Information Technology
CIS 3615
Secure Software Development
Spring 2013
3 Credit Hours
University of South Florida – Sarasota/Manatee Course Syllabus – Spring 2013
(Revised: 1/6/13)
Instructor: John Collins
Office: N/A
E-Mail: johncollins@sar.usf.edu
Office Hours: By Appointment
Course Number: CIS 3615
Course Name: Secure Software Development
Course Description: Information is power. It also has value. Thus, there is an incentive for unscrupulous individuals to steal information. This course covers a number of different techniques to help developers build enterprise-level systems that are secure and safe.
Instructor: Staff
Required Materials:
Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software Systems. CRC Press, 2009. ISBN-13: 978-1-4200-8784-0.
Masoud Kalali, Glassfish Security. Packt Publishing, 2010. ISBN-13: 978-1-847199-38-6.
Prerequisites: COP 3515 – Requirements and Program Design; COP 3601 – Systems Programming (Java EE)
Course Goals: The goal of this course is to provide students with the knowledge and skills to develop enterprise-level systems that are safer and more secure. The techniques presented
programs
* Understand Networking and SOA-based Security
* Be able to implement Java Client-Side Security
* Be able to implement Mobile Application Security
* Be able to secure Web-Facing Applications
* Be able to implement Java Server-Side Security
* Be able to construct Secured Web Services
Attendance Policy: This course will be conducted entirely on-line. Students are expected to log in to each Elluminate session. The course moves through the material at a rapid pace, and each topic builds on the ones that preceded it. However, the online class sessions will be recorded and retained so that students may review the class material.
Performance Evaluation and Grading
Student performance will be evaluated based on exercises and assignments.
A grade will be determined based on the total of possible points earned, as follows:
A+ 97-100
A 93-96.9
A- 90-92.9
B+ 87-89.9
B 83-86.9
B- 80-82.9
C+ 77-79.9
C 73-76.9
C- 70-72.9
D+ 67-69.9
D 63-66.9
D- 60-62.9
F 0-59.9
Class Schedule: (Revised: 10/15/10)
Date Topic
Week 1 (Jan 9) Course Introduction
Readings:
Talukder – Chapter 1, “Security in Software Systems”
Week 2 (Jan 16)
Readings:
Talukder – Chapter 2, “Architecting Secure Software Systems”
Assignments Due:
* Set up an Eclipse IDE. Be sure to include these at the very least:
- a C/C++ compiler
- The CDT packages for your release (e.g. Juno)
- ProGuard
- FindBugs
- EclEmma
- SVN
- GlassFish Integration
* Upload a screenshot of your IDE, with the Help > About Eclipse. There should be a set of tool icons.
Week 3 (Jan 23)
Readings:
Talukder – Chapter 3, “Constructing Secured and Safe C/UNIX Programs”
* Upload the Use Case diagram and a threat model from one of the abuse cases you provided.
* Get a debugger (http://www.ollydbg.de/ or equivalent) and attach it to a running binary.
Take screen shots of the debugger after it is attached to a running program, showing functions including toggling a breakpoint, analyzing code, and viewing the call tree.
Week 4 (Jan 30)
Talukder – Chapter 4, “Constructing Secured Systems in .NET” is omitted purposely because we do not use .NET in any of our courses.
Readings:
Talukder – Chapter 5, “Networking and SOA-Based Security”
Assignments Due:
* Look at the code samples provided. Address any security concerns and fix the code where appropriate. Be sure your code compiles and runs.
Week 5 (Feb 6)
Readings:
Talukder – Chapter 6, “Java Client-Side Security”
Assignments Due:
* In Java, create a class with a main method and a private static method that takes a String object, converts it to an integer and returns the result. Validate that the integer is between 1 and 10.
Create unit tests for bounds testing. Be sure to check negative infinity, a large negative, a small negative, everything on and next to the low bounds, a midrange value, etc. Don't forget to use encoded, nonprintable, and character data in unit tests.
* Use Eclipse and provide a screen shot and analysis of EclEmma:
http://agile.csc.ncsu.edu/SEMaterials/tutorials/eclemma/
* Find or write some poor code that causes FindBugs to generate results.
