CSSE 572 – Software Security (Writing Secure Code)
Spring 2008
Engr 304, TH 6:00-8:40pm
Instructor: Dr. Roshanak Roshandel
Office Hours: Thursdays 5:00-6:00pm or by appointment
Office: ENGR 507, Tel: (206) 296-5512
E-mail: roshanak@seattleu.edu
Textbook
· Security in Computing, Fourth Edition, Pfleeger and Pfleeger, (ISBN: 0-13-23-9077-9)
· Software Security: Building Security In, McGraw, (ISBN: 0-321-35670-5)
Topics
· The Security Problem, Introduction to Cryptography, Security in programs, databases, networks, and operating systems
· Software Dependability: Security, Reliability, and Safety
· Security and the Software Development Life Cycle
· Security Analysis (Worm, Virus, Physical leak, Root kits, viruses, Trojans, …)
· Common exploits
· Legal and ethical issues
· Emerging topics in software security
Tentative Schedule (subject to change)

Week 1 (4/3/2008)
Topic: Introduction to Security; Introduction to Cryptography; Introduction to Project
Readings: Pfleeger 1, 2
Presenters: Roshandel

Week 2 (4/10/2008)
Topic: Security and Software Engineering; Historical and Futuristic Perspectives; Open Source and Security
Readings:
· Pfleeger 3
· Software Engineering for Security: a Roadmap, Devanbu, Stubblebine, Future of Software Engineering Track, ICSE 2000.
· Increased Security through Open Source, Hoepman and Jacobs, Communications of the ACM, Volume 50, Issue 1 (January 2007).
Presenters: Roshandel, Vijay Singary, Fulya Mercan

Week 3 (4/17/2008)
Topic: Protection in OS, DBs, and Networks; Program Security (Viruses, malicious code, etc.)
Readings:
· Pfleeger 4, 5, 6
· Historical Perspective
· Testing Malware Detectors, M. Christodorescu and S. Jha, In Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’04), pages 34–44, Boston, MA, USA, July 11–14, 2004.
· Trust beyond security: An Expanded Trust Model, Hoffman J., Lawson-Jenkins K., Blum J., Communications of the ACM, Volume 49, Issue 7 (July 2006).
Presenters: Roshandel, Mohammad Alabdullah, Suresh Batta, Laura Nixon
Assignments: Project Proposals Due

Week 4 (4/24/2008)
Topic: Security and SDLC; Risk Management Process
Readings:
· McGraw 1, 2
· Towards a Structured Unified Process for Software Security, S. Ardi, D. Byers, N. Shahmehri, in Proceedings of the 2006 international workshop on Software engineering for secure systems, International Conference on Software Engineering, Shanghai, China, 2006.
· Toward Agile Security Assurance, K. Beznosov and P. Kruchten, in Proceedings of New Security Paradigm Workshop (NSPW'2004), White Point Beach, NS, 2004, ACM, pp. 47-54.
· Process Activities Supporting Security Principles, B. Koen, R. Scandariato, J. Wouter, Computer Software and Applications Conference, 2007. COMPSAC 2007 - Vol. 2. 31st Annual International, Volume 2, 24-27 July 2007.
Presenters: Roshandel, Hans Sebastian, Allison Bokone, Isaiah Paradise

Week 5 (5/1/2008)
Topic: Process and Requirements
Readings:
· McGraw 2, 8, 10
· Engineering Security Requirements, Donald G. Firesmith, Journal of Object Technology (Online at www.jot.fm), Vol. 2, No. 1, January-February 2003.
· Security Requirements in Service Oriented Architectures for Ubiquitous Computing, Cotroneo D., Graziano A., Russo S., Proceedings of the 2nd Workshop on Middleware for Pervasive and Ad-hoc Computing, 172 – 177.
· A framework for Security Requirements Engineering, Haley C., Moffett J.D., Laney R., Nuseibeh B., In proceedings of the international workshop on Software engineering for secure systems, ICSE 2006.
Presenters: Roshandel, Chinwe Okeke, Bikramjit Gill, Sapna Wason

Week 6 (5/8/2008)
Topic: Workshop + Guest Speaker
Assignments: Take home midterm; Project Progress Reports Due

