Course Calendar

IT 4903/6903/001   2008 Spring

Software Security

CRN    Course ID     CR    Days    Time              Room    Course Duration
3099   IT 4903/001   3.0   -M-W-   4:30pm – 5:45pm   J-131   01/14 – 05/01/2008
3100   IT 6903/001   3.0   -M-W-   4:30pm – 5:45pm   J-131   01/14 – 05/01/2008

Instructor: Dr.
Office: J-360
Phone / Fax: 678-915-3153
E-mail: clien@spsu.edu
Web URL: cse.spsu.edu/clien
Office Hours:
  Monday: 1:30pm – 4:30pm
  Wednesday: 1:30pm – 4:30pm

I will be in my office at many other times; to minimize possible inconvenience, please phone or e-mail to set up an appointment outside of the times listed above.

Course Hours

Monday and Wednesday, 4:30pm – 5:45pm

Textbook:

  • Richard Sinn, “Software Security Technologies: A Programmatic Approach”, Course Technology, 2007.

References:

  • James Whittaker, “How to Break Software: A Practical Guide to Testing”, Pearson, 2003.
  • Matt Bishop, “Introduction to Computer Security”, Addison Wesley, 2004. ISBN 0-321-24744-2.

Course Calendar (Spring 2008)

This calendar is tentative and subject to change when necessary. Changes will be announced in class and/or on the course web pages. (Note: This course calendar was created on December 17th, 2007, when this syllabus was written. Please check the course web sites for up-to-date calendar information.)

Week #1 (01/14 – 01/18)
  Topics / Notice: 01/14 First day of class; 01/14 – 01/17 Drop/Add Period; 01/17 Fee Payment Deadline; Introduction to Security Concepts
  Assignments / Project: Introduction to assignments, personal project

Week #2 (01/21 – 01/25)
  Topics / Notice: Introduction to Security Concepts; Encryption and decryption
  Assignments / Project: Preparation of presentation

Week #3 (01/28 – 02/01)
  Topics / Notice: Introduction to Security Concepts; Digital signature; Software Engineering and Security; Privacy protection
  Assignments / Project: Preparation of presentation

Week #4 (02/04 – 02/08)
  Topics / Notice: Software Engineering and Security; Security software development; Trust and Threat Models; Trust models
  Assignments / Project: Preparation of presentation

Week #5 (02/11 – 02/15)
  Topics / Notice: Trust and Threat Models; Attack patterns; Essential Public Key Infrastructure; Services; Structures
  Assignments / Project: Assignment#1: selected exercises from textbooks

Week #6 (02/18 – 02/22)
  Topics / Notice: Essential Public Key Infrastructure
  Assignments / Project: Topics of individual project determined

Week #7 (02/25 – 02/29)
  Topics / Notice: Test #1; Java Programming Security; JVM security
  Assignments / Project: Midterm Exam

Week #8 (03/03 – 03/07)
  Topics / Notice: Spring Break

Week #9 (03/10 – 03/14)
  Topics / Notice: Java Programming Security; JVM security
  Assignments / Project: Title presentation of individual project

Week #10 (03/17 – 03/21)
  Topics / Notice: Java Programming Security; Access control
  Assignments / Project: Title presentation of individual project

Week #11 (03/24 – 03/28)
  Topics / Notice: Java API-Level Security Feature; Java cryptography architecture
  Assignments / Project: Presentation of Assignment#1

Week #12 (03/31 – 04/04)
  Topics / Notice: Java API-Level Security Feature; Cryptography
  Assignments / Project: Presentation of Assignment#1

Week #13 (04/07 – 04/11)
  Topics / Notice: Authentication and Authorization with Java; JAAS authentication
  Assignments / Project: Topic of Assignment#2 due

Week #14 (04/14 – 04/18)
  Topics / Notice: Authentication and Authorization with Java; JAAS authorization
  Assignments / Project: 2nd presentation of individual project

Week #15 (04/21 – 04/25)
  Topics / Notice: Identity Management; Security in practice
  Assignments / Project: 2nd presentation of individual project

Week #16 (04/28 – 05/02)
  Topics / Notice: Test #2; Presentation and practice of individual project; 05/01 Last day of class
  Assignments / Project: Assignment#2 and final individual presentation; Prepare for the final exam

Course Outcomes:

Prerequisites: None. However, some programming experience will be beneficial for completing the assigned projects in this course.

