Information Technology
CIS 3615 Secure Software Development
Spring 2013
3 Credit Hours
University of South Florida Sarasota/Manatee
8350 North Tamiami Trail, Sarasota, FL 34243

University of South Florida Sarasota/Manatee
Course Syllabus
Spring 2013 (Revised: 1/6/13)

Instructor: John Collins
Office: N/A
E-Mail: johncollins@sar.usf.edu
Office Hours: By Appointment

Course Number: CIS 3615

Course Name: Secure Software Development

Course Description: Information is power. It also has value. Thus, there is an incentive for unscrupulous individuals to steal information. This course covers a number of different techniques to help developers to build enterprise-level systems that are secure and safe.

Instructor: Staff

Required Materials:
Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software Systems. CRC Press, 2009. ISBN-13: 978-1-4200-8784-0.
Masoud Kalali, Glassfish Security. Packt Publishing, 2010. ISBN-13: 978-1-847199-38-6.

Prerequisites: COP 3515 Requirements and Program Design; COP 3601 Systems Programming (Java EE)

Course Goals: The goal of this course is to provide students with the knowledge and skills to develop enterprise-level systems that are safer and more secure. The techniques presented here will increase the effort needed by hackers to successfully launch attacks on enterprise software applications.

Performance Objectives: On completing this course, students will:
* Understand vulnerability and the variety of possible attacks
* Be able to apply the Security Development Lifecycle
* Be able to construct secure UNIX/Linux-based programs
* Understand Networking and SOA-based Security
* Be able to implement Java Client-Side Security
* Be able to implement Mobile Application Security
* Be able to secure Web-Facing Applications
* Be able to implement Java Server-Side Security
* Be able to construct Secured Web Services

Attendance Policy: This course will be conducted entirely on-line. Students are expected to log in to each Elluminate session. The course moves through the material at a rapid pace, and each topic builds on the ones that preceded it. However, the online class sessions will be recorded and retained so that students may review the class material.

Performance Evaluation and Grading: Student performance will be evaluated based on exercises and assignments. A grade will be determined based on the total of possible points earned, as follows:

A+  97-100
A   93-96.9
A-  90-92.9
B+  87-89.9
B   83-86.9
B-  80-82.9
C+  77-79.9
C   73-76.9
C-  70-72.9
D+  67-69.9
D   63-66.9
D-  60-62.9
F   0-59.9

Class Schedule: (Revised: 10/15/10)

Date            Topic

Week 1 (Jan 9)
Course Introduction
Talukder Chapter 1, Security in Software Systems

Week 2 (Jan 16)
Talukder Chapter 2, Architecting Secure Software Systems
* Set up an Eclipse IDE. Be sure to include these at the very least:
  - a C/C++ compiler
  - The CDT packages for your release (e.g. Juno)
  - ProGuard
  - FindBugs
  - EclEmma
  - SVN
  - GlassFish Integration
* Upload a screenshot of your IDE, with the Help > About Eclipse. There should be a set of tool icons.

Week 3 (Jan 23)
Talukder Chapter 3, Constructing Secured and Safe C/UNIX Programs
* Create a UML Use Case diagram for an ATM (or nontrivial system) of your choice. Include at least 3 use cases and 2 abuse cases (e.g. for an ATM, time-of-check, time-of-use attacks in which a system looks at the available balance once at the initial login, neglecting to consider that a separate ATM can be used at the same time, with each machine used to withdraw the total amount of the account). You can try to use the UML trial designer, Paint, Word, etc. No points for pretty work, just make it readable.
* Upload the Use Case diagram and a threat model from one of the abuse cases you provided.
* Get a debugger (http://www.ollydbg.de/ or equivalent) and attach it to a running binary. Take screen shots of the debugger after it is attached to a running program, showing functions including toggling a breakpoint, analyzing code, and viewing the call tree.

Week 4 (Jan 30)
Talukder Chapter 4, Constructing Secured Systems in .NET, is omitted purposely because we do not use .NET in any of our courses.
Talukder Chapter 5, Networking and SOA-Based Security
* Look at the code samples provided. Address any security concerns and fix the code where appropriate. Be sure your code compiles and runs.

Week 5 (Feb 6)
Talukder Chapter 6, Java Client-Side Security
* In Java, create a class with a main method and a private static method that takes a String object, converts it to an integer and returns the result. Validate that the integer is between 1 and 10. Create unit tests for bounds testing. Be sure to check negative infinity, a large negative, a small negative, everything on and next to the low bounds, a midrange value, etc. Don't forget to use encoded, nonprintable, and character data in unit tests.
* Use Eclipse and provide a screen shot and analysis of EclEmma: http://agile.csc.ncsu.edu/sematerials/tutorials/eclemma/
* Find or write some poor code that causes FindBugs to generate results.

