CS 4401:
Software Security Engineering

Figure 1: Exploits of a Mom from XKCD

1  Place and time

We meet in FL 320 on Monday, Tuesday, Thursday, and Friday, 2:00–2:50 pm.

2  Description

An introduction to pitfalls and sound practices for building secure software applications. Topics include web security, secure software development, defensive programming, threat-modeling and human-computer interaction issues that affect security. The course focuses on the application level, with little attention to operating-system level security or to network-level security. Assignments will involve uncovering security holes in software, implementing secure applications, and presenting a case study on security technology. The course is intended for upper-level Computer Science majors who expect to be writing applications with a security component. All students will be required to sign a pledge of responsible conduct at the start of the course.

3  Recommended Background

CS3733 and CS3013 or their equivalents are essential. The course assumes nontrivial experience with C and Unix; familiarity with operating systems and filesystems; and a basic understanding of client-server architectures.

4  Contact information

You can reach the course staff as follows:

Instructor
Joshua Guttman. You can reach me at guttman@wpi.edu. For prompt replies, mention [cs4401] in the subject line.

Student Assistants
Randall Crock and Ryan Price.

Staff mailing list
Don't send mail to cs4401@cs.wpi.edu, because that doesn't work. Remember to insert -staff after the course number. This is a small spam protection maneuver.

Course web site
The course web site is accessible via http://web.cs.wpi.edu/~guttman/cs4401_website/ and http://web.cs.wpi.edu/~cs4401/a11/index.html.

Generally speaking, email works very well for communication. I try to respond very quickly to course-related email, especially when you mention [cs4401] in the subject line. When you email me or the -staff list, please take a moment to think what information we'll need to give you a useful reply. Messages that are fairly short but have the right details get the fastest and best replies.

5  Office hours

You can find me in my office, FL 137, at these times at least:

Monday, 11 am; Tuesday, 3 pm; Thursday, 10 am.

You can email me at guttman@wpi.edu (mentioning [cs4401] in the subject line) to set up meetings at other times also. The SA office hours in FL A22 are:

Randall Crock: Wednesday, 6 pm; Friday, 11 am
Ryan Price: Wednesday, noon; Thursday, noon

6  Course topics

We will focus on five main topics, probably treating the last only very briefly:

Vulnerability and protection
We will survey kinds of vulnerabilities and countermeasures in (a) the web, and (b) C code.

Identification, authentication, and access control
Methods for associating requests with persons and other entities, and deciding whether to grant those requests or not.

Authentication and confidentiality in distributed systems
Cryptography and cryptographic protocols.

Threats and security goals; usability issues.

Security APIs
Security applications programming interfaces for security co-processors and hardware modules.

Thanks very much to Professor Fisler for allowing me to borrow liberally from her editions of this course.

We will not use a textbook for this class. You may want to read parts of Ross Anderson's Security Engineering book (published by Wiley). The current edition is the second; the first edition is available freely online at http://www.cl.cam.ac.uk/~rja14/book.html. Also convenient for web security is Dafydd Stuttard and Marcus Pinto's Web Application Hacker's Handbook; see http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470170778.html.

Our first readings and class-by-class topics are at initial_readings.html.

7  Assignments and Grading

Assignments are at URL assigns.html.

Accommodations for Disabilities.

If you need course adaptations or accommodations because of a disability, or if you have medical information to share with me, please make an appointment with me as soon as possible. Students with disabilities who believe that they may need accommodations in this class are encouraged to contact the Office of Disability Services (ODS) so that accommodations can be made promptly.

ODS is in the West St. House at 157 West St. Their phone is 508 831 4908.
