

1. Course Overview
Engineering Secure Software
Last Revised: August 19, 2020
SWEN-331: Engineering Secure Software
Benjamin S. Meyers

2. In-Person Procedures
● When you enter/leave the classroom:
  ○ Grab a towel and wipe down your work station
● Masks must be worn at all times
● No food/drinks in the classroom
● Seating chart
  ○ Assigned seating

3. Logistics
● Instructor: Ben Meyers
  ○ Email: bxmvse@rit.edu
  ○ Office: N/A
  ○ Office Hours: Tuesday/Thursday 1:00PM-3:00PM via Zoom
● Course Assistant: Mihal Busho
  ○ Email: mb5185@rit.edu

4. Vulnerability of the Day (VOTD)
● About twice a week we will cover a different type of code-level vulnerability
  ○ Usually a demo
  ○ How to avoid, detect, and mitigate the issue
● Most VOTDs will link to the Common Weakness Enumeration (CWE)
  ○ http://cwe.mitre.org

5. In-Class Activities
● Most days, we will cover a tool or technique
● Many activities are interactive and collaborative in nature
  ○ … so attendance is necessary
● Activities are for learning
  ○ Formative feedback, not summative
  ○ Submitted on MyCourses; not always graded
  ○ Exams will have questions about these activities

6. Exams
● Three exams
  ○ Exam 1 with take-home portion
  ○ Exam 2 (not cumulative)
  ○ Final Exam (cumulative)
  ○ Exams 1 and 2 in MyCourses during class period
  ○ Final Exam in MyCourses during final exam period (TBD)
● Covers lecture material, VOTD, textbook, readings, and activities
● Exams are closed-book, closed-notes, closed-internet
  ○ I can’t stop you from cheating (especially if remote)
  ○ Exams designed to take full 50 minutes of class time

7. Fuzz Testing Project
● We will have one larger programming project
  ○ Build a tool for automated security testing
  ○ Web applications
  ○ Continuous Integration (CI) via GitLab
  ○ Individuals, no teams
● Goal:
  ○ How do we automate exploratory testing?
  ○ What can be automated easily, what cannot?

8. Case Study Project
● Choose a large software project to study
  ○ Source code must be available (> 10,000 SLOC)
  ○ Domain must have security risks
  ○ History of vulnerabilities must be available
  ○ Instructor approved
● Paper with chapters on:
  ○ Security risks of the domain
  ○ Design risks
  ○ Code inspection results
● Iterative paper writing
  ○ Multiple submissions
  ○ Graded on the content and how you react to my feedback

9. Reading Quizzes
● McGraw has a different approach and perspective worth seeing
● Quizzes will be:
  ○ Completed through MyCourses
  ○ On your own time
  ○ Open book
  ○ Multiple choice
  ○ Multiple attempts

10. Grading
● Exams (50%):
  ○ Exam 1: 15%
  ○ Exam 2: 15%
  ○ Final Exam: 20%
● Projects (30%):
  ○ Fuzzer: 20%
  ○ Case Study: 10%
● Activities (15%):
  ○ Port Scanning: 5%
  ○ Nmap: 5%
  ○ Software Weaknesses: 5%
● Reading Quizzes: 5%

Note (slide sidebar): Attendance is not required, but if you don’t show up/remote in, you can lose points for activities. If you don’t show up/remote in, you won’t learn as much.
