Class Topics*

Content will be linked as we progress through the semester. This allows to me to update/create/re-design content throughout the semester.

1. The Demand for Software Assurance
   • Competencies and Sample Job Descriptions: 1, 2, 3
2. What is Software Assurance?
   • Reading: Why hackers know more about our systems?
3. Collaborating when working on Software
   • Self-paced module: Get familiar with version control.
4. Engineering For Assurance
   • Systems Security Engineering. Based on Chapter 2 from NIST SP 800-160v1r1.
5. Engaging with Open Source Projects, by Matt Germonprez
6. Requirements for Software Security Engineering
   • The Meaning of Requirements for Software Security Engineering
   • Elicitation - Misuse Cases
   • Assignment: Misuse Case Exercise (Team Deliverable)
   • Reading: Chapter 8, Software Security: Building Security In
   • Reading: Misuse Cases
   • Additional Reference: Translating compliance constraints to requirements. Page 262, NIST 800-160 public draft 2, Appendix-J. This work is not available in the current revision, so we have to access it in prior versions of the document.
   • Hands-on: Working session on Misuse Cases
7. Assurance Cases for Software Security Engineering
   • Trustworthiness context: Assurance cases
   • Assignment: Assurance Case Exercise (Team Deliverable)
   • Reference: ISO Standard for Assurance cases.
   • Reference: OMG Structured Assurance Case Metamodel
   • Reference: Formal diagramming in Adelard ASCE
8. Maturity Models for Software Security Engineering
   • Build Security In Maturity Model (BSIMM)
9. Midterm Exam
10. Design for Software Security Engineering
    • Lecture: Threat Modeling
    • Hands-on: Working session on Threat Modeling using Microsoft Threat Modeling Tool.
      
    • Reading: NIST 800-160v1r1, Page 82, Appendix E. Principles for Trustworthy Secure Design
11. Coding for Software Security Engineering
    • Lecture: Coding for SSE Lecture
    • Knowledge-bases: Common Weakness Enumeration, CAPEC, CERT Secure Coding Guidelines
    • Tools: Security as Code in DevSecOps, eg. CodeQL, SpotBugs, SonarQube, SonarCloud, Visual Code Grepper, AFL security-oriented fuzzer, Clang Static Analyzer, Flawfinder, CWE compatible tools, Tools curated by NIST, Bytecode scanners, binary scanners and language specific guidance. We will also explore the use of Large Language Models based Chatbots for code analysis. They are quite good at explaining code snippets and spotting potential software weaknesses.
    • Lecture: Code review tools and techniques
    • Hands-on: Working session for code review and automated tool analysis.
12. Testing for Software Security Engineering
13. Project Presentations
14. Final Exam
15. Other topics
    • Guest talks from other faculty or practitioners.
    • Quizzes at several checkpoints in the course.

* These topics will get refined and updated as the semester progresses