USF Sarasota-Manatee
CIS 3615: Secure Software Development Spring 2014 Wednesdays 6:00 – 9:00 PM EST Instructor: John Collins Office: N/A
E-Mail: [email protected] Office Hours: By Appointment Canvas will be used in this class for all sessions. Group chat rooms, assignments,
announcements, etc. will be handled via this application and the tools listed on it. Classes are Asynchronous and students are not required to attend live classes but are required to view the classes. Students must attend the first class or they will be automatically dropped. COURSE DESCRIPTION AND PURPOSE:
Information is power. It also has value. Thus, there is an incentive for unscrupulous individuals to steal information. This course covers a number of different techniques to help developers to build enterprise-level systems that are secure and safe. The goal of this course is to provide students with the knowledge and skills to develop enterprise-level systems that are safer and more secure. The techniques presented here will increase the effort needed by hackers to successfully launch attacks on enterprise software applications.
COURSE LEARNING OUTCOMES: On completing this course, students will:
Understand vulnerability and the variety of possible attacks Be able to apply the Security Development Lifecycle Be able to construct secure UNIX/Linux-based programs Understand Networking and SOA-based Security Be able to implement Java Client-Side Security Be able to implement Mobile Application Security Be able to secure Web-Facing Applications Be able to implement Java Server-Side Security Be able to construct Secured Web Services TEXT AND MATERIALS:
(Required) Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software Systems. CRC Press, 2009 ISBN-13: 978-1-4200-8784-0.
(Required) Sunny Wear. Sunshine on Secure Software: Baking Security into your SDLC
Process. http://www.amazon.com/Sunshine-Secure-Software-Security-ebook/dp/B00CSWBL4W/ GRADING, EVALUATION AND ATTENDANCE POLICIES:
Student performance will be evaluated based on the practical assignments due. This is a hands on class and skills must be demonstrated.
A grade will be determined based on the total of possible points earned, as follows: A+ 97-100
A 93-96.9 A- 90-92.9 B+ 87-89.9
B 83-86.9 B- 80-82.9 C+ 77-79.9 C 73-76.9 C- 70-72.9 D+ 67-69.9 D 63-66.9 D- 60-62.9 F 0-59.9
Notice: permission to sell or redistribute notes or tapes of class lectures is forbidden. Do not replicate or pass along any items related to this course.
COP 3515 – Requirements and Program Design; COP 3601 – Systems Programming (Java EE)
COURSE SCHEDULE:
Week 1 (Jan 8)
Course Introduction
Readings to be done by start of lecture:
Talukder – Chapter 1, “Security in Software Systems”
Week 2
(Jan 15) Assignments due by end of class (10 points): * Setup an Eclipse IDE. Be sure to include - ProGuard
- FindBugs - EclEmma -Tomcat
If you are not able to attend the lab class email me a screenshot of your IDE, with the Help > About Eclipse. There should be a set of tool icons. Also attach a screen shot of the Tomcat server running. This is due before the conclusion of class.
Week 3 (Jan 22)
Readings to be done by start of lecture:
Talukder – Chapter 2, “Architecting Secure Software Systems” Readings to be done by start of lecture:
Talukder – Chapter 3, “ Constructing Secured and Safe C/UNIX Programs”
Week 4
(Jan 29) Readings to be done by start of lecture:
Week 5
(Feb 5) Assignments due by the conclusion of class (20 points):
* In Java, Create a class with a main method, which takes a String object, converts it to an integer and returns the result. Validate that the integer is between 1 to 10.
* Create unit tests for bounds testing. Be sure to check negative infinity, a large negative, a small negative, everything on and next to the low bounds, a midrange value, etc. Don't forget to use encoded, nonprintable, and character data in unit tests. What is notable about infinite numbers in Java?
* Use Eclipse and Provide a screen shot and analysis of Eclemma http://agile.csc.ncsu.edu/SEMaterials/tutorials/eclemma/
* Go find or make some poor code that causes results in FindBugs to generate results.
Week 6 (Feb 12)
Readings to be done by start of lecture: Talukder – Chapter 6, “Java Client-Side Security”
Week 7 (Feb 19)
Readings to be done by start of lecture:
Talukder – Chapter 7, “Security in Mobile Applications”
Week 8 (Feb 26)
Assignments due by the conclusion of class (20 points):
Research how to sign a JAR with jar signer (part of the JDK). Write up the instructions for deployment of a signed JAR. Explain why you would do this and look at any issues that users may encounter.
