Syllabus for TCSS 483 A Su 22: Secure Coding Principles
TCSS 483: Secure Coding Principles
Summer 2022

Abbreviated Course Title: SECURE CODING PRINC
Credit Hours: 5 credits
Textbook (pdf provided): Howard, LeBlanc and Viega, 24 Deadly Sins of Software Security, Paperback ISBN: 978-0-07-162675-0

Course Description:
Covers how to code defensively so software is resistant to attack. Examines input validation tools and techniques, cryptography tools to secure sensitive data, how to mitigate common web-based attacks, defense against different types of injection attacks, threat modeling and assessment, and current trends and events in software security.

Additional Information:
Students will have the opportunity to work in teams to solidify course content. Teams will present on a security topic to the rest of the class. Students will gain invaluable skills that will serve as a foundation for the code written and the software developed in industry. Students will write defensive code and attack the code from other teams. Guest speakers with a security background will be a part of course lecture content.

Prerequisites: A minimum grade of 2.0 in TCSS 342. In addition, a minimum grade of 2.0 in TCSS 371 or permission from instructor.
Preconditions
- Basic understanding of memory addressing
- Correctly employ programming language features by reading and interpreting the associated published API documentation
- Utilize modern software engineering tools (e.g., IDEs, static checkers, unit testing frameworks, revision control systems) in a team environment

CSS Degree Student Learning Outcomes that this course contributes to
- Ability to analyze a problem, and identify and define the computing requirements appropriate to its solution
- Ability to design, implement and evaluate a computer-based system, process, component, or program to meet desired needs
- Ability to function effectively on teams to accomplish a common goal
- Understand professional, ethical and social responsibilities
- Recognition of the need for, and an ability to engage in, continuing professional development
- Ability to use current techniques, skills, and tools necessary for computing practice
- An ability to apply mathematical foundations, algorithmic principles, and computer science theory in the modeling and design of computer-based systems in a way that demonstrates comprehension of the tradeoffs involved in design choices

Course Learning Objectives: Students will be able to
- Use regular expressions to validate input
- Correctly defend against buffer overflow attacks
- Correctly defend against cross site scripting attacks
- Correctly defend against cross site request forgery attacks
- Properly salt, hash and store passwords
- Utilize symmetric and asymmetric key exchange to securely transmit data
- Categorize threats to a piece of software and analyze severity of those threats
- Correctly defend against SQL Injection
- Analyze code written by others and identify security flaws

ABET Student Outcomes (based on 2020-2021 Criteria for Accrediting Computing Programs):
(1) Analyze a complex computing problem and to apply principles of computing and other relevant disciplines to identify solutions.
(2) Design, implement, and evaluate a computing-based solution to meet a given set of computing requirements in the context of the program's discipline.
(5) Function effectively as a member or leader of a team engaged in activities appropriate to the program's discipline.

UWT Student Learning Goals that this course contributes to:
Inquiry and Critical Thinking: Students will acquire skills and familiarity with modes of inquiry and examination from diverse disciplinary perspectives, enabling them to access, interpret, analyze, quantitatively reason, and synthesize information critically.
Communication/Self-Expression: Students will gain experience with oral, written, symbolic and artistic forms of communication and the ability to communicate with diverse audiences. They will also have the opportunity to increase their understanding of communication through collaboration with others to solve problems or advance knowledge.

Instructor Info
Name: Tom Capaul
Email: tcapaul@uw.edu
Office: 206R Cherry Parkes
Office phone: N/A
Official Office hours: MW 12-1pm or M-F by appointment
Zoom link: https://washington.zoom.us/j/2384123092
Additional Office hours: Available by appointment M-F (email to set up a time). I am also available all days of the week via email. If you email me later in the evening you likely won't hear from me until the morning. In addition, if you email on the weekend you likely won't hear from me until Saturday or Sunday evening depending on what I have going on.
Course lecture Zoom link: https://washington.zoom.us/j/98241580454
- Mondays from 1-3:30pm: online synchronous lecture that will be recorded (so you do not have to attend lecture live if you cannot do so, but it is highly recommended that you do if you can).
- Wednesday lectures are in person, but will be recorded via Zoom.
- To view Zoom recordings, go to the Zoom link on Canvas, then choose the Cloud Recordings tab.

