SE 526 Software Security Assessment
Summary
Students in this course will learn how to conduct software security assessment to identify software vulnerabilities in software such as web applications and operating system services. Topics include: common software vulnerabilities and attack vectors; malicious payloads, including shell code structure; and application review techniques, including fuzzing and code auditing. Students will get hands-on experience identifying vulnerabilities in software.
Texts
Dowd, McDonald, Schuh, The Art of Software Security Assessment
ISBN-10: 0321444426
ISBN-13: 978-0321444424
Additional resources will be posted as links on COL.
Grading
Mid-term 15%
Final 35%
Assignments 20%
Project 30%
Prerequisites
CSC 435
General Topics
General topics will include:
* The Basics of Application Assessment
* Web Application Vulnerabilities and Exploitation
* Operating System Security
* Memory and Data Structures
* Shellcode Design
* Memory Corruption Vulnerabilities and Exploitation
The following topics will be covered if time permits:
* Remote Exploitation
* Advanced Shellcode Concepts
* Defeating Modern Protection Mechanisms
Projects
The main project of the course will be to assess real-world applications for the types of vulnerabilities discussed in class and to exploit the identified vulnerabilities. These vulnerabilities should be previously undisclosed, security-relevant conditions that exist within publicly available applications. You may, if you choose, publicly disclose any of the vulnerabilities that you identify. However, responsible disclosure must be followed to allow vendors time to patch their product before public disclosure. For the purposes of this project, an application is defined as a piece of software, distributed as either source code or compiled binaries, which can be run on a physical or virtual machine that you either own or have been specifically granted access to attack. DO NOT assess or attack software running on systems that you do not own (for example, popular websites).
This project will be broken into multiple stages with deadlines throughout the semester. These stages include:
* Application selection and threat modeling
* Vulnerability identification
* Vulnerability exploitation
This syllabus is subject to change as necessary during the quarter. If a change occurs, it will be thoroughly addressed during class, posted under Announcements in D2L and sent via email.
Evaluations are a way for students to provide valuable feedback regarding their instructor and the course. Detailed feedback will enable the instructor to continuously tailor teaching methods and course content to meet the learning goals of the course and the academic needs of the students. They are a requirement of the course and are key to continuing to provide you with the highest quality of teaching. The evaluations are anonymous; the instructor and administration do not track who entered what responses. A program is used to check if the student completed the evaluations, but the evaluation is completely separate from the student's identity. Since 100% participation is our goal, students are sent periodic reminders over three weeks. Students do not receive reminders once they complete the evaluation. Students complete the evaluation online in CampusConnect.
This course will be subject to the university's academic integrity policy. More information can be found at http://academicintegrity.depaul.edu/. If you have any questions, be sure to consult with your professor.
All students are expected to abide by the University's Academic Integrity Policy, which prohibits cheating and other misconduct in student coursework. Publicly sharing or posting online any prior or current materials from this course (including exam questions or answers) is considered to be providing unauthorized assistance prohibited by the policy. Both students who share/post and students who access or use such materials are considered to be cheating under the Policy and will be subject to sanctions for violations of Academic Integrity.
All students are required to manage their class schedules each term in accordance with the deadlines for enrolling and withdrawing as indicated in the University Academic Calendar. Information on enrollment, withdrawal, grading and incompletes can be found at http://www.cdm.depaul.edu/Current%20Students/Pages/PoliciesandProcedures.aspx.
Students who feel they may need an accommodation based on the impact of a disability should contact the instructor privately to discuss their specific needs. All discussions will remain confidential. To ensure that you receive the most appropriate accommodation based on your needs, contact the instructor as early as possible in the quarter (preferably within the first week of class), and make sure that you have contacted the Center for Students with Disabilities (CSD) at:
Lewis Center 1420, 25 East Jackson Blvd.
Phone number: (312)362-8002
Fax: (312)362-6544
TTY: (773)325.7296