CprE 562x – Secure Software Engineering
Catalog Listing:
Fundamentals and techniques to design and implement software systems. Assessment of security vulnerabilities in software systems, exploitation of software vulnerabilities, and methods to secure vulnerable software. Secure coding practices, data analytics for security, microservices and cloud services security. Reverse engineering and security assessment of cyber-physical systems. 3 credits.Learning Outcomes
- Assess the security in vulnerable software systems
- Exploit software vulnerabilities
- Apply methods to secure vulnerable software
- Apply best practices in secure software development
- Build effective cryptographic-based functionalities and assess their vulnerabilities
- Assess security implications for emerging software technologies
Course goals:
The goal of the course is to provide students, as future software developers, with the knowledge and first-hand experience they need to develop secure software. The students will get familiar with exploiting software vulnerabilities, experiment with the techniques to design secure software and to ensure the security of developed software. In addition, they will learn to use of empirical research methods to study software security challenges.Instructor
Dr. Lotfi ben Othmane
Durham Hall #315 Department of Electrical and Computer Engineering
Iowa State University
Phone: 515-294-2664
Email: othmanel@iastate.edu
Office Hours
11:00 - 12:00 Mondays in Durham 315
Other times by email appointment
Teaching Assistants
Ameerah-Muhsinah Jamil | amjamil@iastate.edu
Topics
Topics covered include the following:- Secure software-development life-cycle
- Risk analysis
- Security architecture
- Implementing security features
- Secure coding
- Reverse engineering
- Security assessment
- Data analytics for security
Invited lectures
- Youssef Jad - CyVault
- Heinrich Gantenbein- Microsoft
- Julian Dolby - IBM
- Altaz Valani - SecurityCompass
Tentative Schedule
| Week | Topic | Assignment |
|---|---|---|
| 1 |
|
|
| 2 | Lab 1 | |
| 3 | ||
| 5 | Assignment 1 Research activity |
|
| 6 | ||
| 7 | 8 | Assignment 2 |
| 9 |
Lab 2 |
|
| 10 | ||
| 11 | ||
| 11 | ||
| 11 |
Optional Readings
- Smashing The Stack For Fun And Profit
- A Survey of Security and Privacy in Connected Vehicles
- Incorporating attacker capabilities in risk estimation and mitigation
- Extending the Agile Development Process to Develop Acceptably Secure Software
- Using Assurance Cases to Develop Iteratively Security Features Using Scrum
- Security Analysis of TrueCrypt
- EPICS: A Framework for Enforcing Security Policies in Composite Web Services
- The Current Practices of Changing Secure Software: An Empirical Study
Grading
- 20% - Labs on software attacks
- 5% - Report about security news
- 20% - Assignments
- 20% - Project
- 20% - Research activity
- 15% - Final exam
We will use the standard grade levels. Do not expect the grades to be curved. There will be limited bonus points – get them.
Evaluation
All assignments must be submitted through Canvas. Submission of late assignments are not considered if submitted after 5 days and will have 5%/day penalty otherwise.
Communication
The best way to communicate with me is by email—use [CPRE 562] as subject prefix. I usually reply in 2 business days. Remind me if you do not get an answer. Do not expect me to respond to a communication when the exchange exceeds 4 or 5 emails. In such cases, the issue shall be addressed in a face-to-face meeting.