ppt

January 30 | Code Review
- McGraw: Chapter 4
- Recommended: R. Berg, The Path to a Secure Application: A Source Code Security Review Checklist, http://www.ouncelabs.com/writable//resources/file/path_to_secure_application.pdf

February 1 | Architectural Risk Analysis
- McGraw: Chapter 5

February 6 | UML Security (pre-recorded lecture, no class)
- Required: Lodderstedt et al., SecureUML: A UML-Based Modeling Language for Model-Driven Security, http://kisogawa.inf.ethz.ch/WebBIB/publications-softech/papers/2002/0_secuml_uml2002.pdf
- Recommended:
  - Jan Jürjens, Towards Development of Secure Systems using UMLsec, http://citeseer.ist.psu.edu/536233.html
  - K. Alghathbar and D. Wijesekera, authUML: a three-phased framework to analyze access control specifications in use cases, http://portal.acm.org/citation.cfm?id=1035438

February 8 | No class (work on project)

February 13 | Misuse Cases
- McGraw: Chapter 8
- Required: I. Alexander, Misuse Cases: Use Cases with Hostile Intent, IEEE Software, vol. 20, no. 1, pp. 58-66, Jan./Feb. 2003, http://www.computer.org/portal/web/csdl/doi/10.1109/MS.2003.1159030
- Recommended:
  - Pauli and Xu, Misuse Case-Based Design and Analysis of Secure Software Architecture, http://cs.ndsu.edu/~dxu/publications/pauli-xu-ITCC05.pdf
  - Steven and Peterson, Defining Misuse within the Development Process, http://csdl.computer.org/dl/mags/sp/2006/06/j6081.pdf

February 15 | Software Reliability (Due: 02/22)
- Required: B. Littlewood, P. Popov, L. Strigini, "Modelling software design diversity - a review", ACM Computing Surveys, Vol. 33, No. 2, June 2001, pp. 177-208, http://portal.acm.org/citation.cfm?doid=384192.384195
- Recommended:
  - John C. Knight, Nancy G. Leveson, An Experimental Evaluation of the Assumption of Independence in Multi-Version Programming, http://sunnyday.mit.edu/papers/nver-tse.pdf
  - Nancy Leveson, The Role of Software in Spacecraft Accidents, AIAA Journal of Spacecraft and Rockets, Vol. 41, No. 4, July 2004

February 20 | Penetration Testing; Risk-Based Security Testing
- McGraw: Chapters 6, 7
- Required: Schneier on Security, http://schneier.com/blog/archives/2007/05/is_penetration.html

February 22 | Security Operations (Due: HW2)
- McGraw: Chapter 9
- Recommended: Proceedings of Workshop on Software Security Assurance Tools, Techniques, and Metrics, http://samate.nist.gov/docs/NIST_Special_Publication_500-265.pdf

February 27 | Taxonomy of Coding Errors
- McGraw: Chapter 12
- Required: P. Meunier, Classes of Vulnerabilities and Attacks, Wiley Handbook of Science and Technology for Homeland Security, http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf

February 29 | Summary; Test 1 review (Due: Proj. #5)

March 5, 7 | Spring Break

March 12 | National Standards (Due: Proj. #6)
- US National Security Agency: System Security Engineering CMM (SSE-CMM), http://www.sse-cmm.org/index.html
- Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx

March 14 | TEST 1

March 19 | Store and Protect Data Securely
- Howard et al., 19 Deadly Sins: Chapters 6, 13, 12, 11
- Howard et al., 24 Deadly Sins: Chapters 11, 12, 17, 19

March 21 | Failing to Handle Errors; Security Design Patterns
- Howard et al., 19 Deadly Sins: Chapters 6, 13, 12, 11
- Howard et al., 24 Deadly Sins: Chapters 11, 12, 17, 19
- Security Design Patterns, Black Hat Briefings, http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-peterson-up.pdf
- Recommended: Secure Design Patterns, Software Engineering Institute, Carnegie Mellon, www.cert.org/archive/pdf/09tr010.pdf

March 26 | Buffer Overruns; SQL Injection
- Howard et al., 19 Deadly Sins: Chapters 1, 4
- Howard et al., 24 Deadly Sins: Chapters 5, 1
- Recommended reading:
  1. Embry-Riddle Aeronautical University, College of Engineering in Prescott, online buffer overflow demo, http://nsfsecurity.pr.erau.edu/bom/index.html
  2. G. Hoglund and G. McGraw, Exploiting Software: How to Break Code, Chapter 7, Buffer Overflow, http://searchsecurity.techtarget.com/searchSecurity/downloads/ExploitingSoftware-Ch07.pdf

