CIS 3615 Secure Software Development




Information Technology
CIS 3615 Secure Software Development
Spring 2013
3 Credit Hours
University of South Florida Sarasota/Manatee
8350 North Tamiami Trail, Sarasota, FL 34243

University of South Florida Sarasota/Manatee Course Syllabus Spring 2013 (Revised: 1/6/13)

Instructor: John Collins
Office: N/A
E-Mail: johncollins@sar.usf.edu
Office Hours: By Appointment

Course Number: CIS 3615
Course Name: Secure Software Development
Course Description: Information is power. It also has value. Thus, there is an incentive for unscrupulous individuals to steal information. This course covers a number of different techniques to help developers build enterprise-level systems that are secure and safe.
Instructor: Staff
Required Materials: Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software Systems. CRC Press, 2009, ISBN-13: 978-1-4200-8784-0. Masoud Kalali, GlassFish Security. Packt Publishing, 2010, ISBN-13: 978-1-847199-38-6.
Prerequisites: COP 3515 Requirements and Program Design; COP 3601 Systems Programming (Java EE)
Course Goals: The goal of this course is to provide students with the knowledge and skills to develop enterprise-level systems that are safer and more secure. The techniques presented here will increase the effort needed by hackers to successfully launch attacks on enterprise software applications.
Performance Objectives: On completing this course, students will:
* Understand vulnerability and the variety of possible attacks
* Be able to apply the Security Development Lifecycle
* Be able to construct secure UNIX/Linux-based programs
* Understand Networking and SOA-based Security
* Be able to implement Java Client-Side Security
* Be able to implement Mobile Application Security
* Be able to secure Web-Facing Applications
* Be able to implement Java Server-Side Security
* Be able to construct Secured Web Services

Attendance Policy: This course will be conducted entirely on-line. Students are expected to log in to each Elluminate session. The course moves through the material at a rapid pace, and each topic builds on the ones that preceded it. However, the online class sessions will be recorded and retained so that students may review the class material.

Performance Evaluation and Grading: Student performance will be evaluated based on exercises and assignments. A grade will be determined based on the total of possible points earned, as follows:
A+ 97-100
A 93-96.9
A- 90-92.9
B+ 87-89.9
B 83-86.9
B- 80-82.9
C+ 77-79.9
C 73-76.9
C- 70-72.9
D+ 67-69.9
D 63-66.9
D- 60-62.9
F 0-59.9

Class Schedule: (Revised: 10/15/10)

Week 1 (Jan 9): Course Introduction
Talukder Chapter 1, Security in Software Systems

Week 2 (Jan 16): Talukder Chapter 2, Architecting Secure Software Systems
* Set up an Eclipse IDE. At the very least, include:
  - a C/C++ compiler
  - the CDT packages for your release (e.g. Juno)
  - ProGuard
  - FindBugs
  - EclEmma
  - SVN
  - GlassFish Integration
* Upload a screenshot of your IDE showing Help > About Eclipse. There should be a set of tool icons.

Week 3 (Jan 23): Talukder Chapter 3, Constructing Secured and Safe C/UNIX Programs
* Create a UML Use Case diagram for an ATM (or another nontrivial system) of your choice. Include at least 3 use cases and 2 abuse cases (e.g. for an ATM, time-of-check/time-of-use attacks in which the system checks the available balance once at initial login, neglecting that a separate ATM can be used at the same time, with each machine used to withdraw the total amount of the account). You can use the UML trial designer, Paint, Word, etc. No points for pretty work; just make it readable.

* Upload the Use Case diagram and a threat model for one of the abuse cases you provided.
* Get a debugger (http://www.ollydbg.de/ or equivalent) and attach it to a running binary. Take screenshots of the debugger after it is attached to a running program, showing functions including toggling a breakpoint, analyzing code, and viewing the call tree.

Week 4 (Jan 30): Talukder Chapter 4, Constructing Secured Systems in .NET, is omitted purposely because we do not use .NET in any of our courses.
Talukder Chapter 5, Networking and SOA-Based Security
* Look at the code samples provided. Address any security concerns and fix the code where appropriate. Be sure your code compiles and runs.

Week 5 (Feb 6): Talukder Chapter 6, Java Client-Side Security
* In Java, create a class with a main method and a private static method that takes a String object, converts it to an integer and returns the result. Validate that the integer is between 1 and 10. Create unit tests for bounds testing. Be sure to check negative infinity, a large negative, a small negative, everything on and next to the low bound, a midrange value, etc. Don't forget to use encoded, nonprintable, and character data in unit tests.
* Use Eclipse and provide a screenshot and analysis of EclEmma (http://agile.csc.ncsu.edu/sematerials/tutorials/eclemma/).
* Go find or make some poor code that causes FindBugs to generate results.
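One way to approach the Week 5 exercise, as an added illustration rather than a solution from the course or its textbooks: the parser allow-lists the input's shape before calling Integer.parseInt, and JUnit 4 tests (assumed available on the classpath) cover the bounds and the hostile inputs the assignment lists. The class and method names are my own choices.

```java
import java.util.regex.Pattern;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

public class BoundedIntParser {
    private static final int LOW = 1, HIGH = 10;
    // Allow-list the shape first: optional sign plus one to three ASCII digits. This rejects
    // whitespace, control bytes, percent-encoding and non-ASCII digits like '\u0665' that parseInt accepts.
    private static final Pattern SHAPE = Pattern.compile("[+-]?[0-9]{1,3}");

    // Converts s to an int and returns it only if it lies within LOW..HIGH.
    private static int parseBounded(String s) {
        if (s == null || !SHAPE.matcher(s).matches()) {
            throw new IllegalArgumentException("not a plain decimal integer");
        }
        int value = Integer.parseInt(s);   // cannot overflow: at most three digits
        if (value < LOW || value > HIGH) {
            throw new IllegalArgumentException("outside " + LOW + ".." + HIGH);
        }
        return value;
    }

    public static void main(String[] args) {
        System.out.println(parseBounded(args.length > 0 ? args[0] : "7"));
    }
    private static boolean rejected(String s) {   // test helper: true when the input is refused
        try { parseBounded(s); return false; }
        catch (IllegalArgumentException e) { return true; }
    }
    @Test public void acceptsValuesOnAndInsideTheBounds() {
        assertEquals(1, parseBounded("1"));    // low bound
        assertEquals(2, parseBounded("2"));    // next to low bound
        assertEquals(5, parseBounded("5"));    // midrange
        assertEquals(10, parseBounded("10"));  // high bound
        assertEquals(7, parseBounded("+07"));  // sign and leading zero are still decimal
    }
    @Test public void rejectsOutOfRangeAndExtremeNumbers() {
        assertTrue(rejected("0"));             // next to low bound, outside
        assertTrue(rejected("11"));            // next to high bound, outside
        assertTrue(rejected("-1"));            // small negative
        assertTrue(rejected("-999"));          // large negative that still fits an int
        assertTrue(rejected("-2147483649"));   // one below Integer.MIN_VALUE
        assertTrue(rejected("-Infinity"));     // "negative infinity" is not an integer
    }
    @Test public void rejectsEncodedNonprintableAndCharacterData() {
        assertTrue(rejected(null));
        assertTrue(rejected("%35"));           // URL-encoded "5"
        assertTrue(rejected("5\u0000"));       // trailing NUL
        assertTrue(rejected(" 5\n"));          // surrounding whitespace and newline
        assertTrue(rejected("\u0665"));        // Arabic-Indic five; Integer.parseInt alone returns 5
        assertTrue(rejected("five"));
    }
}
```

Running the class under EclEmma shows both branches of each check covered, which is the coverage analysis the next bullet asks for.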

Week 6 (Feb 13): Talukder Chapter 7, Security in Mobile Applications
* Research how to sign a JAR with jarsigner (part of the JDK). Write up the instructions for deployment of a signed JAR. Explain why you would do this and look at any issues that users may encounter.

Week 7 (Feb 20): Talukder Chapter 8, Security in Web-Facing Applications

Week 8 (Feb 27): Talukder Chapter 9, Server-Side Java Security
* Create an example of SQL Injection and Cross Site Scripting. Once you are done, encode the attacks using UTF-8 and URL encoding.

Week 9 (Mar 6): Talukder Chapter 10, Constructing Secured Web Services
* The Servlet API states that Servlets are single threaded. Write a Servlet that demonstrates how improperly scoped variables can expose user data; test your code with 2 browser sessions to see if you can get one session's data from the other. Submit the code and a screenshot.

Week 10 (Mar 13): Spring Break. No class; next week's homework is somewhat involved. I recommend getting started soon.

Week 11 (Mar 20): Kalali Chapter 1, Java EE Security Model; Chapter 2, GlassFish Security Realms
* Create a certificate authority and add it to your browser's trusted CAs. Provide the instructions you used.

* Create a server certificate and configure the Web Server with it to allow for HTTPS. Include the CSR creation steps and provide all the instructions used.
* Create a client certificate and load it in the browser. Include a screenshot of the imported certificate.
* Configure HTTPS SSL client authentication. Include a screenshot of the HTTPS connection to the server. This may require you to set up RBAC and set up the deployment descriptor for a protected resource.

Week 12 (Mar 27): Kalali Chapter 3, Designing and Developing Secure Java EE Applications; Chapter 4, Securing GlassFish Environment

Week 13 (Apr 3): Kalali Chapter 5, Securing GlassFish; Chapter 6, Introducing OpenDS: Open Source Directory Service
* Create an EJB project that uses RBAC and a login page that uses a JDBC realm. Submit the EAR or WAR (your choice of deployment).
* Sign the code using the certificate you created in week 10.
* Write up a sample security/policy manager to allow your code to run in your container. Describe the configuration.

Week 14 (Apr 10): Kalali Chapter 7, OpenSSO: The Single Sign-On Solution; Chapter 8, Securing Java EE Applications Using OpenSSO

Week 15 (Apr 17): Kalali Chapter 9, Securing Web Services by OpenSSO
Course Wrap-up and Evaluation
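The scoping bug behind the Week 9 servlet exercise, shown as an added example (not code from the course or its textbooks) with the leaky version beside the corrected one. Each class is assumed to live in its own file in one package, mapped in web.xml; the session attribute "user" is assumed to be set by a login step, and the slow lookup is a constructed stand-in for a database call.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// BEFORE: the container creates one instance of a servlet and dispatches requests from
// every browser session to it on separate threads, so an instance field is shared state.
public class LeakyBalanceServlet extends HttpServlet {
    private String owner;   // WRONG scope: every in-flight request reads and writes this one field

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        owner = (String) req.getSession().getAttribute("user");
        String balance = lookupBalance(owner);   // slow; a second session can enter doGet meanwhile
        resp.setContentType("text/plain");
        // If the other request overwrote 'owner' during the lookup, session A's page now
        // names session B's user (and would show B's balance if it were a field too).
        resp.getWriter().println("Balance for " + owner + ": " + balance);
    }

    // Constructed stand-in for a database call; the sleep widens the race window so
    // two browsers refreshed within three seconds of each other reproduce the leak.
    static String lookupBalance(String user) {
        try {
            Thread.sleep(3000);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        return "alice".equals(user) ? "100.00" : "5.00";
    }
}

// AFTER: per-request data lives in local variables, which belong to the thread handling
// that request. The servlet holds no mutable instance state, so sessions cannot see
// each other's data no matter how requests interleave.
public class SafeBalanceServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String owner = (String) req.getSession().getAttribute("user");
        String balance = LeakyBalanceServlet.lookupBalance(owner);
        resp.setContentType("text/plain");
        resp.getWriter().println("Balance for " + owner + ": " + balance);
    }
}
```

The same rule applies to any request-scoped value (a user id, a StringBuilder, a JDBC connection): keep it in a local variable or the request, never in a field of the servlet.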

Religious Observances
The University recognizes the right of students and faculty to observe major religious holidays. Students who anticipate the necessity of being absent from class for a major religious observance must provide notice of the date(s) to the instructor, in writing, by the second week of classes.
http://generalcounsel.usf.edu/policies-and-procedures/pdfs/policy-10-045.pdf

Disabilities Accommodation
Students are responsible for registering with the Office of Students with Disabilities Services (SDS) in order to receive academic accommodations. Reasonable notice must be given to the SDS office (typically 5 working days) for accommodations to be arranged. It is the responsibility of the student to provide each instructor with a copy of the official Memo of Accommodation.
www.sarasota.usf.edu/students/disability/
Contact Information: Pat Lakey, Coordinator, 941-359-4714, plakey@sar.usf.edu

Academic Dishonesty
The University considers any form of plagiarism or cheating on exams, projects, or papers to be unacceptable behavior. Please be sure to review the university's policy in the catalog (USFSM Undergraduate Catalog or USFSM Graduate Catalog) and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/academics/catalogs/
Graduate: http://www.sarasota.usf.edu/academics/catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88

Academic Disruption
The University does not tolerate behavior that disrupts the learning process. The policy for addressing academic disruption is included with Academic Dishonesty in the catalog (USFSM Undergraduate Catalog or USFSM Graduate Catalog) and the USF Student Code of Conduct.
Undergraduate: http://www.sarasota.usf.edu/academics/catalogs/
Graduate: http://www.sarasota.usf.edu/academics/catalogs/
USF Student Code of Conduct: http://www.sa.usf.edu/srr/page.asp?id=88

Contingency Plans
In the event of an emergency, it may be necessary for USFSM to suspend normal operations. During this time, USFSM may opt to continue delivery of instruction through methods that include but are not limited to: Blackboard, Elluminate, Skype, and email messaging and/or an alternate schedule. It's the responsibility of the student to monitor the Blackboard site for each class for course-specific communication, and the main USFSM and College websites, emails, and MoBull messages for important general information. The USF hotline at 1 (800) 992-4231 is updated with pre-recorded information during an emergency.

Emergency Preparedness
It is strongly recommended that you become familiar with the USF Sarasota-Manatee Emergency Action Plan on the Safety Preparedness site:
http://www.sarasota.usf.edu/facilities/safetypreparedness.php

Fire Alarm Instructions
At the beginning of each semester please note the emergency exit maps posted in each classroom. These signs are marked with the primary evacuation route (red) and secondary evacuation route (orange) in case the building needs to be evacuated.