CIS 4615 - Secure Software Development and Assurance, Fall 2015

Overview

This page provides information on some of the resources available for students in CIS 4615. The page is organized as follows:

1. Course resources
2. General Security Resources
3. Secure implementation including:
   1. Requirements for security,
   2. Requirements specification techniques,
   3. Usability tradeoffs,
   4. Architecture
   5. System design for security,
   6. Cryptography, and
   7. Coding securely
4. Analysis tools and resources including:
   1. Static analysis, and
   2. Dynamic analysis (including testing).
5. Reverse engineering including:
   1. Reverse engineering tools,
   2. Attacks and exploits, and
   3. Malware.

Course Resources

Related to various Textbooks

• Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, San Francisco, 2012. ISBN-13: 978-1-59327-290-6.
• Matt Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2002.
• Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2010. ISBN: 978-0-07-162676-7.
• Chris Eagle. The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler. 2nd edition, No Starch Press, San Francisco, 2011. ISBN-13: 978-1593272890.

Related to the Course Materials

• Course home page.
• Meeting outlines directory, containing outline files for the "lectures".
• Old homeworks directory, containing old homework assignments from this and previous semesters. Current students should only use the assignments from Webcourses, as this directory is not necessarily up to date during the current semester.
• Lecture notes directory, containing strangely formatted notes for the "lectures". We recommend that students use the Meeting outlines (above) instead.
• The course documentation directory.

Return to top

General Security Resources

• Homeland Secruity's Cybersecurity page
• US-CERT
• CERT at the Software Engineering Institute
• Center for Internet Security
• SANS Information Security Resources
• Google Online Security Blog
• Cigital's Resources page
• Simply Secure

Return to top

Secure Implementation

Requirements for Security

Requirements Specification Techniques

• Making Security Mesurable.

Usability Tradeoffs

Architecture

System Design for Security

• From the UCF library, you can read the following book on UMLSec by following the link and clicking on the button "Read this book on SpringerLink". Jan Jürjens. Secure Systems Development with UML. Springer-Verlag, Berlin, 2005. http://www.springer.com/us/book/9783540007012.
• A tool that is the successor of UMLSec is Carisma, which works Eclipse

Cryptography

Coding Securely

• MITRE Common Vulnerabilities and Exposures (CVE) list.
• Common Weakness Enumeration (CWE), and the:
  • 2011 CWE/SANS Top 25 Most Dangerous Software Errors
  • Common Weakness Scoring System (CWSS).
  • Common Weakness Risk Analysis Framework (CWRAF).
• Open Web Security Project (OWASP). This site has several references, including a Secure Coding Cheat Sheet.
• CERT's secure coding page
• Microsoft Secure Coding Guidelines
• Apple Secure Coding Guide
• US CERT's Build Security In website
• (ISC)²'s Ten Best Practices for Secure Software Development
• Debian Linux's hardening page

Return to top

Analysis Tools and Resources

See the course's analysis tools page for information about various tools we will be using in class.

Static Analysis

• David Wheeler's Static Analysis tools page
• Klocwork's Static Analysis tools
• Winitor's pestudio
• HP's Application Security page
• HP's Fortify on Demand
• VirusTotal, a free service that can scan uploaded files.
• Jotti, a free service that can scan uploaded files.
• VirSCAN.org, a free service that can scan uploaded files.

Dynamic Analysis (including Testing)

• Valgrind dynamic analysis tool
• Cyber Observable Expression (CyboX).
• OWASP Security Testing Cheat Sheet
• OWASP's Testing Project and its Testing Guide

Return to top

Reverse Engineering

To set up a VM to safely look at malware, see the course's analysis tools page in the Dynamic Analysis Tools section.

• Contagio Malware Dump. See also this blog's links and resources for malware samples.
• US Army Research Lab on GitHub, including
• Computer Forensics, Cybercrime, and Steganography Resources
• NSA Codebreaker Challenge 2015 resources page
• Intel 64 and IA-32 Architecture Sofware Developer Manuals
• Intel 80x86 code table
• NASM, an assembler with the Intel syntax

Reverse engineering tools

• Malware Analysis Toolkit from Zeltser.com, using free tools.
• Explorer Suite from NTCore
• Microsoft SysInternals Tools
• How to Geek's tutorial to the Microsoft SysInternals Tools.

Attacks and exploits

• Common Attack Pattern Enumeration and Classification (CAPEC).
• Bugtraq mailing list, which describes vulnerabilities.
• OWASP's description of buffer overflow attacks
• Smashing the Stack, a description of the details of a static buffer overflow attack

Malware

• malwr.com, which has analyses of various malware
• Cuckoo Sandbox
• MAEC Language, a standardized language for describing malware.

Return to top

Last modified Tuesday, November 17, 2015.

This web page is for CIS 4615 at the University of Central Florida. The details of this course are subject to change as experience dictates. You will be informed of any changes. Please direct any comments or questions to Gary T. Leavens at leavens@eecs.ucf.edu. Some of the policies and web pages for this course are quoted or adapted from other courses I have taught, in particular, Com S 342 and COP4020.