March 28 | Format String Problems; Integer Overflow
- Howard et al., 19 Deadly Sins: Chapters 2, 3
- Howard et al., 24 Deadly Sins: Chapters 6, 7
- Recommended reading:
  1. Common Weakness Enumeration Project, http://cwe.mitre.org/
  2. 2010 CWE/SANS Top 25 Most Dangerous Programming Errors, http://cwe.mitre.org/top25/index.html
  3. Open Web Application Security Project, http://www.owasp.org/index.php/Main_Page
  4. From CERT: https://www.securecoding.cert.org/confluence/download/attachments/3515/sd-west-integers-2up.pdf?version=1

April 2 | Web Application Security

April 4 | Web Server and Client Security; Review (Bonus homework due)
- Howard et al., 19 Deadly Sins: Chapters 1, 4
- Howard et al., 24 Deadly Sins: Chapters 2, 3, 4

April 9 | Class projects 1, 2
1. PASS, W. Reade, B. Miley, M. Zimmermann, R. Bowen
   - Question 1: Consider the application area of a university registrar that keeps personal information about the students. Group 1 members evaluated the privacy issues related to this application. Evaluate the reliability needs of the application and recommend a method to support this need. (Consider the Littlewood paper.)
   - Question 2: Describe an attack against the PASS application that was not described during the test but that an attacker may attempt. Recommend a mitigation strategy against this attack.
2. XSS, B. Stancel, B. Moore, M. Szarka

April 11 | Class projects 3, 4
3. Mobile Health, J. Benton, L. Gibbs, A. Stephenson
   - Question 1: Digital ecosystems have been shown to be promising for modeling the interactions among information system components. Consider the applicability of this approach to represent the security interactions among the mobile health system components, and rank the importance of the security requirements. For example, an application to support interaction about prescription information between a physician and a pharmacy will become successful if it guarantees integrity and availability, even at the cost of a loss of confidentiality.
   - Question 2: As ecosystems change, only those species that are capable of adapting to the changed environment survive. Explain how this aspect of biological ecosystems relates to the digital ecosystem, where the species are the computing industry, users, sellers, etc. For example, consider the survivability of mainframe computer manufacturers vs. manufacturers of mobile devices.
4. Android permissions, J. McCall, B. Alleman, W. Galloway
   - Question 1: Improper authorization is one of the main software security problems. Access control models allow both positive (permission) and negative (denial) access privileges to be expressed. Briefly explain the widely used Discretionary Access Control (DAC) model.
   - Question 2: Obtaining unneeded privileges is one of the main concerns when downloading applications to mobile devices. Consider the Discretionary Access Control (DAC) model extended with "need-to-know" restrictions. We can express application-level constraints by requiring that (1) each application inherits access privileges based on the trust level of the application developer, and (2) each application has "need-to-know" permissions based on the permissions required by similar applications. Would this approach be feasible for enhancing mobile device security? Why/why not?

April 16 | Class projects 5, 6 (NEW! The final project report due date is extended to April 25th)
5. Google Chrome Extensions, M. Nenov, T. Hussey, C. Hui: same questions as for group 4.
6. Software Security for Digital Ecosystems, C. Leonhardt, S. Strohmeier: same questions as for group 3.

April 18 | Class projects 7, 8
7. Static Analysis Tools, K. Denmark, W. Goss, R. Moyer
   - Question 1: What do false positive and false negative rates mean with respect to code review using a static analysis tool?
   - Question 2: Consider the scenario in which your supervisor asks you to evaluate the security of the application developed by your research group. After running a state-of-the-art static analysis tool on the application code and finding only minor problems, you declare the application safe. What is wrong with this scenario?
8. Password-based security, N. Lognworth, M. Shoppell, R. Brown
   - Question 1: Briefly describe three recommendations that application developers should follow when implementing password-based authentication.
   - Question 2: One of the common errors application developers make is storing passwords as an unencrypted file. Evaluate whether the proposed password management method, presented by the research group, is vulnerable to the same error. Why/why not?

April 23 | Class projects 9, 10; Final Exam Review
9. DRM Protected Audio Risk, B. Wells
   - Question 1: Show how to extend the security touchpoints to support DRM requirements.
   - Question 2: Consider DRM. Would you consider the legal requirements functional or non-functional requirements? Justify your answer.
10. Android Security, C. Le, E. Samson, M. Scofield: same questions as for group 4.

April 25, 5:30 – 7:30 pm, Room 2A15 | FINAL EXAM (NEW! Due: Proj. #9 – bring a hard copy of the final project report to the class!)