COSC424-20S2 (C) Semester Two 2020

Secure Software

15 points

Details:
Start Date: Monday, 13 July 2020
End Date: Sunday, 8 November 2020
Withdrawal Dates
Last Day to withdraw from this course:
  • Without financial penalty (full fee refund): Friday, 24 July 2020
  • Without academic penalty (including no fee refund): Friday, 25 September 2020

Description

This course provides students with skills to design and implement secure application programs, which are not vulnerable to malicious attacks.

In an increasingly connected world, cybersecurity is one of the biggest risks companies face. One does not have to look far to read the persistent warnings issued by governments and media alike. Many companies today depend on IT to run critical business functions, and their security systems are no exception.

A cyber breach in your security system can damage your business's reputation, disrupt operations, expose personal data, open doors, or provide access to other building systems.

This course provides students with the skills to design and implement secure software at all levels of a system, so that the system is not vulnerable to cybersecurity attacks. By the end of the course, students should be familiar with why security is important, what types of vulnerabilities can be present in software, how they can be exploited, and how to go about developing and/or implementing software that is sufficiently secure. The course involves significant practical work with a range of proprietary and open source cybersecurity test systems, as well as writing up a project report along similar lines to what will be required in industry.

Learning Outcomes

Students who successfully complete this course will be able to:
  • Learn how to configure systems and both proprietary and open source equipment such that attacks can be prevented.
  • Understand how to design X.509 digital certificate systems in order to secure web sites working with HTTPS/SSL.
  • Understand vulnerabilities in software such as Heartbleed, WannaCry, msfvenom, EternalBlue, and other widespread malware in the wild today, and how they can be prevented.
  • Configure a backend AD server which can be used to deploy secure desktops.
  • Understand how Metasploit is used to provide a testing infrastructure and framework, and use this to demonstrate attacks on servers and mobile systems.
  • Build a 2FA crypto frontend onto Windows or Linux machines in order to provide multifactor authentication.
  • Design a physical access security system which backs onto the AD and uses smartcard access.
  • Develop and test systems which carry out penetration testing and intrusion analysis.
  • Understand how legal interception of encrypted channels operates.
  • Set up and test a secure commercial wireless system and apply all security, routing and access control functions.
  • Test some of the vulnerabilities to be found in Android and Bluetooth systems.
  • Learn how forensics operations are performed on voice and video systems as used by Police and Intelligence agencies.

Pre-requisites

Subject to approval of the Head of Department.

Course Coordinator

For further information see Computer Science and Software Engineering Head of Department

Assessment

Assessment         Due Date   Percentage   Description
Lab Quizzes (10)              20%          One following each lab.
Assignment                    40%
Final Exam                    40%

The final exam will be used to evaluate a student’s overall understanding of the theoretical and technical aspects discussed in the course.

An important component of this course is to gain skills in the testing and evaluation of software cybersecurity systems. Thus a set of labs will be run, which are outlined below.

1. Practical Software Security Policy Implementation and Testing:  Stateful packet inspection, cryptographic tools, Public Key Infrastructure, implementation and testing

This lab addresses the implementation and design of secure software infrastructure and develops a good knowledge of firewall security policy implementation and testing, thus aiming to avoid cybersecurity disasters.

2. Penetration Testing and Intrusion Detection:  SSL Data Leakage - Heartbleed, SSL Interception - Man-In-The-Middle Vulnerabilities, Penetration Testing using Zenmap, Nessus and Snorby Graphical User Interface Intrusion Detection.

There are two components to this lab. The first provides experience and expertise with industry Penetration Testing and Intrusion Detection systems and tools as used in practice in addressing issues in the software cybersecurity world. The second part addresses legal interception and provides skills used by software security intelligence services and the police.

3. Identity and Access Management Software for Cloud Services:  Active Directory, RSA multifactor authentication using hardware, software and mobile phone devices, smartcard identity, Gallagher cloud service security.

This lab extends the previous two and develops the tools necessary for linking many of these devices and systems together and for providing multifactor authentication, as well as providing for implementation and testing.

4. Wireless and Mobile Software Security: Wireless Enterprise Architecture, Testing and evaluation of Android and Bluetooth systems.

This lab focuses on graduates who will work in the area of wireless and mobile enterprise software engineering security, who will be responsible for design, implementation and testing, and who will be required to address key cybersecurity issues in this framework.

5. Application Forensics: TCP/IP, VoIP (Voice over IP) and Video – attacks, exploits and software forensic analysis, Analysing voice, image and video traffic with Wireshark.

This lab is for those who intend to work in police forensics and security intelligence services and must address and understand cybersecurity attacks.

Textbooks / Resources

Information will be given in lectures on appropriate background reading material for each stage of this course.

Additional Course Outline Information

Grade moderation

The Computer Science department's grading policy states that in order to pass a course you must meet two requirements:
1. You must achieve an average grade of at least 50% over all assessment items.
2. You must achieve an average mark of at least 45% on invigilated assessment items.
If you satisfy both these criteria, your grade will be determined by the following University-wide scale for converting marks to grades: an average mark of 50% is sufficient for a C- grade, an average mark of 55% earns a C grade, 60% earns a B- grade, and so forth. However, if you do not satisfy both the passing criteria you will be given either a D or E grade depending on marks. Marks are sometimes scaled to achieve consistency between courses from year to year.

Students may apply for special consideration if their performance in an assessment is affected by extenuating circumstances beyond their control.

Applications for special consideration should be submitted via the Examinations Office website within five days of the assessment.

Where an extension may be granted for an assessment, this will be decided by direct application to the Department and an application to the Examinations Office may not be required.

Special consideration is not available for items worth less than 10% of the course.

Students prevented by extenuating circumstances from completing the course after the final date for withdrawing, may apply for special consideration for late discontinuation of the course. Applications must be submitted to the Examinations Office within five days of the end of the main examination period for the semester.

Tentative lecture schedule

Week 1 Software Security Policy Implementation and Testing (1)
Week 2 Software Security Policy Implementation and Testing (2)
Week 3 Penetration Testing and Intrusion Detection (1)
Week 4 Penetration Testing and Intrusion Detection (2)
Week 5 Identity and Access Management Software for Cloud Services (1)
Week 6 Identity and Access Management Software for Cloud Services (2)
Semester Break
Week 7 Software Security Assessment for Wireless and Mobile Systems (1)
Week 8 Software Security Assessment for Wireless and Mobile Systems (2)
Week 9 Enterprise Software Security (1)
Week 10 Application Forensics (1)
Week 11 Application Forensics (2)

Indicative Fees

Domestic fee $1,022.00

* Fees include New Zealand GST and do not include any programme level discount or additional course related expenses.

For further information see Computer Science and Software Engineering.
