SE 431 - Software Security
(Spring 2020, Sections 1, 2, &3)
|Overview||Cheating & Collaboration||Grading Scheme||Textbook||Schedule|
Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions, and on identification of potential threats and vulnerabilities early in design cycle. Emphasizes methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.
Instructors: Ahmed Saleh Shatnawi
Instructor's Office Location: M2 L2
Instructor's Office Hours: Sunday: Monday: Tuesdays and Wednesday; anytime electronically; by appointment; after class
TA: Iqlema AlQuran (firstname.lastname@example.org )
Prerequisites: The course requires two courses SE 324 & CPE 200
All graded assignments must be your own work (your own words), but you may work with other people as
long as you list their names prominently on the first page of the assignment, and/or in a comment at the
top of the assignment, for example:
// Mohammad, Homework #6, SE 431
// I discussed this assignment with Mariam,
// and Amir. We looked at each other's design notes,
// but did not exchange the copies.
For this course, verbal communication and collaboration using non-code text or hand-written notes/code is permitted, as long as it is properly documented. Documentation must also be made for help from anyone not in the course, such as a tutor, friend, or relative, and for information off the Web.
Automatic copying of assignments (e.g. email, messaging, flash drive copies, printed hard copies, etc) is strictly forbidden. At the very least, you must write every word in your assignments. If you are unsure whether something is permitted, please check with me. If you turn in an assignment which is an electronic copy (or a minor variation of a copy) of other peoples work, then the source and people who give credit to the source will receive zero for the assignment, while those who do not give credit may be given an 'F' grade for the course. Do not send your assignment by email to other people!
Whether or not you have permission of the other person, submitting someone else's work as your own is plagiarism, a serious instance of academic misconduct. Everyone is responsible for learning the material themselves. Some of the assignments may be graded in person, especially in cases where the individual contribution to the assignment is not clear. If you are graded in person, you will be expected to demonstrate that you have mastered techniques used in the material you submitted.
Course letter grades will be assigned using JUST scale, unless we decide that this scale is too severe (in which case the scale will be adjusted).
Course percentage grades are broken down into the following categories
|Course Element||Fraction of Grade|
|Labs and Assignments||10 %|
|Midterm Exam||25 %|
|Final Exam||40 %|
Your Grades break down as follows:
- Quizzes:There will be a pop up quiz during lecture meetings. Quiz content will focus on material presented in lecture weeks prior. The lowest quiz score is dropped.
- Labs and Assignments:
There will be 7 or more Labs and assignments. No assignment grades are dropped, but students
wishing to replace their lowest assignment grade may attempt an optional assignment available at
the end of the semester.
Labs will cover the following topics:
- Buffer Overflow Vulnerability
- Format String Vulnerability
- Cross-Site Scripting Attack
- SQL Injection Attack
- Android Repackaging Attack
- Cross-Site Request Forgery Attack
- Cross-Site Scripting Attack
- SQL Injection Attack
- Project: I strongly encourage pairs. You will be graded in person, you will be expected to demonstrate that you have mastered techniques used in the project you submitted.
- Exams: You will be graded in person, you will be expected to demonstrate that you have mastered techniques used in the project you submitted have two exams and one cumulative final (with a strong emphasis on the materials covered after the midterm). Exams will take place during regular exam's period. Exam week lectures will be replaced by an ad-hoc review (you should come prepared with questions, or at the very least a vague sense of wonder).
Late homework will not be accepted.
Quizzes missed due to unforeseen and extreme circumstances may be made up within the same week during my office hours. Keep in mind that one quiz grade may be dropped.
The university has a responsibility to promote academic honesty and integrity and to develop procedures to deal effectively with instances of academic dishonesty. Students are responsible for the honest completion and representation of their work, for the appropriate citation of sources, and for respect of others' academic endeavors. A more detailed description of Student Academic Disciplinary Procedures may be found at this link.
If, due to a disability, you need special accommodations in order to meet any of the requirements of this course, you should contact me as soon as possible.
Phone calls, text messages, instant messages, email, and web surfing are highly disruptive to other students and hence not allowed during class time. Technology devices may only be used for the class purposes (e.g. following slides) Violators will be asked to leave the room. If you anticipate a call that you simply have to take (yes, that happens), please sit near the door, put your phone on vibrate, and leave quietly at the appropriate time. If you are disrupted by another student's violation of this policy, please bring the matter to my attention.
Required Textbooks: We will be using the textbook
- Computer Security: Principles and Practice, 4th Edition, by William Stallingsa and Lawrie Brown, Pearson, Dec 12, 2017. ( link), ISBN-13: 978-1292220611 ISBN-10: 1292220619.
- Security in Computing, 5th Edition, by Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies, Prentice Hall, Jan 14, 2015. ( link), ISBN-13: 978-0134085043 ISBN-10: 9780134085043.
This course outline is a "living document". It can be changed in response to events in the course. You'll be notified if major changes are made.
This version was last changed on April 24,2020.
The table below shows the schedule of readings and online lectures for the course.
|Weeks #||Topics||Handouts||Assignments & Quizzes||Videos||Resources|
|Week 1||Syllabus/ What to Expect|
|Week 3 & 4||Cryptography||Lab1|
|Week 5||Message Authentication||Quiz1|
|Week 6|| Digital Certificates
HTTPS & MITM attack
|Week 7||User Authentication|| Assignment1
|Week 8||User Authentication|| Lab2
|Midterm Examination (Date updated to account for COVID-19 closures)|
|Week 10 & 11||Access Controls|
|Week 12 & 13||Malicious Software|| Quiz4
|Week 14 & 15||Web Application Security|
|Week 16||Final project's discussion|
|Final Examination Period ( Date updated to account for COVID-19 closures)|
I welcome your feedback about the class (content, pace, organization) and about any other aspect of the course (lectures, tests, grading, etc.).