module15-security (#47)

* module15-security

* Update slides

* fixed animations on slide 32 and 28

* nits

---------

Co-authored-by: Jonathan Bell <[email protected]>

_data/modules.yml

@@ -51,7 +51,7 @@
   name: Midterm
 9b:
   name: Security
-  page: 
+  page: /modules/15-security
 10a:
   name: Work on project
 10b:

lectures/l15.md

@@ -0,0 +1,39 @@
+---
+layout: module
+title: "15 - Security"
+permalink: /modules/15-security
+parent: Modules
+nav_order: 15 
+lessons: #I know that it seems a bit annoying to have to put each lesson in the yaml header like this...
+  #But, the benefit is that if you do it like this, the site
+  #will automatically add the lecture on Canvas, including
+  #links to the ppt, pdf, and tutorials as appropriate!
+  - title: Software Engineering + Security
+    pdf: "Module 15 Security.pdf"
+    ppt: "Module 15 Security.pptx"
+---
+
+### Learning Objectives:
+By the end of this module, you should be able to:
+* Define key terms relating to software/system security
+* Describe some of the tradeoffs between security and other requirements in software engineering
+* Explain 5 common vulnerabilities in web applications and similar software systems, and describe some common mitigations for each of them.
+* Explain why software alone isn’t enough to assure security
+
+{% include lesson.html %}
+
+### Resources:
+
+* ["OWASP Top 10 Web Security Risks"](https://owasp.org/www-project-top-ten/)
+* [Try the XSS example on the transcript server](https://rest-example.covey.town/transcripts/%3Ch1%3ECongratulations%21%3C%2Fh1%3E%20You%20are%20the%201000th%20visitor%20to%20the%20transcript%20site%21%20You%20have%20been%20selected%20to%20receive%20a%20free%20iPad.%20To%20claim%20your%20prize%20%3Ca%20href%3D%27https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DDLzxrzFCyOs%27%3Eclick%20here%21%3C%2Fa%3E%3Cscript%20language%3D%22javascript%22%3Edocument.getRootNode%28%29.body.innerHTML%3D%27%3Ch1%3ECongratulations%21%3C%2Fh1%3EYou%20are%20the%201000th%20visitor%20to%20the%20transcript%20site%21%20You%20have%20been%20selected%20to%20receive%20a%20free%20iPad.%20To%20claim%20your%20prize%20%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DDLzxrzFCyOs%22%3Eclick%20here%21%3C%2Fa%3E%27%3Balert%28%27You%20are%20a%20winner%21%27%29%3B%3C%2Fscript%3E) (Try it in Edge!) This link might be annoying, but is not malicious.
+* [A good video on public and private keys](https://www.youtube.com/watch?v=_zyKvPvh808)
+* [Report on the eslint 2018 Attack](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/)
+* ["Reflections on Trusting Trust" (1984)](https://dl.acm.org/doi/pdf/10.1145/358198.358210)
+* ["Running the “Reflections on Trusting Trust” Compiler" (2023)](https://research.swtch.com/nih)
+* ["What are Weak Links in the npm Supply Chain?"](https://arxiv.org/abs/2112.10165)
+* ["Why secret detection tools are not enough: It’s not just about false positives - An industrial case study"](https://link.springer.com/article/10.1007/s10664-021-10109-y)
+* ["A comparative study of vulnerability reporting by software composition analysis tools"](https://dl.acm.org/doi/10.1145/3475716.3475769)
+* ["Practical Automated Detection of Malicious npm Packages"](https://arxiv.org/abs/2202.13953)
+* [Podcast on SolarWinds attack](https://www.theverge.com/2021/1/26/22248631/solarwinds-hack-cybersecurity-us-menn-decoder-podcast)
+* Security awareness/training activity: [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/), [online demo](https://juice-shop.herokuapp.com/#/)
+