About the Course:
This course presents security aspects across the software life cycle: requirements, architecture and design, coding, and testing. Students will have the opportunity to delve into the technical "how to" through hands-on sessions and some case studies.
Course Objectives:
Understand various cyber threats and attacks; learn about Secure Software development process.
Understand how privilege escalation attacks and buffer overflows happen. Learn to analyze malware and differentiate between categories such as viruses and worms.
Understand the concept of Threat Modelling and its application.
Understand and learn about the most common Web application security vulnerabilities.
Understand and apply various security testing techniques and tools.
Course Outcomes:
At the end of this course, the student will be able to:
Identify possible misuse cases in the context of software development.
Apply the different concepts and techniques learnt to prevent privilege escalation and buffer overflow attacks. Apply the acquired knowledge to create a worm from a virus.
Apply Threat Modelling techniques to expose inherent/dormant vulnerabilities in a given software design/architecture and propose alternate solutions.
Design and develop secure Web applications.
Perform penetration testing on the given software system.
Course Content:
Unit 1:
Introduction - 12 Hours
Software Threats and Vulnerabilities, OWASP Top 10, SANS Top 25, CVE, etc. The CIA Triad - Core Security Principles, Vulnerabilities, Threats and Attacks, Security and reliability, Security vs. privacy, Cyberattack Types, Anatomy of an Attack, Security Concepts and Relationships. Use cases and Misuse cases, Misuse case legend, Security use case vs. Misuse case, Software Development Life Cycle, Risk analysis, SDL, SDL practices.
Unit 2:
Privilege Escalation Attacks - 12 Hours
Set-UID programs and environment variables, Shellshock attack, buffer overflow. Non-executable stack, defeat countermeasures, Environment Setup, Tasks involved in the attack, Function prologue and epilogue, Format string Vulnerabilities, Vulnerabilities code launching attack. Malware and abra worm, Stuxnet worm, Morris worm.
Unit 3:
Threat Modelling - 10 Hours
Threat Modelling, Trust Boundaries Threat Modelling, Brainstorming, Modelling Methods, STRIDE, privacy threats, Taxonomy of Privacy, privacy tools, processing threats, defensive tactics and technologies. EOP card game.
Unit 4:
Web Application Security Issues - 12 Hours
Challenges, browser security, web security. SQL injection. Basic Structure of Web Traffic, Relational Database Elements, SQL Tutorial, Interacting with Database in Web Application, Launching SQL Injection Attacks. Cross-Site Request Forgery, CSRF Attacks on HTTP GET / POST Services, Countermeasures, Cross-Site Scripting Attack, XSS Attacks, Countermeasures. HTTP Security: Overview of HTTP Security, MITM Attacks and Solutions, HTTP Security Headers, Privacy Issues and HTTP Authentication.
Unit 5:
Security Testing Countermeasures - Tools, Frameworks, and Services - 10 Hours
Static analysis tools, penetration testing, Benefits, Drawbacks, Web hacking Tools, Nmap for network probing, Web proxies, Metasploit, Ethical Hacking, Fuzzing.
Textbooks:
1: “Computer and Internet Security: A Hands-on Approach”, Wenliang Du, 2nd Edition, 2019
Reference Books:
1: “Computer Security – Principles and Practice”, William Stallings, 3rd Edition, 2014
Note: Hands-on experience for relevant topics is given in the form of labs or assignments. A relevant cyber security case for undergraduate students is discussed.
Tools & Languages:
SEED Labs, Scapy, Burp Suite, Nmap, C language