Course Overview Engineering Secure Software Last Revised: August - - PowerPoint PPT Presentation

SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S. Meyers

Course Overview

Engineering Secure Software

Last Revised: August 19, 2020

SLIDE 2

In-Person Procedures

  • When you enter/leave the classroom:
    ○ Grab a towel and wipe down your work station
  • Masks must be worn at all times
  • No food/drinks in the classroom
  • Seating chart
    ○ Assigned seating

SLIDE 3

Logistics

  • Instructor: Ben Meyers
    ○ Email: bxmvse@rit.edu
    ○ Office: N/A
    ○ Office Hours: Tuesday/Thursday 1:00PM-3:00PM via Zoom
  • Course Assistant: Mihal Busho
    ○ Email: mb5185@rit.edu

SLIDE 4

Vulnerability of the Day (VOTD)

  • About twice a week we will cover a different type of code-level vulnerability
    ○ Usually a demo
    ○ How to avoid, detect, and mitigate the issue
  • Most VOTDs will link to the Common Weakness Enumeration (CWE)
    ○ http://cwe.mitre.org

SLIDE 5

In-Class Activities

  • Most days, we will cover a tool or technique
  • Many activities are interactive and collaborative in nature
    ○ … so attendance is necessary
  • Activities are for learning
    ○ Formative feedback, not summative
    ○ Submitted on MyCourses; not always graded
    ○ Exams will have questions about these activities

SLIDE 6

Exams

  • Three exams
    ○ Exam 1 with take-home portion
    ○ Exam 2 (not cumulative)
    ○ Final Exam (cumulative)
    ○ Exams 1 and 2 in MyCourses during class period
    ○ Final Exam in MyCourses during final exam period (TBD)
  • Covers lecture material, VOTD, textbook, readings, and activities
  • Exams are closed-book, closed-notes, closed-internet
    ○ I can’t stop you from cheating (especially if remote)
    ○ Exams are designed to take the full 50 minutes of class time

SLIDE 7

Fuzz Testing Project

  • We will have one larger programming project
    ○ Build a tool for automated security testing
    ○ Web applications
    ○ Continuous Integration (CI) via GitLab
    ○ Individuals, no teams
  • Goal:
    ○ How do we automate exploratory testing?
    ○ What can be automated easily, what cannot?

SLIDE 8

Case Study Project

  • Choose a large software project to study
    ○ Source code must be available (> 10,000 SLOC)
    ○ Domain must have security risks
    ○ History of vulnerabilities must be available
    ○ Instructor approved
  • Paper with chapters on:
    ○ Security risks of the domain
    ○ Design risks
    ○ Code inspection results
  • Iterative paper writing
    ○ Multiple submissions
    ○ Graded on the content and how you react to my feedback

SLIDE 9

Reading Quizzes

  • McGraw has a different approach and perspective worth seeing
  • Quizzes will be:
    ○ Completed through MyCourses
    ○ On your own time
    ○ Open book
    ○ Multiple choice
    ○ Multiple attempts

SLIDE 10

Grading

  • Exams (50%):
    ○ Exam 1: 15%
    ○ Exam 2: 15%
    ○ Final Exam: 20%
  • Projects (30%):
    ○ Fuzzer: 20%
    ○ Case Study: 10%
  • Activities (15%):
    ○ Port Scanning: 5%
    ○ Nmap: 5%
    ○ Software Weaknesses: 5%
  • Reading Quizzes: 5%
  • Attendance is not required, but if you don’t show up/remote in, you can lose points for activities
    ○ If you don’t show up/remote in, you won’t learn as much