diff --git a/Slides/Module 15 Security.pdf b/Slides/Module 15 Security.pdf new file mode 100644 index 0000000..18ed4d8 Binary files /dev/null and b/Slides/Module 15 Security.pdf differ diff --git a/Slides/Module 15 Security.pptx b/Slides/Module 15 Security.pptx new file mode 100644 index 0000000..87e15ed Binary files /dev/null and b/Slides/Module 15 Security.pptx differ diff --git a/_data/modules.yml b/_data/modules.yml index 658f0a5..0326334 100644 --- a/_data/modules.yml +++ b/_data/modules.yml @@ -51,7 +51,7 @@ name: Midterm 9b: name: Security - page: + page: /modules/15-security 10a: name: Work on project 10b: diff --git a/lectures/l15.md b/lectures/l15.md new file mode 100644 index 0000000..3cf64f4 --- /dev/null +++ b/lectures/l15.md 
@@ -0,0 +1,39 @@ +--- +layout: module +title: "15 - Security" +permalink: /modules/15-security +parent: Modules +nav_order: 15 +lessons: #I know that it seems a bit annoying to have to put each lesson in the yaml header like this... + #But, the benefit is that if you do it like this, the site + #will automatically add the lecture on Canvas, including + #links to the ppt, pdf, and tutorials as appropriate! + - title: Software Engineering + Security + pdf: "Module 15 Security.pdf" + ppt: "Module 15 Security.pptx" +--- + +### Learning Objectives: +By the end of this module, you should be able to: +* Define key terms relating to software/system security +* Describe some of the tradeoffs between security and other requirements in software engineering +* Explain 5 common vulnerabilities in web applications and similar software systems, and describe some common mitigations for each of them. +* Explain why software alone isn’t enough to assure security + +{% include lesson.html %} + +### Resources: + +* ["OWASP Top 10 Web Security Risks"](https://owasp.org/www-project-top-ten/) +* [Try the XSS example on the transcript server](https://rest-example.covey.town/transcripts/%3Ch1%3ECongratulations%21%3C%2Fh1%3E%20You%20are%20the%201000th%20visitor%20to%20the%20transcript%20site%21%20You%20have%20been%20selected%20to%20receive%20a%20free%20iPad.%20To%20claim%20your%20prize%20%3Ca%20href%3D%27https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DDLzxrzFCyOs%27%3Eclick%20here%21%3C%2Fa%3E%3Cscript%20language%3D%22javascript%22%3Edocument.getRootNode%28%29.body.innerHTML%3D%27%3Ch1%3ECongratulations%21%3C%2Fh1%3EYou%20are%20the%201000th%20visitor%20to%20the%20transcript%20site%21%20You%20have%20been%20selected%20to%20receive%20a%20free%20iPad.%20To%20claim%20your%20prize%20%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DDLzxrzFCyOs%22%3Eclick%20here%21%3C%2Fa%3E%27%3Balert%28%27You%20are%20a%20winner%21%27%29%3B%3C%2Fscript%3E) (Try it in Edge!) 
This link might be annoying, but is not malicious. +* [A good video on public and private keys](https://www.youtube.com/watch?v=_zyKvPvh808) +* [Report on the eslint 2018 Attack](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes/) +* ["Reflections on Trusting Trust" (1984)](https://dl.acm.org/doi/pdf/10.1145/358198.358210) +* ["Running the “Reflections on Trusting Trust” Compiler" (2023)](https://research.swtch.com/nih) +* ["What are Weak Links in the npm Supply Chain?"](https://arxiv.org/abs/2112.10165) +* ["Why secret detection tools are not enough: It’s not just about false positives - An industrial case study"](https://link.springer.com/article/10.1007/s10664-021-10109-y) +* ["A comparative study of vulnerability reporting by software composition analysis tools"](https://dl.acm.org/doi/10.1145/3475716.3475769) +* ["Practical Automated Detection of Malicious npm Packages"](https://arxiv.org/abs/2202.13953) +* [Podcast on SolarWinds attack](https://www.theverge.com/2021/1/26/22248631/solarwinds-hack-cybersecurity-us-menn-decoder-podcast) +* Security awareness/training activity: [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/), [online demo](https://juice-shop.herokuapp.com/#/) +
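Review bot: in the `_data/modules.yml` hunk, the new `page: /modules/15-security` value is hand-maintained and has to agree exactly with the `permalink` set in the front matter of `lectures/l15.md` (it does in this commit), but nothing checks the two against each other, so a later rename of either one would leave the module table pointing at a missing page; consider deriving the module link from the lecture's front matter or adding a build-time check that every `page:` entry resolves.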
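Review bot: in the `lectures/l15.md` hunk, the "Try the XSS example on the transcript server" resource embeds a live reflected-XSS payload and then only says "This link might be annoying, but is not malicious" and "(Try it in Edge!)"; the bullet should state what students will see when they click (the transcript page's body is replaced via `innerHTML` with a fake prize notice and a link, followed by an `alert`), say that the transcript server is a deliberately vulnerable teaching instance whose endpoint echoes the URL path unescaped, and explain why the browser choice matters, so that the demo reads as a worked example of missing output encoding rather than an unexplained link. Also, the `+* [A good video on public and private keys]` entry and the Trusting Trust / npm supply-chain papers are not mentioned in the learning objectives above them; a one-line note per resource on which objective it supports would help students choose.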