Week 7 (5/15/2008)
Topic: Workshop + Guest Speaker
Readings:
· Title: Basic Reference Model for Security Architecture -- A historic review of a nascent industry
· Wikipedia page on X.509
· Data Communication Networks: Open Systems Interconnection (OSI); Security Structure and Applications (PDF)
· Requirements and Design workshop
Presenters: Banan

Week 8 (5/22/2008)
Topic: Architecture and Design; Security Patterns
Readings:
· McGraw 5
· A Secure Software Architecture Description Language, Ren J., Taylor R., In Proceedings of the Workshop on Software Security Assurance Tools, Techniques, and Metrics, Long Beach, California, USA, November 7-11, 2005.
· Matching Attack Patterns for Security Vulnerabilities in Software Intensive System Designs, Michael Gegick, Laurie Williams, Proceedings of the 2005 workshop on Software engineering for secure systems (SESS), ICSE 2005.
Presenters: Roshandel, Irwin Liem, Peter Walsh
Assignments: RMF – Team Assignment 1 due; RMF – Team Assignment 2 due

Week 9 (5/29/2008)
Topic: Implementation, Testing and Verification; Legal and Ethical issues; Emerging Topics
Readings:
· Pfleeger 11
· McGraw 4, 6, 7
· Protecting Mobile Code in the Wild, Zachary J.M., IEEE Internet Computing, vol. 7, no. 2, Mar./Apr. 2003, pp. 78–82.
· An Aspect-Oriented Approach to Security, Requirements Analysis. Dianxiang Xu, Vivek Goel, Kendall E. Nygard: COMPSAC 2006:79-82
· Web Application Security Assessment by Fault Injection and Behavior Monitoring, Huang et al., In Proceedings of WWW'2003, pp. 148~159.
· Model-based Security Analysis for Mobile Communications, An Industrial Application of UMLsec. Jürjens, J. Schreck, P. Bartmann, in proceedings of the 30th International Conference on Software Engineering (ICSE 2008), Leipzig, Germany, May 2008.
Presenters: Roshandel, Roshandel, Steve Lanehome, Tim Jackson, Jeremiah Weeden

Week 10 (6/5/2008)
Topic: Project Presentations

Final Exam Week
Assignments: SMF – Team Assignment 3 due

Course Requirements
Students are required to:
· Read assigned papers and other reading materials and propose two questions/discussion points for each paper every week
· Lead discussions on a particular topic introduced by assigned papers
· Participate in class discussions
· Complete a midterm exam
· Complete a group project
Grading Policy
· Homework and community-based Projects 20%
· Midterm Exam 20%
· Final Project 40%
· Presentations 15%
· Discussion question and class participation 5%
Attendance Policy
You are responsible for the materials covered in class, assignments announced and modified, and other changes to the schedule. There may also be quizzes and in-class assignments.
All take-home assignments and paper reviews are due before the start of class on the due date. No late submission will be accepted.
Class Format
Each week, we will focus on a specific set of topics. Student and instructor presentations, class discussions, and in-class assignments will be related to the topic. You are expected to read assigned materials (papers and textbook) in advance of the relevant class. You are required to read assigned papers and post 2 questions/discussion points for each paper every week on Angel by Tuesday (Noon). You may miss one week of questions without any penalty.
Each presenter must be prepared to respond to the questions and/or discuss the issues raised by the students.
You are encouraged to participate in various class activities, ask questions, discuss and test your ideas. You are also highly encouraged to ask questions either during office hours or by email.
There will be a single midterm exam and a final group project.
Academic Integrity
Plagiarism is the unacknowledged use of the work or intellectual property of other persons, published or unpublished, presented as one’s own work. All students are expected to work on all individual assignments independently. Collaboration on individual assignments is considered cheating and will be penalized accordingly. Other examples of behavior that is not tolerated in this class include copying all or part of someone else’s work and submitting it as your own, sharing your assignment solution with other students in the class, consulting with another student during an exam, and copying text from published literature without proper attribution. If you have questions about what is allowed, please discuss it with the instructor. All students are responsible for reading and following the