Week 6 (Feb 13)
Talukder Chapter 7, Security in Mobile Applications
* Research how to sign a JAR with jarsigner (part of the JDK). Write up the instructions for deployment of a signed JAR. Explain why you would do this and look at any issues that users may encounter.

Week 7 (Feb 20)
Talukder Chapter 8, Security in Web-Facing Applications

Week 8 (Feb 27)
Talukder Chapter 9, Server-Side Java Security
* Create an example of SQL Injection and Cross Site Scripting. Once you are done, encode the attacks using UTF-8 and URL encoding.

Week 9 (Mar 6)
Talukder Chapter 10, Constructing Secured Web Services
* The Servlet API states that Servlets are single threaded. Write a Servlet that demonstrates how improperly scoped variables can expose user data, and test your code with 2 browser sessions to see if you can get one session's data from the other. Submit the code and a screen shot.

Week 10 (Mar 13)
Spring Break, No Class. Next week's homework is somewhat involved. I recommend getting started soon.

Week 11 (Mar 20)
Kalali Chapter 1, Java EE Security Model
Chapter 2, Glassfish Security Realms
* Create a certificate authority and add it to your browser's trusted CAs. Provide the instructions you used.
* Create a server certificate and configure the Web Server with it to allow for HTTPS. Include the CSR creation steps and provide all the instructions used.
* Create a Client certificate and load it in the Browser. Include a screen shot of the imported certificate.
* Configure HTTPS SSL Client Authentication. Include a screen shot of the HTTPS connection to the server. This may require you to set up RBAC and set up the deployment descriptor for a protected resource.

Week 12 (Mar 27)
Kalali Chapter 3, Designing and Developing Secure Java EE Applications
Chapter 4, Securing Glassfish Environment

Week 13 (Apr 3)
Kalali Chapter 5, Securing Glassfish
Chapter 6, Introducing OpenDS: Open Source Directory Service
* Create an EJB project that uses RBAC and a login page that uses a JDBC realm. Submit the EAR or WAR (your choice of deployment).
* Sign the code using the certificate you created in week 10.
* Write up a sample security/policy manager to allow your code to run in your container. Describe the configuration.

Week 14 (Apr 10)
Kalali Chapter 7, OpenSSO: The Single Sign-On Solution
Chapter 8, Securing Java EE Applications Using OpenSSO

Week 15 (Apr 17)
Kalali Chapter 9, Securing Web Services by OpenSSO
Course Wrap-up and Evaluation

Religious Observances
The University recognizes the right of students and faculty to observe major religious holidays. Students who anticipate the necessity of being absent from class for a major religious observance must provide notice of the date(s) to the instructor, in writing, by the second week of classes.
http://generalcounsel.usf.edu/policies-and-procedures/pdfs/policy-10-045.pdf

Disabilities Accommodation
Students are responsible for registering with the Office of Students with Disabilities Services (SDS) in order to receive academic accommodations. Reasonable notice must be given to the SDS office (typically 5 working days) for accommodations to be arranged. It is the responsibility of the student to provide each instructor with a copy of the official Memo of Accommodation.
www.sarasota.usf.edu/students/disability/
Contact Information: Pat Lakey, Coordinator, 941-359-4714, plakey@sar.usf.edu

Academic Dishonesty
The University considers any form of plagiarism or cheating on exams, projects, or papers to be unacceptable behavior. Please be sure to review the university's policy in the catalog, USFSM Undergraduate Catalog or USFSM Graduate Catalog, and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/academics/catalogs/
Graduate: http://www.sarasota.usf.edu/academics/catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88

Academic Disruption
The University does not tolerate behavior that disrupts the learning process. The policy for addressing academic disruption is included with Academic Dishonesty in the catalog, USFSM Undergraduate Catalog or USFSM Graduate Catalog, and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/academics/catalogs/
Graduate: http://www.sarasota.usf.edu/academics/catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88

Contingency Plans
In the event of an emergency, it may be necessary for USFSM to suspend normal operations. During this time, USFSM may opt to continue delivery of instruction through methods that include but are not limited to: Blackboard, Elluminate, Skype, and email messaging and/or an alternate schedule. It is the responsibility of the student to monitor the Blackboard site for each class for course-specific communication, and the main USFSM and College websites, emails, and MoBull messages for important general information. The USF hotline at 1 (800) 992-4231 is updated with pre-recorded information during an emergency.

Emergency Preparedness
It is strongly recommended that you become familiar with the USF Sarasota-Manatee Emergency Action Plan on the Safety Preparedness site:
http://www.sarasota.usf.edu/facilities/safetypreparedness.php

Fire Alarm Instructions
At the beginning of each semester please note the emergency exit maps posted in each classroom. These signs are marked with the primary evacuation route (red) and secondary evacuation route (orange) in case the building needs to be evacuated.