(502804-3) Software Security

Homepage and Syllabus

Disclaimer

This is the best information available as of today, Sunday March 6, 2022 at 8:50 p.m. KSA time. Changes will appear in this web page as the course progresses.

Meeting time and place

  • Section 9675: Monday 6:00 p.m. - 9:00 p.m. (in classroom 7104)

Instructor: Dr. Emad Alsuwat

Course Homepage: https://emadalsuwat.github.io/SoftwareSecurity-Spring2022.html
Office: W101 CIT
Office hours: Sunday 10:00 a.m. - 12:00 p.m.
Phone: NA
Email: Alsuwat@tu.edu.sa

Course Overview

This course presents the basic principles of software security. It considers important software vulnerabilities and the attacks that exploit them, such as buffer overflows, SQL injection, and session hijacking, and considers defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. The course examines techniques at each phase of the development cycle that can be used to strengthen the security of software systems. It also presents the main techniques of secure software development, automated code review, and penetration testing.

Learning Outcomes

By the end of the course, students will be able to:
  • Describe and understand software security vulnerabilities and the defense methods against these attacks.
  • Learn a set of software security best practices.
  • Understand how to design and develop secure software systems.
  • Apply the related knowledge of code writing and automated code review tools for secure software.
  • Apply software security testing such as penetration testing and fuzz testing.

Textbooks

  • Required: Software Security - Building Security In, Author: Gary McGraw, ISBN: 0321356705

Examinations

  • Midterm Exam: March 21, 2022 during class time
  • Final Exam: TBD

Grading

  • Participation and Quizzes: 5%
  • Homework Assignments and Labs: 20%
  • Research Project: 10%; Bonus: 5%
  • Midterm Exam: 25%
  • Final Exam: 40%

Topics to be covered

Below are roughly the sections of the Gary McGraw book that I will cover. I may de-emphasize some topics and add others, but this is basically the list.

Topic | Text Reference
PART ONE: SOFTWARE SECURITY FUNDAMENTALS
Overview (Computer Security Concepts; Security Attacks; Security Services; Security Mechanisms) | -
Defining a Discipline | Chapter 1
Risk Management Framework | Chapter 2
PART TWO: SEVEN TOUCHPOINTS FOR SOFTWARE SECURITY
Introduction to Software Security Touchpoints | Chapter 3
Code Review with a Tool | Chapter 4
Architectural Risk Analysis | Chapter 5
Software Penetration Testing | Chapter 6
Risk-Based Security Testing | Chapter 7
Abuse Cases | Chapter 8
Software Security Meets Security Operations | Chapter 9
PART THREE: SOFTWARE SECURITY GROWS UP
An Enterprise Software Security Program | Chapter 10
Knowledge for Software Security | Chapter 11
A Taxonomy of Coding Errors | Chapter 12

Lecture Notes and Homework Assignments

Note that changes to the table below will appear week by week as the course progresses.

Week | Topic | Slides | Assignment | Due Date
Week 1 | Syllabus Week | - | - | -
Week 2 | Introduction | Lecture 1 | - | -
Week 3 | Chapter 1: Defining a Discipline | Lecture 2 | - | -
Week 4 | Chapter 2: Risk Management Framework | Lecture 3 | Homework 1 | Feb 27, 2022
Week 5 | Software Reliability (Theory and Practice) | Lecture 4 | - | -
Week 6 | Chapter 3: Software Security Touchpoints | Lecture 5 | Homework 2 | March 9, 2022
Week 7 | Chapter 4: Code Review with a Tool | Lecture 6 | Lab 1 | March 26, 2022
Week 8 | Access Control Models | Lecture 7, Lecture 8 | Homework 3 | April 2, 2022
Week 9 | Midterm Exam + Chapter 5: Architectural Risk Analysis | Lecture 8 | - | -
Week 10 | Chapter 6: Software Penetration Testing | Lecture 9 | - | -
Week 11 | Chapter 7: Risk-Based Security Testing | Lecture 10 | - | -
Week 12 | Chapter 8: Abuse Cases | Lecture 11 | - | -
Week 13 | Chapter 9: Software Security Meets Security Operations; Chapter 10: An Enterprise Software Security Program | Lecture 12, Lecture 13 | - | -
Week 14 | Chapter 11: Software Security Meets Security Operations; Chapter 12: A Taxonomy of Coding Errors | Lecture 14, Lecture 15 | - | -