Catalog Description:
Software security covers the techniques that assure software will continue to function correctly under malicious attack. Software security provides a foundation for information security in general. Software engineers and IT professionals need to understand how to build secure software. This course aims to provide the fundamentals by exploring software security best practices. We will explain why today's software is vulnerable to attack and survey the vulnerabilities that are common in software systems and applications. The proper design techniques and best practices for developing new applications that are inherently secure will be discussed. Moreover, this course will introduce how to embed security into the development lifecycle and how to implement a layered approach to application security. This course emphasizes hands-on practice, with a series of practical exercises that apply programming language techniques and tools to improve the security and trustworthiness of software products. Some real-world examples will be used to demonstrate the applicability of information assurance techniques.

Major Topics:
The topics of this course cover the security concerns of the software development phases: analysis, design, programming, and testing. Among them, hands-on programming of attacks and protections is emphasized. Students will be instructed in how to design and implement attacks against software, and protections for it, using tools or program code. Teams of students will be formed to play the roles of attacker and defender. For graduate students, additional reading and assignments will provide further insight into selected topics during the semester.

Course Objectives:
The course covers a wide range of skills for software security. On completion of this course, students should meet the training standard NSTISSI 4011 [1] at both the Awareness Level and the Performance Level:

  • Awareness Level: Develop a sensitivity to the threats and vulnerabilities of software systems; build a working knowledge of principles and practices in software security.
  • Performance Level: Identify the key areas of software security and how they work; acquire the skill and ability to apply and evaluate software security procedures and practices.

[1] http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf

Learning Outcomes:

  • Fundamentals: Understand the goals of software security, the threats to security, and the basic control mechanisms that address those threats.
  • Basic Cryptography: Understand how encryption works and how it is broken, including symmetric (secret key) encryption and asymmetric (public key) encryption.
  • Trust and Threat Models: Understand the importance of trust and threat models in secure software development.
  • Fault Models and Attack Patterns: Learn typical fault models and attack patterns, which are the best way to understand how software fails to be secure under real-world conditions.
  • Security Concerns during Software Development: Analyze the benefits of addressing security concerns throughout development so that software is built with security in.
  • Security Programming: Practice the implementation of software security in programming languages.
  • Skills of communication and cooperation: Communicate (in writing and verbally) about a complex technical topic simply and coherently, and work and interact collaboratively in groups to examine, understand and explain key aspects of software security.

Course Requirements:

What you need to take this course:

  1. Textbook: Richard Sinn, “Software Security Technologies: A Programmatic Approach”, Course Technology, 2007.
  2. Some assignments and project work require a computer with special software packages. If you do not own a computer, the computer labs on campus will be open during this semester.
  3. You must have a working SPSU e-mail account as required by WebCT Vista. Because of email viruses and spam, Prof. Wang does not accept emails from unknown sources. When you submit your course work through email, you must use the subject “IT 6903/4903” and type your full name in the message body, or the email may be ignored.
  4. You must check your email regularly throughout the semester. Official announcements will be made by email or in class.
  5. You are responsible for saving all assignments correctly so that you can turn them in electronically. All assignments require word processing or text editing software; no assignments will be accepted in handwritten form.

Academic Conduct:

SPSU values academic integrity. Therefore all students must understand the meaning and consequences of cheating, plagiarism and other academic offenses. Work submitted for this course must represent your own efforts. Copying assignments or tests, or allowing others to copy your work, will not be tolerated. Note that introducing syntactic changes into a copied program is still considered plagiarism. The grade for all involved parties for any course work (homework, assignment, project, programming, or test) will be zero where plagiarism is found.

Academic dishonesty is an extremely serious offense. All cases of academic dishonesty will be dealt with in accordance with the policies of the University as published in the Undergraduate Catalog and Graduate Student Handbook. Penalties may include expulsion from the University.

Assignments and Labs:

Assignments are individual work testing the understanding of the course materials. Students should complete their assignments independently and turn in their solutions on time, according to the assignment requirements.

Grading Plan:
  Individual project:   15%
  Assignments:          10%
  Tests:                70%
    - Test #1 (35%)
    - Test #2 (35%)
  Participation:         5%
  TOTAL:               100%

Important Note: I reserve the right to change this grading system as the course progresses and various circumstances develop. If a presentation of an assigned project is missed, the score of the related individual or team will be turned into an ‘F’ grade. The particular schedules of projects will be adjusted in class according to the responses of students. For every project, a final report should be submitted to the instructor as a zipped file.

