This course provides students with skills to design and implement secure application programs, which are not vulnerable to malicious attacks.
2021 Covid-19 Update: Please refer to the course page on AKO | Learn for all information about your course, including lectures, labs, tutorials and assessments.

In an increasingly connected world, cybersecurity is one of the biggest risks companies face. One does not have to look far to read the persistent warnings issued by governments and media alike. Many companies today depend on IT to run critical business functions, and your security system is no different. A cyber breach in your security system can damage your business's reputation, disrupt operations, expose personal data, open doors, or provide access to other building systems.

This course provides students with the skills to design and implement secure software, at all levels in a system, which is not vulnerable to cybersecurity attacks. By the end of the course, students should be familiar with why security is important, what types of vulnerabilities can be present in software, how they can be exploited, how to configure and test the software configurations in IT systems, and how to develop and/or implement software that is sufficiently secure. The course involves significant practical work involving a range of proprietary and open source cybersecurity test systems.
Students who successfully complete this course will be able to:

Learn how to configure systems and both proprietary and open source equipment such that attacks can be prevented.
Understand how to design X.509 digital certificate systems in order to secure web sites working with HTTPS/SSL.
Understand vulnerabilities in software such as Heartbleed, WannaCry, Denial of Service attacks, MSVenon, EternalBlue, and other widespread malware in the wild today, and how they can be prevented.
Learn how to write and test application programs which protect against vulnerabilities such as cross-site scripting, cross-site request forgery, injection attacks etc.
Configure a backend AD server which can be used to deploy secure desktops.
Understand how Metasploit is used to provide a testing infrastructure and framework. Use this to demonstrate attacks on servers and mobile systems.
Build a 2FA crypto frontend onto Windows or Linux machines in order to provide multifactor authentication.
Design a physical access security system which back-ends to the AD and uses smartcard access.
Develop and test systems which carry out penetration testing and intrusion analysis.
Set up and test a secure commercial wireless system and test some of the vulnerabilities to be found in Android and Bluetooth systems.
Learn how forensics operations are performed on voice and video systems as used by Police and Intelligence agencies.
Subject to approval of the Head of Department.
Teaching Notes:
Weeks 1-2: Ray Hunt (Room 247)
Weeks 3-6: Richard Pascoe (Room 247)
Weeks 7-12: Ray Hunt (Room 247)
Andreas Willig
Ray Hunt and Richard Pascoe
The final exam will be used to evaluate a student's overall understanding of the theoretical and technical aspects discussed in the course.

An important component of this course is to gain skills in the testing and evaluation of software cybersecurity systems. Thus a set of labs will be run, which are outlined below. These practical lab sessions will mainly be written up during the lab sessions and handed in every two weeks.

Weeks 1-2:
Practical Software Security Policy Implementation and Testing: software security packet filters and proxy configuration, Public Key Infrastructure and digital certificate creation and implementation on a server.
Penetration Testing and Intrusion Detection: SSL data leakage (Heartbleed), SSL interception (man-in-the-middle vulnerabilities), penetration testing using Zenmap, Nessus and Snorby G intrusion detection.
These labs address the implementation and design of secure software infrastructure and develop a good knowledge of firewall security policy implementation and testing, thus aiming to avoid cybersecurity disasters. Further, they provide experience and expertise with industry penetration testing and intrusion detection systems and tools as used in practice in addressing issues in the software cybersecurity world.

Weeks 3-6:
Lectures and labs will be an introduction to the general topic of secure software as applied to application programs. Concepts associated with secure software will be presented and discussed in lectures, while practical skills will be developed in labs as students implement examples of these concepts. Topics will include: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Injection Flaws (XML, JSON, numeric, string, command etc.).

Weeks 7-8:
Identity and Access Management Software for Cloud Services: Active Directory, RSA multifactor authentication using hardware, software and mobile phone devices, smartcard identity, Gallagher cloud service security. These labs develop the tools necessary for linking many of these devices and systems together and for providing multifactor authentication, as well as providing for implementation and testing.

Weeks 9-10:
Authentication and Authorisation: SSO (Single Sign On) using Shibboleth/Federation Services authentication. This will operate with an IdP (Identity Provider) and two SPs (Service Providers) and will demonstrate the operation of OpenID and the new OAuth 2 Authorisation Framework, thus demonstrating new approaches to authentication and authorisation.

Weeks 11-12:
Application Forensics: TCP/IP, VoIP (Voice over IP) and video attacks, exploits and software forensic analysis; analysing voice, image and video traffic with Wireshark. This lab is for those who intend to work in police forensics and security intelligence services and must address and understand cybersecurity attacks on software systems.
Information will be given in lectures on appropriate background reading material for each stage of this course.
The Computer Science department's grading policy states that in order to pass a course you must meet two requirements:
1. You must achieve an average grade of at least 50% over all assessment items.
2. You must achieve an average mark of at least 45% on invigilated assessment items.

If you satisfy both these criteria, your grade will be determined by the following University-wide scale for converting marks to grades: an average mark of 50% is sufficient for a C- grade, an average mark of 55% earns a C grade, 60% earns a C+ grade and so forth. However, if you do not satisfy both the passing criteria you will be given either a D or E grade depending on marks. Marks are sometimes scaled to achieve consistency between courses from year to year.

Students may apply for special consideration if their performance in an assessment is affected by extenuating circumstances beyond their control. Applications for special consideration should be submitted via the Examinations Office website within five days of the assessment. Where an extension may be granted for an assessment, this will be decided by direct application to the Department and an application to the Examinations Office may not be required. Special consideration is not available for items worth less than 10% of the course.

Students prevented by extenuating circumstances from completing the course after the final date for withdrawing may apply for special consideration for late discontinuation of the course. Applications must be submitted to the Examinations Office within five days of the end of the main examination period for the semester.
Week 1: Software Security Architecture, Policy Implementation and Testing
Week 2: Penetration Testing and Intrusion Detection
Weeks 3-6: Introduction to the general topic of secure software as applied to application programs. This will include Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Injection Flaws (XML, JSON, numeric, string, command etc.)
Semester Break
Week 7: Identity and Access Management Software for Cloud Services
Week 8: Common Software Security Failures (Denial of Service attacks etc.)
Week 9: Enterprise Software Security
Week 10: Application Forensics
Week 11: Software Security in Wireless/Mobile and IoT Systems
Week 12: Recap and review
Domestic fee $1,033.00
International Postgraduate fees
* All fees are inclusive of NZ GST or any equivalent overseas tax, and do not include any programme level discount or additional course-related expenses.
For further information see Computer Science and Software Engineering.