* Create an example of SQL Injection and Cross Site Scripting. Once you are done, encode the attacks using UTF-8 and URL encoding.
Week 9 (Mar 5)
Readings to be done by start of lecture:
Talukder – Chapter 8, “ Security in Web-Facing Applications”
Week 10 (Mar 12)
Spring Break No Class, next week's homework is somewhat involved. I recommend getting started soon.
Week 11 (Mar 19) *** LAST DAY TO DROP WITH A W IS MAR 22 2014 !!! ***
Assignments due by end of class (20 points):
The Servlet API states that Servlets are single threaded. Write a Servlet that demonstrates how improperly scoped variables can expose user data, test your code with 2 browser sessions to see if you can get one sessions data from the other. Submit the code and a screen shot.
Week 12 (Mar 26)
Readings to be done by start of lecture: Talukder – Chapter 9, “Server-Side Java Security”
Week 13
(Apr 2) Assignments due by end of class (10 points):
* Create a self signed certificate and add it to your Browser’s trust store, provide the instructions you used and a screen shot.
*Create a server certificate and configure the Web Server with it to allow for HTTPS. Include creation steps and provide all the instructions used. * Configure HTTPS SSL Client Authentication. Include a screen shot of the HTTPS connection to the server. Provide a screen shot of the 2 way SSL connection.
Week 14 (Apr 9)
Readings to be done by start of lecture:
Talukder – Chapter 10, “Constructing Secured Web Services”
Week 15
(Apr 16) Course Wrap-up and final assignments due by end of class (20 points): * Create a project that uses RBAC and a login page that uses a JDBC realm. Submit the deployment.
RELIGIOUS OBSERVANCES:
The University recognizes the right of students and faculty to observe major religious holidays. Students who anticipate the necessity of being absent from class for a major religious observance must provide notice of the date(s) to the instructor, in writing, by the second week of classes. http://generalcounsel.usf.edu/policies-and-procedures/pdfs/policy-10-045.pdf
DISABILITIES ACCOMMODATION:
Students are responsible for registering with the Office of Students with Disabilities Services (SDS) in order to receive academic accommodations. Reasonable notice must be given to the
SDS office (typically 5 working days) for accommodations to be arranged. It is the responsibility of the student to provide each instructor with a copy of the official Memo of Accommodation.
http://www.sarasota.usf.edu/Students/Disability/
Contact Information: Pat Lakey, Coordinator 941-359-4714 [email protected] ACADEMIC DISHONESTY:
The University considers any form of plagiarism or cheating on exams, projects, or papers to be unacceptable behavior. Please be sure to review the university’s policy in the catalog, USFSM Undergraduate Catalog or USFSM Graduate Catalog and the USF Student Code of Conduct. Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/ Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/ USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88
ACADEMIC DISRUPTION:
The University does not tolerate behavior that disrupts the learning process. The policy for addressing academic disruption is included with Academic Dishonesty in the catalog:, USFSM Undergraduate Catalog or USFSM Graduate Catalog and the USF Student Code of Conduct. Undergraduate: http://www.sarasota.usf.edu/Academics/Catalogs/
Graduate: http://www.sarasota.usf.edu/Academics/Catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88 CONTINGENCY PLANS:
In the event of an emergency, it may be necessary for USFSM to suspend normal operations. During this time, USFSM may opt to continue delivery of instruction through methods that include but are not limited to: CANVAS, Elluminate, Skype, and email messaging and/or an alternate schedule. It’s the responsibility of the student to monitor the class site for each class for course specific communication, and the main USFSM and College websites, emails, and MoBull
messages for important general information. The USF hotline at 1 (800) 992-4231 is updated with pre-recorded information during an emergency.
EMERGENCY PREPAREDNESS:
It is strongly recommended that you become familiar with the USF Sarasota-Manatee Emergency Action Plan on the Safety Preparedness site
http://www.sarasota.usf.edu/facilities/SafetyPreparedness.php FIRE ALARM INSTRUCTIONS:
At the beginning of each semester please note the emergency exit maps posted in each classroom. These signs are marked with the primary evacuation route (red) and secondary evacuation route (orange) in case the building needs to be evacuated.