Development of Secure Software Systems (sec 010)

Course schedule overview

The scheduling and selection of lecture topics is subject to minor adjustment as the semester progresses, but the assignment and exam dates are not expected to change.

The "Lecture topic" links just link to the detailed information further down the page, so they may not seem to go anywhere if the detailed information is already visible in your window.

Date	Lecture topic	Assignments due
Tuesday 1/21	Logistics, intro to threat modeling
Thursday 1/23	Threat modeling diagrams
Tuesday 1/28	Threat modeling STRIDE
Thursday 1/30	Threat modeling and mitigation
Tuesday 2/ 4	Memory corruption 1	Homework 1
Thursday 2/ 6	Memory corruption 2
Tuesday 2/11	Mitigating memory corruption
Thursday 2/13	Defensive programming 1
Tuesday 2/18	Defensive programming 2	Homework 2
Thursday 2/20	Midterm 1 in class
Tuesday 2/25	OS security 1: overview, authentication
Thursday 2/27	OS security 2: access control
Tuesday 3/ 4	OS security 3: isolation and protection	Homework 3
Thursday 3/ 6	Network security 1: overview	Project 1 section draft
Tuesday 3/11	No class, spring break
Thursday 3/13	No class, spring break
Tuesday 3/18	Network security 2: attacks	Project part 1
Thursday 3/20	Network security 3: mitigations
Tuesday 3/25	Midterm 2 review	Homework 4
Thursday 3/27	Midterm 2 in class
Tuesday 4/ 1	Cryptography 1: primitives
Thursday 4/ 3	Cryptography 2: protocols and attacks
Tuesday 4/ 8	Cryptography 3: more protocols	Homework 5
Thursday 4/10	Web security 1
Tuesday 4/15	Web security 2	~~Project part 2~~
Thursday 4/17	Web security 3	Project part 2
Tuesday 4/22	Human factors 1
Thursday 4/24	Human factors 2
Tuesday 4/29	Human factors 3, responsible disclosure	Homework 6
Thursday 5/ 1	Final exam review (last lecture)
Monday 5/ 5		Project part 3
Saturday 5/10	Final exam, 4-6pm in 3-115 Keller

Detailed reading and lecture schedule

Tuesday, January 21st (8-up slides): Overview of course logistics, introduction to threat modeling.
Thursday, January 23rd (8-up slides): Threat modeling diagrams: data-flow and swimlane. Readings: Shostack, chapters 1-2.
Tuesday, January 28th (8-up slides, updated with announcements): Threat modeling threats with STRIDE. Reading: Shostack, chapter 3.
Thursday, January 30th (8-up slides, updated with announcements): From threat modeling to mitigation techniques. Reading: Shostack, chapters 4, 5, and 8.
Tuesday, February 4th (8-up slides, updated with reminders): Memory corruption attacks, part 1. Reading: Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade (IEEE version, some formatting issues) (local mirror of author's version), DISCEX 2000.
Thursday, February 6th (8-up slides, now with reminders): Memory corruption attacks part 2, attack strategies. No additional readings.
Tuesday, February 11th (8-up slides): Memory corruption attacks part 3, mitigations. Reading: David A. Wheeler, Secure Programming HOWTO, chapter 6.
Thursday, February 13th (8-up slides, updated with announcements): Defensive programming, part 1. Reading: David A. Wheeler, Secure Programming HOWTO, chapter 5, chapter 8, and chapter 9.
Tuesday, February 18th (8-up slides, now with announcements): Defensive programming, part 2. Reading: David A. Wheeler, Secure Programming HOWTO, chapter 7.
Tuesday, February 25th (8-up slides, updated): OS security 1, authentication. Reading: Shostack, chapter 14.
Thursday, February 27th (8-up slides, updated): OS security 2, access control. Reading: David A. Wheeler, Secure Programming HOWTO, chapter 3
Tuesday, March 4th (8-up slides, updated with reminders): OS security 3, isolation and protection. Reading: "Access Control", chapter 6 of Ross Anderson, Security Engineering, third edition.
Thursday, March 6th (8-up slides, updated with announcements): Network security: introduction to networks.
Tuesday, March 18th (8-up slides, updated with reminders): Network security: attacks against networks.
Thursday, March 20th (8-up slides): Network security: firewalls and intrusion detection.
Tuesday, March 25th (8-up slides): Network intrusion detection continued, and midterm 2 review.
Tuesday, April 1st (8-up slides, updated with announcements): Cryptography: primitives. Reading: Shostack chapter 16.
Thursday, April 3rd (8-up slides, updated with announcements): Cryptography: protocol-level attacks.
Tuesday, April 8th (8-up slides, updated to class): Cryptography: cryptography in network protocols.
Thursday, April 10th (8-up slides, updated with announcements): Web security part 1: basics and privacy. Reading: OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks. Follow one level of links to the pages about the 10 categories A01 through A10.
Tuesday, April 15th (8-up slides, updated with announcements): Web security part 2: SQL injection, XSS, CSRF. Reading: W3Schools SQL Injection overview.
Thursday, April 17th (8-up slides, updated with announcements): Web security part 3: spoofing, tampering, information disclosure. No additional readings.
Tuesday, April 22nd (8-up slides, updated with announcements): Human factors part 1: functionality and attacks. Reading: Shostack, chapter 15.
Thursday, April 24th (8-up slides, updated with announcements and DNSSEC): Human factors part 2: general best practices. Reading: "Psychology and Usability", chapter 3 of Ross Anderson, Security Engineering, third edition.
Tuesday, April 29th (8-up slides, updated with announcements): Human factors part 3: detailed suggestions; and responsible disclosure. No additional readings.
Thursday, May 1st (8-up slides, updated with announcements): Final exam review. No additional readings.