Aug 23: Course Overview

Readings:

• Anderson (2nd edition), Chapter 1 especially the framework in section 1.2

Aug 24: SQL Injection

Readings:

• SQL Tutorial (if you don't know basic SQL)
• SQL Injection Attacks by Example. Steve Friedl

Aug 27: Cross-Site Scripting

Readings:

• HTTP Overview (if you don't know how HTTP works)
• DOM Reference (if you don't know what the DOM is)
• OWASP's XSS Prevention Cheat Sheet
• Google Code XSS overview
• An XSS Attack Archive
• Another XSS Attack Archive

Handouts:

• Javascript samples
• Attack handout

Aug 28: Request Forgery

Readings:

• CSRF Overview. Jesse Burns

Handouts:

• Case study questions from class

Aug 30: Clickjacking

Readings:

• Overview by Robert Hansen (SecTheory) & Jeremiah Grossman (WhiteHat Security)
• Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.
• The source version of the in-class example
• OWASP on Clickjacking

Aug 31: "Think Like a Thief" Day

Readings:

• Inside the Twisted Mind of the Security Professional. Bruce Schneier.

Handouts:

• Discussion Question

Sept 3: Labor Day Holiday (No Class)

Sept 4: Threat Modelling

Readings:

• Larry Osterman Blog--follow the first-sentence links.
• Uncover Security Design Flaws Using the STRIDE Approach. Shawn Herman and Scott Lambert and Tomasz Ostwald and Adam Shostack. (A tutorial with a different example than the one we did in class)
• Software [In]security: Software Security Top 10 Surprises. Gary McGraw, Brian Chess, Sammy Migues

Handouts:

• Literary Magazine Case Study
• Data Flow Diagrams for LitMag Threat Modeling

Sept 6-10: Cryptography

Readings:

• Wikipedia Overview
• Bruce Schneier's Cryptography links, includes essays and analyses of various algorithms and crypto techniques. His Applied Cryptography book is highly regarded.

Sept 11-13: Session Management

Readings:

• Secure Session Management With Cookies for Web Applications. Chris Palmer
• Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell

Sept 13-14: Authentication and Identity

Readings:

• The Laws of Identity. Kim Cameron
• Who Goes There? Authentication through the lens of privacy (chapter 5). National Academy of Sciences

Sept 14: Passwords

Readings: [Starred readings cover class material, others for interest/edification]

• **Our password hashing has no clothes by Troy Hunt
• **Why passwords have never been weaker—and crackers have never been stronger by Dan Goodin
• Lessons in website security anti-patterns by Tesco by Troy Hunt (lots of other clear articles under his "passwords" tag)

Contributions from the Class:

• xkcd on passwords (many recommendations)
• http://www.pctools.com/guides/password/
• Last Pass
• KeePass

Sept 17: Attacking C Code

Readings:

• Smashing the Stack for Fun and Profit. Aleph One
• Shellcoding for Linux and Windows Tutorial. Steve Hanna
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan, et al.
• Exploiting Format String Vulnerabilities.
• Hacking: The Art of Exploitation (code link on page). Jon Erickson
• GDB quick reference

Sept 18: Robust C Programming

Readings:

• Robust Programming. Matt Bishop

Sept 20: Access Control

Readings:

• XML Security: Control information access with XACML. Manish Verma

Handouts:

• Health record requirements example

Sept 21: Capabilities

Readings:

• What is a capability, anyway?. Jonathan Shapiro
• ACLs Don't. Tyler Close.
• Google Caja

Handouts:

• EHR authentication: Java examples

Sept 24-25: Usability

Readings:

• Why Johnny Can't Encrypt. Alma Whitten and Doug Tygar
• User Interaction Design for Secure Systems. Ka-Ping Yee
• You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Serge Egelman, Lorrie Faith Cranor, and Jason Hong.
• PhishGuru
• So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley

Sept 27: Social Engineering

Readings:

• How Apple and Amazon Security Flaws Led to My Epic Hacking. Mat Honan
• Cosmo, the Hacker ‘God’ Who Fell to Earth. Mat Honan
• The Ultimate Guide to Social Engineering. CSO Online

October 1: Network Security (Guest Lecture, Phil Deneault, WPI Chief Information Security Officer)

October 2: Security in the Cloud

Readings:

• Overview of Cloud Computing from NIST
• Amazon Web Services Security Overview
• Cloud Computing Guidance from the Cloud Security Alliance

October 4: Mobile Phone Application Security

Readings:

• Android Security Overview
• iOS Security Overview
• A Window into Mobile Device Security: Examining the security approaches employed in Apple's iOS and Google's Android, Carey Nachenberg

October 5: Security Models

Readings:

• Looking Back at the Bell-La Padula Model. David Elliott Bell, 2005.
• On Protection in Operating Systems. Harrison, Ruzzo, and Ullman, 1975.
• A Comparison of Commercial and Military Computer Security Policies. David Clark and David Wilson. 1987 IEEE Symposium on Research in Security and Privacy.