This course introduces a variety of topics on implementing secure software using different programming languages. The primary focus is given to design and development techniques used to avoid the most common software errors by using defensive coding techniques, managing resources securely, and creating secure interaction between components.
Textbook and other things you will need
- 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them by Howard, LeBlanc, and Viega. McGraw-Hill Education, 2009, ISBN 0071626751
- A Google account to access the Google Cloud Shell
- Access to a laptop computer that can be brought to class on a regular basis
- Instructor's web site available at http://www.cs.ccsu.edu/~stan/
- Course project document
- In-class code examples on GitHub
Course learning outcomes
Program educational objectives and student outcomes are supported by the following course learning outcomes achieved by students upon a successful completion of this course:
- Understand the basics of secure programming;
- Understand the most frequent programming errors leading to software vulnerabilities;
- Identify and analyze security problems in software;
- Understand and protect against security threats and software vulnerabilities;
- Effectively apply their knowledge to the construction of secure software systems.
Please take care of yourselves and your loved ones. Your physical and mental well-being is the most important thing. It has always been (or should have been) so, even before the current pandemic. Please email/message me to check in if I won’t see you or hear from you on a day we have class or an assignment is due.
Week 1: January 19-21
- Introduction: The Big Picture
Topic (C/C++): The Role of C/C++ in Computer Security
Week 2: January 24-28
- Topic (C/C++): Programming Review
- Topic (C/C++): Programming Review, cont.
Week 3: January 31 - February 4
- Topic (C/C++): Buffer Overruns
- Topic (C/C++): Format String Problems
Week 4: February 7-11
- Topic (C/C++): Integer Overflows
- Topic (C/C++): Integer Overflows, cont.
Homework assignment 1 is due
Week 5: February 14-18
- Topic (C/C++): C++ Catastrophes
- Topic (C/C++): C++ Catastrophes, cont.
Week 6: February 21-25
- Topic (C/C++): Catching Exceptions
- Topic (C/C++): Command Injection
Week 7: February 28 - March 4
- Topic (C/C++): Failure to Handle Errors Correctly
- Topic (C/C++): Information Leakage
Course project: Proposal is due
Week 8: March 7-11
- Topic (C/C++): Race Conditions
- Topic (C/C++): Poor Usability
Homework assignment 2 is due
Week 9: March 14-18
- Spring break
Week 10: March 21-25
- Topic (C/C++): Not Updating Easily
- Midterm exam
Week 11: March 28 - April 1
- Topic (C/C++): Executing Code with Too Much Privilege
- Topic (C/C++): Failure to Protect Stored Data
Week 12: April 4-8
- Topic (Crypto): Use of Weak Password-Based Systems
- Topic (Crypto): Weak Random Numbers
Week 13: April 11-15
- Topic (Crypto): Using Cryptography Incorrectly
- Topic (Web): SQL Injection
Homework assignment 3 is due
Week 14: April 18-22
- Student presentation (Web): Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting)
- Student presentation (Web): Client–Related Vulnerabilities (XSS)
Course project: Implementation is due
Week 15: April 25-29
- Student presentation (Web): Use of Magic URLs, Predictable Cookies, and Hidden Form Fields
- Student presentation (Net): Failing to Protect Network Traffic
Week 16: May 2-6
- Student presentation (Net): Improper Use of PKI, Especially SSL
- Student presentation (Net): Trusting Network Name Resolution
Course project: Analysis is due
Week of final exams
- Final exam: Tuesday, May 10, 1030-1230
Safety and contingencies
CCSU developed a blueprint outlining a number of important requirements and guidelines concerning the campus safely with regard to the pandemic. Specifically, masks must be worn at all times while we are in class--no exceptions.
In case the instructor becomes ill and can no longer attend classes, steps will be taken by the department to ensure consistent delivery of course content and enable students to complete the course during the scheduled timeframe. Adjustments may include moving the course to synchronous online, to asynchronous online, or keeping the course in its current format and assigning a new instructor to take over the class until the regular instructor can return. Each course is evaluated on a case-by-case basis as there are many factors to consider before making a transition from one-course format to another. If a course is unable to meet on-ground due to university requirements, then the department will follow university policies in place.
Midterm and final exams
Each test will focus on the most recent material. However, each test will very likely include some questions aimed at the material covered by the earlier test(s). Make-up tests may only be given if a student can provide a written proof of a serious reason for missing a test (such as illness or accident).
A project is the focal point of this course. Working in small teams, students will implement a secure and robust application that successfully addresses a number of vulnerabilities discussed in this course. All course project deliverables must be submitted using Blackboard in three separate increments.
Homework assignments are to be completed individually and submitted via Blackboard. Students will have at least one week to complete each homework assignment.
All students are expected to demonstrate integrity in the completion of their coursework. Academic integrity means doing one's own work and giving proper credit to the work and ideas of others. It is the responsibility of each student to become familiar with what constitutes academic dishonesty and plagiarism and to avoid all forms of cheating and plagiarism. Students who engage in plagiarism and other forms of academic misconduct will face academic and possibly disciplinary consequences. Academic sanctions can range from a reduced grade for the assignment to a failing grade for the course. From a disciplinary standpoint, an Academic Misconduct Report may be filed and a Faculty Hearing Board may impose sanctions such as probation, suspension or expulsion.
All students are expected to attend class sessions regularly. However, recognizing individual differences, each student is responsible for his/her own attendance and for making-up any missed study or work. Limited assistance will be offered to those with plausible reasons for absences; unexcused absences will result in the student being totally responsible for the make-up process.
Students with disabilities
Central Connecticut State University provides reasonable accommodations in accordance with the Americans with Disabilities Act and Section 504 of the Rehabilitation Act for students with documented disabilities on an individualized basis. If you are a student with a documented disability, and would like to request academic accommodations, you are encouraged to contact Student Disability Services (SDS) at 860-832-1952, or email email@example.com. Please visit the SDS website to download an Intake form and documentation requirements. Once approved, SDS suggests that students discuss their approved accommodations with their professors, as well as any other additional medical emergency needs. Temporary impairments may also qualify for accommodations. Please note that accommodations are not retroactive and must be requested each semester.
Here's a link to a document containing information about other policies and resources.
Grades and evaluation
Students will be evaluated regularly during the semester and should be aware of their progress continuously during the semester. The final course grade will be reported according to the stated University policy.
The final course grade will be calculated according to the following distribution of points:
|Homework assignments (3 x 5 pts each)||15|
Course letter grade will be determined as follows: