Application Security Syllabus
This course teaches students the fundamental technical skills required to identify and prevent application vulnerabilities. This is further elaborated upon in the textbook, The Art of Software Security Assessment, on which this course draws heavily:
"... you’ll learn about the tools you need to understand and assess software security. You’ll see how to apply the theory and practice of code auditing; this process includes learning how to dissect an application, discover security vulnerabilities, and assess the danger each vulnerability presents. You also learn how to maximize your time, focusing on the most security-relevant elements of an application and prioritizing your efforts to help identify the most critical vulnerabilities first. This knowledge provides the foundation you need to perform a comprehensive security assessment of an application."
- The Art of Software Security Assessment, Chapter 1
We build upon this base of software security assessment and also discuss how to manage ongoing processes in support of secure software development.
Instructors
This course is unique in that guest lecturers come to teach most of the topics in the course, adding their individual specialization and experience to their lectures. In this first run of the application security class, the following invited experts will be teaching classes:
- Dan Guido
- Alex Sotirov
- Dino Dai Zovi
- Brandon Edwards
- Joe Hemler
- Marcin Wielgoszewski
- Shyama Rose
- Tom Ptacek
- Chris Rohlf
Prerequisites
Students are expected to have a strong technical background before taking this course. In particular, they should have at least two of the following:
- Knowledge of computer architecture and assembly (Intel x86 preferred)
- Knowledge of computer security basics (CS393/CS6823: Network Security preferred)
- Familiarity with operating system internals (Windows preferred)
- Familiarity with at least one scripting language (Ruby preferred)
- Familiarity with command line operation of Windows and Linux
Course Content
Each week, an invited expert will give a lecture on a core topic in the course. We plan to cover the following topics this semester, along with their associated chapters from The Art of Software Security Assessment (TAOSSA):
| Course Topic | Reference |
|---|---|
| Threat Modeling and Design Reviews | TAOSSA Chapters 1-4 |
| Metacharacters, Privileges, and Files | TAOSSA Chapters 8, 9, and 13 |
| C, Program Building Blocks | TAOSSA Chapters 6 and 7 |
| Windows: Objects, the Filesystem, and IPC | TAOSSA Chapters 11 and 12 |
| Network Protocols and Fuzzing | TAOSSA Chapter 16 |
| Exploit Mitigations and Privilege Reduction | TAOSSA Chapter 5 |
| Containment | all student lectures |
| Web Security | TAOSSA Chapters 17 and 18 |
| SSL and Cryptography | outside material |
| Secure Development Lifecycle | outside material |
| Mobile Security | outside material |
| Java Insecurities | outside material |
Additionally, each lecture will be accompanied by a student-led presentation and discussion of an assigned paper. Another student will be required to take notes during the discussion and write up a summary of what was discussed on the HowToHack wiki. All students are expected to read the paper before coming to class that week.
Workshops
There will be several workshops throughout the semester that go over practical issues related to the course material. These workshops can be completed on your own time, in your own groups, or you can attend designated Hack Nights in the lab to work on them with other individuals from the class. Solutions for the workshops will be posted and, in fact, many of the solutions are available on Google. The workshops will not be graded; however, you should realize that the contents of the workshops will be exactly mirrored on the exams. We plan to have the following workshops this semester:
- Audit a large body of source code
- Write your own fuzzer module
- Intro to exploit writing
- Sandboxing
- Web hacking
- Cryptography lab
Exams
The midterm and final exam will each be three hours long, open book, and require the use of a laptop. The exams will test course material presented in lectures, discussed in paper reviews, and performed in workshops. There will be a mix of written questions as well as questions requiring more technical skills to complete. These exams will be curved, but only so that the highest-scoring student in the class receives a perfect score.
Grading
Students will receive a grade based on their performance on a midterm (40%), a final exam (40%), and their ability to explain the key technical components of their assigned paper to the class (20%). If there are more students than papers reviewed in the class, the grades for the students without a paper will be based on the quality of the writeups they post on the wiki. Since a large part of the course is based on these discussions, attendance will be taken and is required -- more than two absences will negatively affect your final grade. Finally, participation in at least one capture the flag competition is required to pass the class. This isn't graded, but your participation must be certified by a senior member of the lab or proved via some other means.
Textbook and Calendar
The textbook for this course is The Art of Software Security Assessment (TAOSSA), although there may be course material and readings from The Tangled Web and A Bug Hunter's Diary as well.
Many events related to the class can be tracked on the ISIS calendar, including the schedule for Hack Night, upcoming CTF competitions, and the office hours for class instructors. The lecturers and TAs also hold virtual office hours on the ISIS IRC server each week. Students can connect to this server with any modern chat client, like Pidgin or Adium, by connecting to isis.poly.edu on port 6697 (SSL only) and joining the #security channel. Students are encouraged to use this chat server as a resource throughout the semester.