Grading Scale:

  90.0 – 100%    A
  80.0 – 89.9%   B
  70.0 – 79.9%   C
  60.0 – 69.9%   D
  00.0 – 59.9%   F

Grade criteria:

  C: Attend class regularly, complete class work on time, and be prepared and active in class discussion.
  B: In addition to the above, demonstrate a substantial amount of critical effort: creative and productive writing, and respond to criticism by improving your work.
  A: In addition to the above, demonstrate excellence in all work: be recognizably a leader in the class, asking good questions, significantly teaching your peers, intriguing and exciting the class with your insights. Your speaking and writing demonstrate research ability far above the norm, creative approaches, careful reflection, and reliable implementation.
  D: Late work, frequent absences, superficial writing, reading, and speaking, little reflection about your audience, little effort to contribute in class.
  F: Late or incomplete work or project, no attempt to connect class information with anything else, frequent absences, superficial and ragged work.

Class Participation:

Class participation includes class attendance, contributions during class discussion, feedback/surveys, peer evaluation and sense of teamwork. Class participation will contribute up to 5% of your overall grade. Reasonable deadlines have been set to ensure that you have adequate time to complete all assignments within the current session. Active participation in this class is required.

You are responsible for all course work. Being absent does not excuse work from the stated due dates. In addition to attendance, there will be a contribution grade to encourage class discussion and sense of teamwork. You can earn up to 5% over the whole semester by

  • actively asking/answering questions
  • being a good team player
  • providing accurate feedback and peer evaluations

Coursework Submission:

(1) All the writing assignments (essays, surveys, term paper, etc.) should be prepared using Microsoft Word following the instructions below:

  • Write in your own words. Any quote must be enclosed in quotation marks and accompanied by a complete reference (author, publisher, source, date, URLs, etc.).
  • Submit your assignment through Turnitin.com if required by the instructor for an originality rating.
  • Use double space, 12-pt Times New Roman font.
  • Send your coursework via email to the instructor at clien@spsu.edu with a subject line as “IT6903/4903 Assignment #n” and include your full name in your message body. Please note that my email spam filter will drop any messages without this subject line.

(2) For lab exercise or hands-on practice:

  • You are encouraged to use your own laptop computer or home computer to complete the lab exercises. You may need to download some software to help you complete your lab exercises.
  • Follow the instructions of the assignment: some assignments may require submission of a zipped package, while others may ask you to submit program output, window captures, etc.

(3) For presentations, students should:

  • Prepare a PPT file on the topic you are assigned;
  • Arrange your presentation within the time limit.

Late Work:

All assignments and deliverables, including all project progress reports, source code, presentations, group reports, individual reports, homework assignments, surveys, feedback, and peer evaluations, are due by midnight, Eastern time, on the announced due date, unless specified otherwise.

Students are responsible for ensuring that their homework and coursework reach the instructor on time. You are encouraged to submit your coursework early to avoid unpredictable downtime of computers or network connections.

Makeup Work:

No makeup assignments or project work (reports or presentations) are allowed.

Makeup tests are possible. You must contact the instructor prior to the test to explain your reasons for being absent from the test. The instructor will decide whether a makeup test is allowed or not. If your application for a makeup test is accepted, the makeup test must in any case be done before the next scheduled class, unless you can provide official documents from the Student Health Service or from the Office of the Vice President for Academic Affairs for attending authorized and official University activities.

Students with Disabilities:

Students with disabilities who believe that they may need accommodations in this class are encouraged to contact the counselor working with disabilities at 678-915-3153 as soon as possible to better ensure that such accommodations are implemented in a timely fashion.

Course Web Sites:

Dr. Lien’s Web Server at cse.spsu.edu/clien

This server will be used as a supplement to the classroom teaching.

(A) If you are working on the SPSU campus (inside the SPSU firewall):

(B) If you are working outside the SPSU campus (outside the firewall):

    • Use your web browser to connect to connect.spsu.edu.
    • Login using your SPSU email account username and password.
    • Start a VPN Client Application session.
    • After your VPN client has connected, use your web browser to connect to cse.spsu.edu/clien.