Oct 27: Course Overview

Oct 29: SQL Injection

Readings:

• SQL Tutorial (if you don't know basic SQL)
• SQL Injection Attacks by Example. Steve Friedl

Oct 30: Cross-Site Scripting

Readings:

• HTTP Overview. (if you don't know how HTTP works)
• DOM Reference. (if you don't know what the DOM is)
• An XSS Attack Archive.
• Another XSS Attack Archive.

November 2: Request Forgery

Readings:

• CSRF Overview. Jesse Burns

November 3: Clickjacking

Readings:

• Overview by Robert Hansen (SecTheory) & Jeremiah Grossman (WhiteHat Security)

November 5: Session Management

Readings:

• Secure Session Management With Cookies for Web Applications. Chris Palmer
• Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell

November 6: Authentication and Identity

Readings:

• The Laws of Identity. Kim Cameron
• Who Goes There? Authentication through the lens of privacy (chapter 5). National Academy of Sciences

November 9: Access Control

Readings:

• XML Security: Control information access with XACML. Manish Verma

November 10: Capabilities

Readings:

• What is a capability, anyway?. Jonathan Shapiro
• Google Caja

November 12: Attacking C Code

Readings:

• Smashing the Stack for Fun and Profit. Aleph One
• Shellcoding for Linux and Windows Tutorial. Steve Hanna
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan, et al.
• Exploiting Format String Vulnerabilities.
• Hacking: The Art of Exploitation (code link on page). Jon Erickson
• GDB quick reference

November 13: Robust C Programming

Readings:

• Robust Programming. Matt Bishop

November 16-23: Case Study Presentations

November 24: Threat Modelling

Readings:

• Larry Osterman Blog--follow the first-sentence links.
• Uncover Security Design Flaws Using the STRIDE Approach. Shawn Herman and Scott Lambert and Tomasz Ostwald and Adam Shostack. (This is the tutorial we followed for lecture today)
• Software [In]security: Software Security Top 10 Surprises. Gary McGraw, Brian Chess, Sammy Migues

November 30: Cryptography

Readings:

• Wikipedia Overview
• Bruce Schneier's Cryptography links, includes essays and analyses of various algorithms and crypto techniques. His Applied Cryptography book is high regarded.

December 1: Protocol Analysis (Professor Guttman Guest Lecture)

December 3-4: Usability

Readings:

• Why Johnny Can't Encrypt. Alma Whitten and Doug Tygar
• User Interaction Design for Secure Systems. Ka-Ping Yee
• You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. Serge Egelman, Lorrie Faith Cranor, and Jason Hong.
• PhishGuru
• So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley

December 7-10: Case Study Presentations

December 11: Security in the Cloud

Readings:

• Overview of Cloud Computing from NIST
• Amazon Web Services Security Overview
• Cloud Computing Guidance from the Cloud Security Alliance

December 14: Network Security (Guest Lecture, Phil Deneault, WPI NetOps)

December 15: Security Models

Readings:

• Looking Back at the Bell-La Padula Model. David Elliott Bell, 2005.
• On Protection in Operating Systems. Harrison, Ruzzo, and Ullman, 1975.
• A Comparison of Commercial and Military Computer Security Policies. David Clark and David Wilson. 1987 IEEE Symposium on Research in Security and Privacy.

December 17: Course Feedback Discussion; Course Evals