Instructor
James Joshi

Contact Info
706A, IS Building
Tel: 412-624-9982
jjoshiATsis.pitt.edu

Office Hours
By Appointment
(Or just drop by when you see me in my office)

INFSCI 2620 Developing Secure Systems
(Fall 2017)

This course can be used for:
  • SAIS Track Elective OR Capstone Requirement
  • PhD Core Area / Systems and Technology

Thursdays; 12:00 - 2:50PM
Room IS 406

Announcement

Lectures
(Lecture 8, 9 slides have been added)

Assignments
(HW1 - due Sept 22)
(HW2 / Lab1 - due Oct 2)

Safari Online Books

Reading Material
(research papers, articles)

This course was revised around 2014 to align with the requirements for Knowledge Units and Focus Areas in Information Security established by the US National Security Agency (click here to see the Knowledge Units and Focus Areas). In particular, the revision makes this a more structured course with specific labs and projects, unlike in the past when it was a flexible course with reading assignments and open projects.

The course will also aim at addressing some or all of the requirements of the following Focus Areas:

  • Secure software development
  • Security Engineering
  • Secure Mobile technology

 

A special interest this year is Healthcare IT/Applications: case studies, readings or projects.

Labs will focus on:

1. Buffer Overflow
2. SQL Injection and Cross-Site Scripting
3. Reverse Engineering
4. Code analysis tools and security testing tools
5. Verification tools

 

TOOLS: Some tools that the students will be working with include

  • Static Code Analysis tools
  • VirtualBox
  • Netbeans
  • Cygwin
  • Hex-Rays Decompiler
  • MySQL
  • Apache Tomcat
  • Eclipse
  • Android SDK
  • Xamarin Studio or Microsoft Visual Studio & Xamarin Visual Studio integration
  • More to be added

 

Course Description

Development of high-assurance software systems is a growing challenge in emerging complex systems. Secure by design is emerging as a basic principle for trustworthy computing and as a preferred way to ensure the security of networked information systems and infrastructures. This course focuses on this issue and fosters the design, implementation, and verification/validation of secure software systems and architectures. Key coverage includes principles and practices of a secure and high-assurance software development process, including security development lifecycle models, and design/verification/validation using languages and tools such as UML. Tools and techniques for code analysis and testing, and evaluation and certification of software, will also be emphasized. The course will also cover secure programming principles using different languages, with particular focus on secure software development.

Key topics summary:

1. Secure development methodologies/models, assurance techniques (certification, validation, etc.)
2. Secure programming issues/practices and tools
3. Software assurance and security analysis - tools and techniques
4. Secure design, testing and systems security engineering (e.g., protocol verification, model-based techniques, etc.)
5. Supply Chain Security, Life-Cycle Security, Security Risk Analysis

 

 

Course Objectives

1. Understand the principles and methodologies for designing and implementing secure systems, and for establishing software assurance
2. Understand and analyze code for vulnerabilities and learn secure programming practices
3. Use tools for code analysis and security property verification (labs)
4. Apply secure design principles to build a real system (projects)

Prerequisites

  • IS 2150/TEL 2810 Introduction to Computer Security OR EQUIVALENT
  • The following courses are preferred but not required:
    • IS 2170/TEL 2820 Cryptography; TEL 2821 Network Security
    • IS 2511 or IS 2540
  • Talk to the instructor if you are not sure of your background

Course Material & Tools

There is no one book that covers all the topics considered in this course. All the relevant books are still being checked to see if one can be used as the main textbook. Here are some reference books that will be recommended for the course.

  • Secure Programming with Static Analysis, Brian Chess and Jacob West
  • Secure Coding in C and C++, Robert C. Seacord, Addison-Wesley, 2006
  • Software Security - Building Security In, Gary McGraw, Addison-Wesley Software Security Series, ISBN: 0-321-35670-5
  • Building Secure Software: How to Avoid Security Problems the Right Way, John Viega, Gary McGraw, Addison-Wesley, 2002
  • Reversing: Secrets of Reverse Engineering, Eldad Eilam
  • SQL Injection Attacks and Defense, Justin Clarke
  • Modelling and Analysis of Security Protocols, Peter Ryan, Steve Schneider, Michael Goldsmith, Gavin Lowe and Bill Roscoe
  • Enterprise Java Security: Building Secure J2EE Applications, Marco Pistoia, Nataraj Nagaratnam, Larry Koved, Anthony Nadalin, Addison-Wesley, 2004
  • Secure Systems Development with UML, Jan Jurjens, Springer-Verlag, 2005
  • Papers; MSDN, US-CERT, etc.

Most of these and other useful materials are available through the Pitt domain in Safari Online. Check this page for the online books that are available (you can search for the book here).

 

 


Grading (Tentative – the distribution may be changed based on class interest)

  • Assignments/Presentation/Exam: 50%
    • Read/Review and/or present research papers or articles
    • Assignments/quizzes
    • Lab exercises
  • Exams and Project: 50%
    • Two exams
    • One project


If you are having a disability for which you are or may be requesting an accommodation, you are encouraged to contact both your instructor and the Office of Disability Resources and Services (DRS), 216 William Pitt Union (412-648-7890/412-383-7355) as early as possible in the term. DRS will verify your disability and determine reasonable accommodations for this course.