Syllabus - Fall 2024
Course Description
- Assurance is a reasoned, auditable argument created to support claimed beliefs about an entity. Generally, the entity is so complex that it is not possible (i.e., time, technology, or resources are constrained) to examine every possible circumstance related to the claimed beliefs.
- This course is an intersection of knowledge areas necessary to perform activities relevant for promoting assurance through claims argued and supported with evidence from Software Security Engineering (SSE) activities. Software Assurance entails SSE.
- This course takes on a software development lifecycle perspective for the prevention of flaws. It is not just secure coding!
Class Format
- Asynchronous fully-online lectures, assignments, and exams
- Synchronous weekly team meetings at team-determined times. Instructor check-ins will be required before the submission of major assignments. Multiple time slots will be available to teams for flexibility in scheduling instructor check-ins.
Where does the course fit in the degree program?
Course Learning Objectives
- SA1. Students will be able to explain the basic concepts and principles of software assurance.
- SA2. Students will be able to evaluate arguments for assurance claims.
- SA3. Students will be able to generate security requirements for a given threat environment.
- SA4. Students will be able to create software designs and reorganize existing ones to minimize weaknesses.
- SA5. Students will be able to apply software assurance standards and tools to analyze code.
- SA6. Students will be able to examine, synthesize, discuss, and present evidence related to software assurance.
- SA7. Students will be able to give examples of activities that occur within a software assurance maturity framework.
- SA8. Students will be able to use modern software engineering tools for code management and collaboration.
Teaching methods
- A combination of readings, discussions and trying out methods learned.
- Team-based working sessions and check-ins with the instructor.
- Quiz for every module.
- Team-based assignments.
- Timed, open book exams with access to a network-connected computer. Exams are to be completed individually.
Resource Materials
Lecture slides, videos, readings, and supplemental materials will be organized using modules in Canvas.
Textbooks/References
Instead of a single textbook, I have identified a series of books available from the library as e-books. You will need to use NU VPN and authenticate with your user-id to access these books. Alternatively, you could use single sign-on using your @unomaha.edu email on the O’Reilly Books website.
- NIST SP 800-160 Vol. 1 Rev. 1, Engineering Trustworthy Secure Systems, National Institute of Standards and Technology.
- NIST SP 800-160 Vol. 2 Rev. 1, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, National Institute of Standards and Technology.
- AI-Assisted Programming: Better Planning, Coding, Testing, and Deployment, By Tom Taulli, O’Reilly Media Inc., April 2024
- Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, By Nancy R. Mead, Carol C. Woody
- Secure Coding Principles and Practice, By Mark G. Graff; Kenneth R. van Wyk (Commonsense and lightweight approach to software security engineering. Lots of war stories from the authors. While the book may appear dated, principles still remain relevant)
- System Assurance: Beyond Detecting Vulnerabilities, By Mansourov, Nikolai, and Djenana Campara (Standards-based definition and assessment of software weaknesses, creating an assurance argument)
- Software Security Engineering, By Julia H. Allen; Sean Barnum; Robert J. Ellison; Gary McGraw; Nancy R. Mead (Management focused)
- Enterprise Software Security, By Kenneth R. van Wyk; Mark G. Graff; Dan S. Peters; Diana L. Burley (How to ease into a software assurance mindset in an organization)
- Software Security: Building Security In, By Gary McGraw (Software security engineering with lifecycle touchpoints)
- Secure Programming with Static Analysis, By Brian Chess and Jacob West (Excellent book for understanding the ins and outs of static analysis)
- Secure Coding in C and C++, By Robert C. Seacord (Language specific guidance. Deep dive.)
- Design Patterns: Elements of Reusable Object-Oriented Software, By Erich Gamma, Richard Helm, Ralph Johnson, John Vlissides (Seminal book on design patterns. We will look at several of them for relevance to designing for SSE)
- Mastering Python Design Patterns - Second Edition, By Kamon Ayeva, Sakis Kasampalis (Noteworthy patterns in this book: Facade, Singleton, MVC, Observer, Command, Factory)
- The Browser Hacker’s Handbook, By Wade Alcorn; Christian Frichot; Michele Orru (This book will help you think about attacks if you are working with Web-apps)
- Hands-on Security in DevOps, By Tony Hsu (Integration of security into DevOps)
- Bug Bounty Hunting Essentials, By Shahmeer Amir, Carlos A. Lozano, 2018 (How White-hat hacking can be a full-time job)
Other Reference Books
- Problem Frames: Analyzing and Structuring Software Development Problems, By Michael Jackson, Addison-Wesley (A seminal work in Requirements Engineering)
Additional Resources
- Secure Programming for Linux and Unix HOWTO, David Wheeler
- Software Assurance in Education, Training and Certification, Pocketguide, Ed. Robin Gandhi. Was written in 2010 so some of the links and resources might be dated, but the discussion is just as relevant!
