
Information Technology

CIS 3615 Secure Software Development

Spring 2013

3 Credit Hours


University of South Florida – Sarasota/Manatee Course Syllabus – Spring 2013

(Revised: 1/6/13)

Instructor: John Collins

Office: N/A

E-Mail: johncollins@sar.usf.edu

Office Hours: By Appointment

Course Number: CIS 3615

Course Name: Secure Software Development

Course Description: Information is power. It also has value. Thus, there is an incentive for unscrupulous individuals to steal information. This course covers a number of different techniques to help developers to build enterprise-level systems that are secure and safe.

Instructor: Staff

Required Materials: Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software Systems. CRC Press, 2009 ISBN-13: 978-1-4200-8784-0.

Masoud Kalali, Glassfish Security. Packt Publishing, 2010 ISBN-13: 978-1-847199-38-6.

Prerequisites: COP 3515 – Requirements and Program Design; COP 3601 – Systems Programming (Java EE)

Course Goals: The goal of this course is to provide students with the knowledge and skills to develop enterprise-level systems that are safer and more secure. The techniques presented


programs

* Understand Networking and SOA-based Security
* Be able to implement Java Client-Side Security
* Be able to implement Mobile Application Security
* Be able to secure Web-Facing Applications
* Be able to implement Java Server-Side Security
* Be able to construct Secured Web Services

Attendance Policy: This course will be conducted entirely on-line. Students are expected to log in to each Elluminate session. The course moves through the material at a rapid pace, and each topic builds on the ones that preceded it. However, the online class sessions will be recorded and retained so that students may review the class material.

Performance Evaluation and Grading

Student performance will be evaluated based on exercises and assignments.

A grade will be determined based on the total of possible points earned, as follows:

A+  97-100
A   93-96.9
A-  90-92.9
B+  87-89.9
B   83-86.9
B-  80-82.9
C+  77-79.9
C   73-76.9
C-  70-72.9
D+  67-69.9
D   63-66.9
D-  60-62.9
F   0-59.9


Class Schedule: (Revised: 10/15/10)

Week 1 (Jan 9): Course Introduction

Readings:

Talukder – Chapter 1, “Security in Software Systems”

Week 2 (Jan 16)

Readings:

Talukder – Chapter 2, “Architecting Secure Software Systems”

Assignments Due:

* Set up an Eclipse IDE. Be sure to include these at the very least:

- a C/C++ compiler
- The CDT packages for your release (e.g. Juno)
- ProGuard
- FindBugs
- EclEmma
- SVN
- GlassFish Integration

* Upload a screenshot of your IDE showing the Help > About Eclipse dialog. There should be a set of tool icons.

Week 3 (Jan 23)

Readings:

Talukder – Chapter 3, “Constructing Secured and Safe C/UNIX Programs”


* Upload the Use Case diagram and a threat model from one of the abuse cases you provided.

* Get a debugger (http://www.ollydbg.de/ or equivalent) and attach it to a running binary. Take screenshots of the attached debugger performing functions including toggling a breakpoint, analyzing code, and viewing the call tree.

Week 4 (Jan 30)

Talukder – Chapter 4, “Constructing Secured Systems in .NET” is omitted purposely because we do not use .NET in any of our courses.

Readings:

Talukder – Chapter 5, “Networking and SOA-Based Security”

Assignments Due:

* Look at the code samples provided. Address any security concerns and fix the code where appropriate. Be sure your code compiles and runs.

Week 5 (Feb 6)

Readings:

Talukder – Chapter 6, “Java Client-Side Security”

Assignments Due:

* In Java, create a class with a main method and a private static method that takes a String object, converts it to an integer and returns the result. Validate that the integer is between 1 and 10. Create unit tests for bounds testing. Be sure to check negative infinity, a large negative, a small negative, everything on and next to the low bounds, a midrange value, etc. Don't forget to use encoded, nonprintable, and character data in the unit tests.

* Using Eclipse, provide a screenshot and analysis of EclEmma coverage results

http://agile.csc.ncsu.edu/SEMaterials/tutorials/eclemma/

* Find or write some poor code that causes FindBugs to generate results.
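A worked version of the bounds-checking assignment above, added here and not part of the course materials: the private static parser rejects anything that is not a plain ASCII decimal integer before converting, then checks the 1 to 10 range, and main drives the edge cases the assignment lists (class and method names, and the sample inputs, are constructed for this example).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class RangeValidator {
    // Strict ASCII shape check first: Integer.parseInt alone also accepts Unicode digits.
    private static final Pattern ASCII_INT = Pattern.compile("[+-]?[0-9]{1,10}");

    /** Converts s to an int and requires 1 <= value <= 10; rejects everything else. */
    private static int parseInRange(String s) {
        if (s == null || !ASCII_INT.matcher(s).matches()) {
            throw new IllegalArgumentException("not a plain decimal integer");
        }
        final int value;
        try {
            value = Integer.parseInt(s);  // ten digits can still overflow int
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("outside int range", e);
        }
        if (value < 1 || value > 10) {
            throw new IllegalArgumentException("outside 1..10: " + value);
        }
        return value;
    }

    // True when the input is accepted, so the cases below can be table-driven.
    static boolean accepts(String s) {
        try { parseInRange(s); return true; }
        catch (IllegalArgumentException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed bounds-testing cases: input -> expected acceptance
        Map<String, Boolean> cases = new LinkedHashMap<>();
        cases.put("-Infinity", false);              // negative infinity
        cases.put("-99999999999999999999", false);  // large negative
        cases.put("-1", false);                     // small negative
        cases.put("0", false);                      // just below low bound
        cases.put("1", true);                       // on low bound
        cases.put("2", true);                       // just above low bound
        cases.put("5", true);                       // midrange
        cases.put("10", true);                      // on high bound
        cases.put("11", false);                     // just above high bound
        cases.put("%31", false);                    // URL-encoded "1", not decoded here
        cases.put("1\u0000", false);                // nonprintable NUL appended
        cases.put("\u0661\u0660", false);           // Arabic-Indic "10": parseInt would accept it
        cases.put("five", false);                   // character data
        cases.forEach((in, want) -> System.out.printf("%-24s %s%n",
                in.replace("\u0000", "\\0"), accepts(in) == want ? "PASS" : "FAIL"));
    }
}
```

The regex is what makes the Arabic-Indic and NUL cases fail: `[0-9]` in Java matches only ASCII digits unless the UNICODE_CHARACTER_CLASS flag is set, whereas Integer.parseInt uses Character.digit and would happily return 10 for "\u0661\u0660".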


Week 6 (Feb 13)

Readings:

Talukder – Chapter 7, “Security in Mobile Applications”

Assignments Due:

Research how to sign a JAR with jarsigner (part of the JDK). Write up the instructions for deployment of a signed JAR. Explain why you would do this and look at any issues that users may encounter.

Week 7 (Feb 20)

Readings:

Talukder – Chapter 8, “Security in Web-Facing Applications”

Week 8 (Feb 27)

Readings:

Talukder – Chapter 9, “Server-Side Java Security”

* Create an example of SQL Injection and Cross Site Scripting. Once you are done, encode the attacks using UTF-8 and URL encoding.

Week 9 (Mar 6)

Readings:

Talukder – Chapter 10, “Constructing Secured Web Services”

Assignments Due:

The Servlet API states that Servlets are single threaded. Write a Servlet that demonstrates how improperly scoped variables can expose user data. Test your code with two browser sessions to see if you can get one session's data from the other. Submit the code and a screenshot.
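The shared-instance problem behind this assignment, as an added example that is not course material: a container creates one servlet instance and dispatches concurrent requests to it, so anything kept in an instance field is visible to every request in flight. The code below stands in for the container with two plain threads so it runs without Java EE; LeakyHandler, SafeHandler and the two user names are constructed for the demo.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

/** One handler instance serves many concurrent requests, as a container does with a servlet. */
public class ScopedStateDemo {
    interface Handler { String handle(String sessionUser); }

    /** Improperly scoped: per-request data kept in an instance field that every thread shares. */
    static final class LeakyHandler implements Handler {
        private String currentUser;                // shared across all in-flight requests
        public String handle(String sessionUser) {
            currentUser = sessionUser;
            Thread.yield();                        // another request may overwrite the field here
            return "Hello, " + currentUser;        // may greet the other session's user
        }
    }

    /** Properly scoped: per-request data lives in a local variable on the calling thread's stack. */
    static final class SafeHandler implements Handler {
        public String handle(String sessionUser) {
            String currentUser = sessionUser;      // private to this request
            Thread.yield();
            return "Hello, " + currentUser;
        }
    }

    /** Runs two "browser sessions" concurrently; returns how many responses carried the wrong user. */
    static int countLeaks(Handler h, int requestsPerSession) throws InterruptedException {
        String[] users = {"alice", "bob"};         // constructed session identities
        AtomicInteger leaks = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(users.length);
        CountDownLatch done = new CountDownLatch(users.length);
        for (String u : users) {
            pool.execute(() -> {
                for (int i = 0; i < requestsPerSession; i++) {
                    if (!h.handle(u).equals("Hello, " + u)) leaks.incrementAndGet();
                }
                done.countDown();
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int n = 200_000;
        System.out.println("leaky handler: " + countLeaks(new LeakyHandler(), n) + " wrong-user responses (typically nonzero)");
        System.out.println("safe handler:  " + countLeaks(new SafeHandler(), n) + " wrong-user responses (always 0)");
    }
}
```

In a real servlet the fix is the same as SafeHandler: keep request data in locals, request attributes or the HttpSession, never in fields of the servlet itself.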

Week 10 (Mar 13)

Spring Break: no class. Next week's homework is somewhat involved; I recommend getting started soon.


* Create a server certificate and configure the Web Server with it to allow for HTTPS. Include the CSR creation steps and provide all the instructions used.

* Create a Client certificate and load it in the Browser. Include a screen shot of the imported certificate.

* Configure HTTPS SSL Client Authentication. Include a screenshot of the HTTPS connection to the server. This may require you to set up RBAC and set up the deployment descriptor for a protected resource.

Week 12 (Mar 27)

Readings:

Kalali – Chapter 3, “Designing and Developing Secure Java EE Applications”

Chapter 4, “Securing Glassfish Environment”

Week 13 (Apr 3)

Readings:

Kalali – Chapter 5, “Securing Glassfish”

Chapter 6, “Introducing OpenDS: Open Source Directory Service”

Assignments Due:

* Create an EJB project that uses RBAC and a login page that uses a JDBC realm. Submit the EAR or WAR (your choice of deployment).

* Sign the code using the certificate you created in week 10.

* Write up a sample security/policy manager to allow your code to run in your container. Describe the configuration.

Week 14 (Apr 10)

Readings:

Kalali – Chapter 7, “OpenSSO: The Single Sign-On Solution”

Chapter 8, “Securing Java EE Applications Using OpenSSO”

Week 15 (Apr 17)

Readings:

Kalali – Chapter 9, “Securing Web Services by OpenSSO”


Religious Observances

The University recognizes the right of students and faculty to observe major religious holidays. Students who anticipate the necessity of being absent from class for a major religious observance must provide notice of the date(s) to the instructor, in writing, by the second week of classes.

http://generalcounsel.usf.edu/policies-and-procedures/pdfs/policy-10-045.pdf

Disabilities Accommodation

Students are responsible for registering with the Office of Students with Disabilities Services (SDS) in order to receive academic accommodations. Reasonable notice must be given to the SDS office (typically 5 working days) for accommodations to be arranged. It is the responsibility of the student to provide each instructor with a copy of the official Memo of Accommodation. www.sarasota.usf.edu/Students/Disability/

Contact Information: Pat Lakey, Coordinator 941-359-4714 plakey@sar.usf.edu

Academic Dishonesty

The University considers any form of plagiarism or cheating on exams, projects, or papers to be unacceptable behavior. Please be sure to review the university’s policy in the catalog, USFSM Undergraduate Catalog or USFSM Graduate Catalog and the USF Student Code of Conduct.

Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/

Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/

USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88

Academic Disruption

The University does not tolerate behavior that disrupts the learning process. The policy for addressing academic disruption is included with Academic Dishonesty in the catalog: USFSM Undergraduate Catalog or USFSM Graduate Catalog and the USF Student Code of Conduct.

Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/

Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/

USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88


Emergency Preparedness

It is strongly recommended that you become familiar with the USF Sarasota-Manatee Emergency Action Plan on the Safety Preparedness site:

http://www.sarasota.usf.edu/facilities/SafetyPreparedness.php

Fire Alarm Instructions

At the beginning of each semester please note the emergency exit maps posted in each classroom. These signs are marked with the primary evacuation route (red) and secondary evacuation route (orange) in case the building needs to be evacuated.