Grading:
- Homework Assignments (60%)
- Two Quizzes (15%)
- Final Project (25%)

Assignments: There will be at least two individual assignments and at least three team-based assignments. You should begin working on your assignment the day it is assigned. The description of each assignment will be posted on Canvas and it will be due at the time and date specified on Canvas.

Quizzes: There will be two quizzes, one at the end of week 4 and the other at the end of week 8. Information on quizzes will be distributed via Canvas Announcements and discussed in lecture.

Final project: Each team will write a paper and present its findings to the rest of the class on a current code security-related topic. The final week of class will be used for these presentations. The final paper and materials will be due at the end of week 9.

Assignments
Each homework assignment will have an indication of its points and its grading criteria (rubric). Homework will be individual as well as team-based. Some homework will have extra credit. Find complete assignment details and due dates on the Assignments page.

Grading

Grade Scale
The UW Tacoma numerical grading system will be used.
Here is a breakdown of grade point based on percentage earned by the student:

GRADE  SCORE   | GRADE  SCORE | GRADE  SCORE | GRADE  SCORE
4.0    98-100  | 3.4    89    | 2.4    79    | 1.4    69
3.9    95-97   | 3.3    88    | 2.3    78    | 1.3    68
3.8    93-94   | 3.2    87    | 2.2    77    | 1.2    67
3.7    92      | 3.1    86    | 2.1    76    | 1.1    66
3.6    91      | 3.0    85    | 2.0    75    | 1.0    65
3.5    90      | 2.9    84    | 1.9    74    | 0.9    64
               | 2.8    83    | 1.8    73    | 0.8    62-63
               | 2.7    82    | 1.7    72    | 0.7    61
               | 2.6    81    | 1.6    71    | 0.0    0-60
               | 2.5    80    | 1.5    70    |

Late Assignments
All assignments are due by 11:59PM on the labeled due date. Late assignments will be accepted up to 48 hours late -- after which they will not be accepted for points, but will count as turned in. A 10% penalty will be assessed for the 24-hour period the assignment is late. Please note that 1 minute late is the same as 23 hours 59 minutes late. Do not put yourself in a position where you are up against the 11:59PM deadline if at all possible. Set a mental deadline for yourself that is at least an hour before that to allow for internet connectivity and upload snafus/problems.

Make-up Work
No make-up work will be accepted unless under documented extreme circumstances. If you are having issues with the class, an assignment, or something else related to the course, contact the instructor ASAP to discuss whatever is at issue. Communicating with the instructor before something is due gives you a reasonable chance for extra time, depending on your circumstances. Communicating after the fact warrants far less flexibility on the part of the instructor. It is your grade, thus it is your job to take care of it.

Contesting Grades
If you do not understand or agree with a grade on an assignment, test, or exam, you must ask about the issue within one week after the grade is posted on Canvas. Send questions via email and I will consider the issue and give a quick response. Note that while a grader may be used for assignments, the instructor has the final say on all scoring. Come to the instructor with any grading questions.
General List of Topics
- The need for secure systems
- Principle of least privilege
- Self-reproducing programs: viruses, worms, trojans
- Buffer overflow: mechanics and defense
- Programming language inherent vulnerabilities (overflow conditions)
- Regular expressions
- SQL Injection
- Cross site scripting and request forgery
- Password security
- Symmetric and asymmetric key exchange
- Threat categorization and modeling
- Fuzz testing for vulnerability discovery
- Canonicalization and internationalization
- Code security resources (websites, papers, etc.)

Weekly List of Topics and Activities:

Week 1
Lecture topics
- The need for secure systems
- Principle of least privilege
- Basic vocabulary
- Self-reproducing programs: viruses, worms, trojans
Activities
- Team formation
- Team assignment: Quine (self-reproducing program)
Readings
- Paper: Ken Thompson, Reflections on Trusting Trust
- 24: Chapter 16
- Supplementary notes

Week 2
Lecture topics
- Buffer overflow
- Dangerous C functions
- Prevention (language tools, compiler and OS options)
- In class example
- Other overflow (array and integer)
- Examination of support (defense) in common programming languages
Activity
- Quine due
- Team assignment: Buffer overflow proof of concept exploit including payload to spawn shell
Readings
- 24: Chapters 5 and 7
- Paper: How gcc protects the stack
- Paper: Smashing the Stack for Fun and Profit by Aleph One
- Basic Integer Overflow: Phrack.org
- Supplementary notes on buffer overflow, integer overflow, and dangerous C functions