- SEI Book Series on Software Assurance (Good collection of relevant books on the topic)
Engagement
While course content can be passively consumed, active participation in various class activities is important for your learning success. Here are some dimensions of engagement:
- Behavioral engagement: attend and participate in class activities and discussions; follow class norms; study class materials and complete assignments on time.
- Cognitive engagement: desire a challenge; plan, monitor and evaluate one’s thinking and learning (reflection).
- Emotional engagement: comfortable talking to peers; engage in group learning where appropriate; ask questions about course material; interested, inquisitive and curious about academic content.
Policy on Plagiarism
It is a violation of the academic integrity policy to misrepresent work that you submit or exchange with your instructor by characterizing it as your own. Submitting responses to assignments that do not acknowledge the use of entities like generative AI tools, another person’s work or your own work in another course without proper acknowledgment of the source will be considered plagiarism.
You will have the opportunity to defend yourself if you are suspected of submitting a plagiarized assignment. Cheating, fabrication and falsification, plagiarism or complicity in academic dishonesty will not be tolerated in this class. Copying text from public sources (websites, blogs, and books) or having someone else write for you (including Generative AI) will be considered plagiarism if such sentences are not adequately acknowledged or referenced. Please feel free to contact me with any questions about using generative AI tools before submitting any content that has been substantially informed by these tools. Students shall give credit to AI tools whenever used, even if only to generate ideas rather than usable text, diagrams or illustrations.
A full listing of violations of the academic integrity policy can be found here: http://www.unomaha.edu/student-life/student-conduct-and-community-standards/policies/academic-integrity.php
Any incidents of academic dishonesty will be handled according to the UNO academic integrity procedures. Make yourself familiar with writing techniques such that you can cite external sources or summarize them without plagiarizing. Here are some resources to get you started:
- Guidance for Quoting, Paraphrasing and Summarizing: https://owl.purdue.edu/owl/research_and_citation/using_research/quoting_paraphrasing_and_summarizing/index.html
- How to cite ChatGPT: https://apastyle.apa.org/blog/how-to-cite-chatgpt
Many of your class deliverables will be on Github in a public repository. As a result, you must be extra careful to avoid plagiarism through responsible and ethical practices.
Exams
There will be a mid-term and a final exam. The exams will consist of essay-type questions which may require design and modeling activities. These exams will allow full access to technology and are intended to help focus on the essential parts of the course material, reinforce learning, and provide timely feedback. The exam questions will typically have multiple parts; be sure you answer all the parts.
Team Working Sessions
Synchronous working sessions for teams will correspond to the stages of the software development lifecycle. The objective of these sessions is to gain hands-on experience with various techniques and tools for software assurance and apply them to understand the engineering activities necessary for building security in. Details about these sessions will follow as we go further into the semester.
Team-based Semester Project
We will examine this aspect of the course in more detail on the Team Project Page.
Grading
20% Mid-term
20% Final exam (Comprehensive)
20% Quizzes, Discussions, and Class participation
40% Team-based Semester Project Deliverables
Course Schedule
On Canvas I have a weekly schedule for the course that will help you plan ahead.
Due to the current and advanced nature of this class, it is under constant revision! Expect shuffling of course topics as we progress through the semester. Constructive feedback on the content is highly encouraged. Fork it on Github!
Supplies
- To support class activities and access course materials, a laptop or desktop computer with a webcam and mic is required.
- A notebook and pencil. It helps to first scribble your ideas on paper and then transfer them into an electronic medium for sharing. We will be doing a lot of drawing!
Important Dates
Emails
All email sent to me regarding the class must have the class descriptor and your name in the subject field, e.g. (8420 - TOPIC). We will be using Canvas for all course assignment submissions and exams.