Software Security is a free online course conducted by the University of Maryland. It is a part of the Cybersecurity Specialization.
About the course
The Software Security course explores the foundations of software security. It examines important software vulnerabilities and the attacks that exploit them, such as buffer overflows, SQL injection, and session hijacking, together with the defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, the course takes a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.
The course is broken into the following 6 units:
- Low-level, memory-based attacks, including stack smashing, format string attacks, stale memory access attacks (use of memory after it has been freed), and return-oriented programming (ROP)
- Defenses against memory-based attacks, including stack canaries, non-executable data (aka W^X or DEP), address space layout randomization (ASLR), memory-safety enforcement (e.g., SoftBound), and control-flow integrity (CFI)
- Web security, covering attacks like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking, and defenses that have in common the idea of input validation
- Secure design, covering ideas like threat modeling and security design principles, including organizing ideas like favor simplicity, trust with reluctance, and defend in depth; we present real-world examples of good and bad designs
- Automated code review with static analysis and symbolic execution, presenting foundations and tradeoffs and using static taint analysis and whitebox fuzz testing as detailed examples
- Penetration testing, presenting an overview of goals, techniques, and tools of the trade
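As an added illustration of the web security unit's theme (it is not course material), the following Python example contrasts a login query built by string concatenation with the same query using bound parameters, and shows the allow-list input validation the unit describes as the common thread of the defenses. The users table and the `' OR '1'='1` payload are constructed for the demonstration; the `login_vulnerable`, `login_parameterized` and `validate_username` names are this example's own.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the course.
USERS = [("alice", "wonderland"), ("bob", "builder"), ("carol", "s3cret")]

# Allow-list for account names: letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL text from user input, so quotes in the input become SQL.

    With password = "' OR '1'='1" the WHERE clause becomes
    name = 'x' AND password = '' OR '1'='1', which matches every row.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Sends fixed SQL text and binds the input as data; it is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def validate_username(name):
    """Allow-list validation: reject anything outside the expected character set."""
    return USERNAME_RE.match(name) is not None


def demo():
    """Run the honest and injected logins against both query styles."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "wonderland"),
        "injected_vulnerable": login_vulnerable(conn, "nobody", injected),
        "honest_parameterized": login_parameterized(conn, "alice", "wonderland"),
        "injected_parameterized": login_parameterized(conn, "nobody", injected),
        "payload_passes_validation": validate_username(injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding is the primary defense because it removes the parsing ambiguity entirely; the allow-list check is defense in depth that also rejects the payload before it reaches the database.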
Recommended background: third-year undergraduate standing in computer science.
The class consists of lecture videos, each between 8 and 12 minutes long. These typically contain one or two integrated quiz questions per video to check understanding. There are also standalone quizzes (one per week) that are not part of the video lectures, and three hands-on projects.
Course dates: February 23, 2015 - April 4, 2015