CS456/556 Secure Software Development

Instructor information

Instructor:W. Michael Petullo
Office location:210 Wing Technology Center
Physical office hours:11:00 a.m–12:00 noon every weekday
Telephone:(608) 785-6817
Email:wpetullo@uwlax.edu

Catalog description

Traditionally, software engineering has viewed flaws as the inconsistency of software behavior with its functional requirements. Software security problems, however, can occur in software that contains no such flaws but is nonetheless susceptible to external attack. This course examines known reasons for software security vulnerabilities with an emphasis on best practices for their detection and mitigation, along with general principles for engineering software in ways that enhance security. This course is taught largely at an undergraduate level. Graduate students will have additional course requirements/expectations.

Prerequisites

CS340; junior standing

Time and location

Thursday and Friday at 9:25–10:50 a.m. in Centennial 2301

Student learning objectives

  • Understand the concepts of confidentiality, integrity, and availability in the context of software systems.

  • Understand how to violate input validation and representation assumptions to exploit a software system.

  • Describe the countermeasures and best practices that aim to avoid or mitigate input validation and representation errors.

  • Understand how you could exploit of code quality to violate a software system’s security.

  • Describe techniques that can lead to higher code quality.

  • Describe the security features commonly necessary in a software system to preserve security.

  • Understand how to craft software that makes use of common security features.

  • Describe the matters of time and state that arise in distributed systems, and describe their impact on security.

  • Understand how to maintain consistency across distributed computations.

  • Describe how API abuse, poor error handling, and violations of encapsulation can lead to security vulnerabilities.

Textbook

The third edition of Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson is not yet in print. Professor Anderson presently distributes digital copies of the book’s chapters for free.

Classroom standards

Please be prepared to take notes using a pen and paper, or use discipline while taking digital notes. Do not use the Internet for personal reasons during class.

Perform your assigned reading and other preparation before arriving for class. I will expect you to participate in class discussions, and I might call on you to contribute.

You are reminded of Board of Regents’ Student Academic Disciplinary Procedures concerning academic integrity. Cheating undermines the integrity of this university and shows disrespect towards the work of your classmates. Starting coursework early will help you to avoid the temptation of cheating. Plagiarism or cheating in any form may result in a failing grade, and might also warrant harsher disciplinary action. “Students are responsible for the honest completion and representation of their work, for the appropriate citation of sources, and for respect of others’ academic endeavors.”

On perseverance and the scientific method

You will inevitably encounter problems while trying to complete your coursework. Sometimes you will be led astray by the confusing interfaces that our software applications present, and other times you will simply make an error. When something goes wrong, try to fix the problem! Make small, incremental changes, and observe their effects. Most importantly, think about how systems work, and then consider why the error you are observing might have arisen. Occasionally you should stop what you are doing and start from scratch. Learning how to better troubleshoot should be a beneficial side effect of this course.

Graded events

EventPortion of grade
Homework33% (3% per assignment)
Exams37% (18½% per exam)
Instructor points5%
Final exam25%

Grade scale

Grades are assigned based on the following scale.

RangeGrade
93–100%A
89–92%AB
83–88%B
79–82%BC
70–78%C
60–69%D
0–59%F

Late policy

Assignments are due the moment class starts. Late assignments will lose points according to the table below.

TardinessPenalty
Up to 24 hours late15% reduction
24–48 hours late30% reduction
More than 48 hours lateNo credit

If some external circumstance might cause you to be late, then you must notify your instructor in writing and before the assignment deadline in order to be considered for an exception. The act of notification does not automatically grant you an exception.

COVID-19 health statement

Students with COVID-19 symptoms or reason to believe they were in contact with COVID-19 should call and consult with a health professional, such as the Student Health Center. Students who are ill or engaging in self-quarantine at the direction of a health professional should not attend class. Students in this situation will not be required to provide formal documentation and will not be penalized for absences. However, students should: 

  • notify the instructor in advance of the absence, and provide him with an estimate of how long the absence might last;
  • keep up with classwork, if able;
  • submit assignments electronically;
  • work with the instructor to either reschedule or remotely complete exams, labs, and other academic activities; and
  • consistently communicate their status to the instructor during the absence. 

Instructors have an obligation to provide reasonable accommodation for completing course requirements to students adversely effected by COVID-19. This policy relies on honor, honesty, and mutual respect between instructors and students. Students are expected to report the reason for absence truthfully and instructors are expected to trust the word of their students. University codes of conduct and rules for academic integrity apply to COVID-19 situations. Students may be advised by their instructor or academic advisor to consider a medical withdrawal depending on the course as well as the timing and severity of the illness. Students should work with the Office of Student Life if pursuing a medical withdrawal.