Aug 26: Course Overview

Aug 27: SQL Injection

Readings:

• SQL Tutorial (if you don't know basic SQL)
• SQL Injection Attacks by Example. Steve Friedl

Aug 30: Cross-Site Scripting

Readings:

• HTTP Overview. (if you don't know how HTTP works)
• DOM Reference. (if you don't know what the DOM is)
• An XSS Attack Archive.
• Another XSS Attack Archive.
• OWASP's XSS Prevention Cheat Sheet

Aug 31: Request Forgery

Readings:

• CSRF Overview. Jesse Burns

Sept 2: Clickjacking

Readings:

• Overview by Robert Hansen (SecTheory) & Jeremiah Grossman (WhiteHat Security)
• Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.

Sept 3: Session Management

Readings:

• Secure Session Management With Cookies for Web Applications. Chris Palmer
• Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell

Sept 6-7: Authentication and Identity

Readings:

• The Laws of Identity. Kim Cameron
• Who Goes There? Authentication through the lens of privacy (chapter 5). National Academy of Sciences

Sept 9: Access Control

Readings:

• XML Security: Control information access with XACML. Manish Verma

Sept 10: Capabilities

Readings:

• What is a capability, anyway?. Jonathan Shapiro
• ACLs Don't. Tyler Close.
• Google Caja

Sept 13: Threat Modelling

Readings:

• Larry Osterman Blog--follow the first-sentence links.
• Uncover Security Design Flaws Using the STRIDE Approach. Shawn Herman and Scott Lambert and Tomasz Ostwald and Adam Shostack. (This is the tutorial we followed for lecture today)
• Software [In]security: Software Security Top 10 Surprises. Gary McGraw, Brian Chess, Sammy Migues

Sept 14: Case Study Presentations

Sept 16-17: Usability

Readings:

• Why Johnny Can't Encrypt. Alma Whitten and Doug Tygar
• User Interaction Design for Secure Systems. Ka-Ping Yee
• You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Serge Egelman, Lorrie Faith Cranor, and Jason Hong.
• PhishGuru
• So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley

Sept 20-21: Case Study Presentations

Sept 23: Cryptography

Readings:

• Wikipedia Overview
• Bruce Schneier's Cryptography links, includes essays and analyses of various algorithms and crypto techniques. His Applied Cryptography book is highly regarded.

Sept 24: Protocol Analysis (Professor Guttman Guest Lecture)

Sept 27-28: Case Study Presentations

Sept 30: Attacking C Code

Readings:

• Smashing the Stack for Fun and Profit. Aleph One
• Shellcoding for Linux and Windows Tutorial. Steve Hanna
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan, et al.
• Exploiting Format String Vulnerabilities.
• Hacking: The Art of Exploitation (code link on page). Jon Erickson
• GDB quick reference

Oct 1: Robust C Programming

Readings:

• Robust Programming. Matt Bishop

October 4, 5, 7: Case Study Presentations

October 8: Security in the Cloud

Readings:

• Overview of Cloud Computing from NIST
• Amazon Web Services Security Overview
• Cloud Computing Guidance from the Cloud Security Alliance

October 11: Network Security (Guest Lecture, Phil Deneault, WPI NetOps)

October 12: Security Models

Readings:

• Looking Back at the Bell-La Padula Model. David Elliott Bell, 2005.
• On Protection in Operating Systems. Harrison, Ruzzo, and Ullman, 1975.
• A Comparison of Commercial and Military Computer Security Policies. David Clark and David Wilson. 1987 IEEE Symposium on Research in Security and Privacy.

October 14: Course Feedback Discussion; Course Evals