ClassInfo

SE 526 Software Security Assessment

Spring 2009-2010
Class number: 35086
Section number: 910
Online Campus

Summary

Students in this course will learn how to conduct software security assessments to identify vulnerabilities in software such as web applications and operating system services. Topics include: common software vulnerabilities and attack vectors; malicious payloads, including shellcode structure; and application review techniques, including fuzzing and code auditing. Students will get hands-on experience identifying vulnerabilities in software.



Texts

Dowd, McDonald, Schuh, The Art of Software Security Assessment
# ISBN-10: 0321444426
# ISBN-13: 978-0321444424

Additional resources will be posted as links on COL.


Grading

Mid-term 15%
Final 35%
Assignments 20%
Project 30%


Prerequisites

CSC 435


General Topics

General topics will include:

* The Basics of Application Assessment
* Web Application Vulnerabilities and Exploitation
* Operating System Security
* Memory and Data Structures
* Shellcode Design
* Memory Corruption Vulnerabilities and Exploitation

The following topics will be covered if time permits:

* Remote Exploitation
* Advanced Shellcode Concepts
* Defeating Modern Protection Mechanisms


Projects

The main project of the course will be to assess real-world applications for the types of vulnerabilities discussed in class and exploit the identified vulnerabilities. These vulnerabilities should be previously undisclosed security-relevant conditions that exist within publicly available applications. You may, if you choose, publicly disclose any of the vulnerabilities that you identify. However, responsible disclosure must be followed to allow vendors time to patch their product before public disclosure. For the purposes of this project, an application is defined as a piece of software, distributed as either source code or compiled binaries, which can be run on a physical or virtual machine that you either own or have been specifically granted access to attack. DO NOT assess or attack software running on systems that you do not own (for example, popular websites).

This project will be broken into multiple stages with deadlines throughout the semester. These stages include:

* Application selection and threat modeling
* Vulnerability identification
* Vulnerability exploitation


School policies:

Changes to Syllabus

This syllabus is subject to change as necessary during the quarter. If a change occurs, it will be thoroughly addressed during class, posted under Announcements in D2L and sent via email.

Online Course Evaluations

Evaluations are a way for students to provide valuable feedback regarding their instructor and the course. Detailed feedback will enable the instructor to continuously tailor teaching methods and course content to meet the learning goals of the course and the academic needs of the students. They are a requirement of the course and are key to continuing to provide you with the highest quality of teaching. The evaluations are anonymous; the instructor and administration do not track who entered what responses. A program is used to check whether the student completed the evaluations, but the evaluation is completely separate from the student's identity. Since 100% participation is our goal, students are sent periodic reminders over three weeks. Students do not receive reminders once they complete the evaluation. Students complete the evaluation online in CampusConnect.

Academic Integrity and Plagiarism

This course will be subject to the university's academic integrity policy. More information can be found at http://academicintegrity.depaul.edu/. If you have any questions, be sure to consult with your professor.

All students are expected to abide by the University's Academic Integrity Policy, which prohibits cheating and other misconduct in student coursework. Publicly sharing or posting online any prior or current materials from this course (including exam questions or answers) is considered to be providing unauthorized assistance prohibited by the policy. Both students who share/post and students who access or use such materials are considered to be cheating under the Policy and will be subject to sanctions for violations of Academic Integrity.

Academic Policies

All students are required to manage their class schedules each term in accordance with the deadlines for enrolling and withdrawing as indicated in the University Academic Calendar. Information on enrollment, withdrawal, grading and incompletes can be found at http://www.cdm.depaul.edu/Current%20Students/Pages/PoliciesandProcedures.aspx.

Students with Disabilities

Students who feel they may need an accommodation based on the impact of a disability should contact the instructor privately to discuss their specific needs. All discussions will remain confidential.
To ensure that you receive the most appropriate accommodation based on your needs, contact the instructor as early as possible in the quarter (preferably within the first week of class), and make sure that you have contacted the Center for Students with Disabilities (CSD) at:
Lewis Center 1420, 25 East Jackson Blvd.
Phone number: (312)362-8002
Fax: (312)362-6544
TTY: (773)325-7296