Week 3
Lecture topics
- Scrubbing input
- Regular expressions
- Data flow through applications
- Establishing trust boundaries
Activity
- Individual assignment: regular expressions to validate a variety of common data categories (email, url, etc.)
Readings
- Java Regular Expression Tutorial at Oracle
- Supplementary notes (regular expressions)
- Paper: Regex Cheat Sheet

Week 4
Lecture topics
- Password security
- Cryptographically secure random number generation
- Cryptographically secure hash functions
- Symmetric and asymmetric key exchange concepts and common algorithms, including those that are now considered broken (Diffie-Hellman, RSA, DES, AES, etc.)
Activity
- Buffer overflow exploit due
- Quiz 1
Readings
- 24: Chapters 19 and 20
- Supplementary notes on password security, how to safely generate random numbers, cryptographically secure hash functions, key exchange techniques
- Salted Password Hashing and How to Do It Right: codeproject.com
- RSA basics: Wikipedia.org

Week 5
Lecture topics
- Threat modeling with STRIDE
- Categorizing threat severity (DREAD and newer)
- Threat trees
- Information leakage
- Study guide/review for midterm
Activity
- Regular expression assignment due
- Team assignment: Build threat tree for existing app
Readings
- 24: Chapter 12
- Supplementary notes on STRIDE, DREAD, building threat trees

Week 6
Lecture topics
- General injection attacks
- SQL Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Deserialization dangers
Activity
- Midterm
- Threat tree assignment due
- Team assignment: Defensive coding assignment (C and language of choice)
Readings
- 24: Chapters 1, 2, 3, and 10
- Deserialization of Untrusted Data: owasp.org
- Web based attacks: owasp.org
- Supplementary notes on XSS, XSRF, SQL Injection

Week 7
Lecture topics
- Bug discovery
- Code coverage metrics
- Fuzz testing
- Ethics in code and software security: White hat, Grey hat, Black hat
Activity
- Team assignment: Security Topic choice for presentation
Readings
- Supplementary notes on fuzzing to find bugs, code coverage metrics and tools, American Fuzzy Lop fuzz testing tool
- Ethical hacking papers

Week 8
Lecture topics
- Canonicalization
- Internationalization
- Socket security concepts
Activity
- Defensive code assignment due
- Team assignment: Attack other teams' code from defensive coding assignment
- Quiz 2
Readings
- Supplementary notes on canonicalization, internationalization, socket security basics (very rudimentary ideas)
- 24: Chapters 22 and 23

Week 9
Lecture topics
- Review/catch up of earlier topics
Activity
- Team Security Topic Presentations

Preference for UW email:
Be aware that the UW email policy (http://www.tacoma.uw.edu/information-technology/uw-tacoma-email-policy) states that "Faculty and staff are not obligated to respond to students using non-UW email accounts." I may choose to respond to email from other sources, but it is also possible that email from other sources will be filtered as spam or that I will not respond for other reasons. I certainly will not discuss grades or anything else of a personal nature through email other than UW email (because I don't know if I am communicating with you or not). To assure that I receive and respond to your emails, please use your UW email address. Also, official announcements about this course will be sent to your UW email address, so check your UW email regularly.

Emailing Instructor Directly From Canvas (do not do this):
Please refrain from emailing me from Canvas if at all possible. Canvas does not cleanly maintain email threads, does not allow me to return/send files to you, and has other problems. While it is a little inconvenient, please use your UW email for all email communication. Ultimately this is for your own good. Thanks in advance for your help with this!

Attendance and Participation:
Students are encouraged to attend classes or arrange absences in advance. To aid the learning process, students are required to participate in class discussion. I will regularly ask questions in lecture. Please do your best to pay attention and answer where appropriate. While no specific grades are given for attendance and participation, please note that the more you attend and participate, the more I will get to know you.
This matters for many reasons:
- At quarter's end I will consider your attendance and participation positively for your final grade. More specifically, I may bump your grade up for enhancing our learning environment by participating.
- You will likely want references on your resume for internships and/or full time jobs. If you contribute to my class, I am typically happy to serve as a reference for you. Ditto with regards to letters of recommendation for internships, jobs, or even scholarships.
- Perhaps you would like to earn money by working as a lab assistant/tutor or a grader. If I know you I will consider/promote your ability as necessary for these roles.

