CSC 495/693 – Spring 2022 – Schedule

This is a “special topics” class, and since it is not a regular class it has never been offered like this before. Because of this, the exact schedule and timing are uncertain and subject to change. This list will be adjusted as the semester progresses, and at any given time the next two weeks should be pretty accurate.

Week 1: January 10 – January 14

Topics: Class introduction, security audits, bug bounties, exploit databases, ethics, and responsible disclosure
Handout: Syllabus
Reading:

Week 2: January 17 – January 21

Topics: A tour through the CWE Top 25 and OWASP Top 10
Reading: Familiarize yourself with the following

Week 3: January 24 – January 28

Topics: Memory safety vulnerabilities – Part 1

Week 4: January 31 – February 4

Topics: Memory safety vulnerabilities – Part 2

Week 5: February 7 – February 11

Topics: Other system security issues – integer overflow, permissions, …

Week 6: February 14 – February 18

Topics: Tools and testing – address sanitizer and fuzzing

Week 7: February 21 – February 25

Topics: Static analysis and symbolic execution

Week 8: February 28 – March 4

Tuesday: System-software security wrapup and review
Thursday: Mid-term Exam (tentative)

No class March 7 – March 11 (Spring Break)

Week 9: March 14 – March 18

Topic 1: Basic web application structure, threat model, and HTTP
Topic 2: HTTP servers, configurations, and cookies

Week 10: March 21 – March 25

Topic 1: Encryption/SSL overview and tool demo (ZAP and Burp Suite)
Topic 2: Same-origin policy, Content Security Policy, JavaScript, and XSS

Week 11: March 28 – April 1

Topic 1: Some server-side issues, and an overview of the OWASP Top 10, with “Broken Access Control”
Topic 2: More OWASP Top 10: Cryptographic Failures, Insecure Design

Note: Still tentative below here…

Week 12: April 4 – April 8

Topic: Injection, including Cross-site scripting, SQL injection, and OS command injection

Week 13: April 11 – April 15

Topic: Higher-level analysis techniques: Taint tracing, …

Week 14: April 18 – April 22

Topic: Advanced topics – TBD

Week 15: April 25 – April 27

Tuesday Topic: Class wrap-up and review
No class Thursday (Reading Day)

Final Exam

Tuesday, May 3, 3:30-6:30