Week 6 (Feb 13)
Readings:
Talukder – Chapter 7, “Security in Mobile Applications”
Assignments Due:
Research how to sign a JAR with jarsigner (part of the JDK). Write up the instructions for deployment of a signed JAR. Explain why you would do this and look at any issues that users may encounter.
Week 7 (Feb 20)
Readings:
Talukder – Chapter 8, “Security in Web-Facing Applications”
Week 8 (Feb 27)
Readings:
Talukder – Chapter 9, “Server-Side Java Security”
* Create an example of SQL Injection and Cross Site Scripting. Once you are done, encode the attacks using UTF-8 and URL encoding.
Week 9 (Mar 6)
Readings:
Talukder – Chapter 10, “Constructing Secured Web Services”
Assignments Due:
The Servlet API states that Servlets are single threaded. Write a Servlet that demonstrates how improperly scoped variables can expose user data. Test your code with 2 browser sessions to see if you can get one session's data from the other. Submit the code and a screen shot.
Week 10 (Mar 13)
Spring Break: No Class. Next week's homework is somewhat involved. I recommend getting started soon.
* Create a server certificate and configure the Web Server with it to allow for HTTPS. Include the CSR creation steps and provide all the instructions used.
* Create a Client certificate and load it in the Browser. Include a screen shot of the imported certificate.
* Configure HTTPS SSL Client Authentication. Include a screen shot of the HTTPS connection to the server. This may require you to set up RBAC and set up the deployment descriptor for a protected resource.
Week 12 (Mar 27)
Readings:
Kalali – Chapter 3, “Designing and Developing Secure Java EE Applications”
Chapter 4, “Securing Glassfish Environment”
Week 13 (Apr 3)
Readings:
Kalali – Chapter 5, “Securing Glassfish”
Chapter 6, “Introducing OpenDS: Open Source Directory Service”
Assignments Due:
* Create an EJB project that uses RBAC and a login page that uses a JDBC realm. Submit the EAR or WAR (your choice of deployment)
* Sign the code using the certificate you created in week 10
* Write up a sample security/policy manager to allow your code to run in your container. Describe the configuration.
Week 14 (Apr 10)
Readings:
Kalali – Chapter 7, “OpenSSO: The Single Sign-On Solution”
Chapter 8, “Securing Java EE Applications Using OpenSSO”
Week 15 (Apr 17)
Readings:
Kalali – Chapter 9, “Securing Web Services by OpenSSO”
Religious Observances
The University recognizes the right of students and faculty to observe major religious holidays. Students who anticipate the necessity of being absent from class for a major religious observance must provide notice of the date(s) to the instructor, in writing, by the second week of classes.
http://generalcounsel.usf.edu/policies-and-procedures/pdfs/policy-10-045.pdf
Disabilities Accommodation
Students are responsible for registering with the Office of Students with Disabilities Services (SDS) in order to receive academic accommodations. Reasonable notice must be given to the SDS office (typically 5 working days) for accommodations to be arranged. It is the responsibility of the student to provide each instructor with a copy of the official Memo of Accommodation.
www.sarasota.usf.edu/Students/Disability/
Contact Information: Pat Lakey, Coordinator 941-359-4714 plakey@sar.usf.edu
Academic Dishonesty
The University considers any form of plagiarism or cheating on exams, projects, or papers to be unacceptable behavior. Please be sure to review the university’s policy in the catalog (USFSM Undergraduate Catalog or USFSM Graduate Catalog) and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/
Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88
Academic Disruption
The University does not tolerate behavior that disrupts the learning process. The policy for addressing academic disruption is included with Academic Dishonesty in the catalog (USFSM Undergraduate Catalog or USFSM Graduate Catalog) and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/
Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88
Emergency Preparedness
It is strongly recommended that you become familiar with the USF Sarasota-Manatee Emergency Action Plan on the Safety Preparedness site
http://www.sarasota.usf.edu/facilities/SafetyPreparedness.php
Fire Alarm Instructions
At the beginning of each semester please note the emergency exit maps posted in each classroom. These signs are marked with the primary evacuation route (red) and secondary evacuation route (orange) in case the building needs to be evacuated.