Academic Integrity and Collaboration Policy:
Both the value and the success of any academic activity, as well as the entire academic enterprise, have depended for centuries on the fundamental principle of absolute honesty. Students assume full responsibility for the content and integrity of the academic work that they submit. Although students are encouraged to discuss ideas and analyses with others, individual written assignments must reflect only the individual's efforts. A complete list of Academic Standards is published in the University of Washington Tacoma Catalog. A student who violates Academic Standards for an assignment will receive no credit for that assignment. Review expectations, policies, and consequences at http://www.tacoma.uw.edu/node/38211.

Homework assignments must be completed individually (unless it is specified as a team assignment), must reflect your own understanding of course concepts, and be your own work. However, a limited amount of collaboration is permitted. You may collaborate by discussing the concepts pertinent to an assignment with others. You must not copy the work of others or allow others to copy your work, in full or in part, for any reason. In addition, you are expected to acknowledge those individuals with whom you discussed the homework by writing something like "I discussed this problem with XXX" in your assignment submission. If you wish to incorporate code written by others (for example, code samples from the Internet), you must first ask for permission from the instructor and then you must clearly document the source of the borrowed code in your submission. Failure to give proper credit for the ideas and/or work of others will result in severe grade penalties.

The following actions are acceptable:
- Contacting the instructor for help with, or clarification on, an assignment.
- Posting messages to the class discussion forum about parts of the assignment, without posting actual code.
- Discussing the assignment in general terms with other students, without sharing code or algorithmic details.
- Assisting another student with technical details (setting up the Java JDK, setting up an IDE, etc.).

The following actions are NOT acceptable:
- Sharing your homework solution with another student.
- Helping another student by "walking them through" how to solve the problem in detail.
- Coming up with a solution to an assignment together with another student.
- Discussing the algorithm for completing an assignment or large portions of an assignment in detail.
- Receiving source code from other students, the Internet, or other sources and submitting it as your own work. Note: this includes collaborating with students who have taken this course in previous quarters, as well as looking at solutions from previous quarters.
- Retrieving another student's solution from email, from their user account, or from a hardcopy printout, and using it as a basis for your own work.

If you are repeating this course, it is unacceptable for you to submit work that you did in a previous quarter. It will benefit you to start each assignment from scratch with a fresh mind and a new outlook.
When in doubt, ask the instructor whether a behavior violates the spirit and/or intent of this policy.

Instructor
The instructor is responsible for providing structure with regards to all course content. Expectations, deadlines, grading criteria, and availability should be made clear to students from the inception of the course. The instructor should be available during specified office hours as well as any scheduled appointments with the student. Grades should be returned in a timely fashion, typically within one week of the due date. Depending on class size and content of what is being graded, grading may take longer. If an assignment has content from a previous assignment that was not returned before the current assignment was due, and a student loses points on the previous assignment for that content, the student will not be held accountable for those points on the current assignment (in most cases). The instructor is here to guide and mentor students on not only course content, but also computer science and software development topics (both technical and soft skills). The instructor is here to educate you and help you grow as a student and as an individual. The instructor is not here to intimidate you or show you up -- please do the same for the instructor in this regard!

UW Policies and Expectations:
For inclement weather, academic honesty, email policy, disability support services, etc., please visit http://www.tacoma.uw.edu/teaching-learning-technology/e-syllabus-campus-information-resources-policies-expectations

Religious Accommodations
Washington state law requires that UW develop a policy for accommodation of student absences or significant hardship due to reasons of faith or conscience, or for organized religious activities. The UW's policy, including more information about how to request an accommodation, is available at Religious Accommodations Policy (https://registrar.washington.edu/staffandfaculty/religious-accommodationspolicy/). Accommodations must be requested within the first two weeks of this course using the Religious Accommodations Request form (https://registrar.washington.edu/students/religious-accommodationsrequest/).

Institute Support
Please maintain communication with the Institute advisors regarding your studies and notify them of any personal or learning struggles. It's important to reach out early. http://www.tacoma.uw.edu/institute-technology/academic-advising

Campus Support
http://www.tacoma.uw.edu/teaching-learning-technology/e-syllabus-campus-information-resources-policies-expectations

Resources
The e-Syllabus: Campus Information, Resources, Policies and Expectations
Assignments are weighted by group:

Group        Weight
Assignments  65%
Quizzes      15%
Project      20%
Total        100%