Code lecture update
robinagandhi committed Nov 14, 2018
1 parent 2d1bdc1 commit 1c723f3
Showing 3 changed files with 14 additions and 13 deletions.
3 changes: 2 additions & 1 deletion index.md
Expand Up @@ -39,7 +39,8 @@ Content will be linked as we progress through the semester. This allows to me to
* Reading: NIST 800-160 Appendix-F: Design Principles for Security (See Canvas)
* Hands-on: In-class working session on Threat Modeling using Microsoft Threat Modeling Tool.
1. **Coding for Software Security Engineering**
* Knowledge base: [Common Weakness Enumeration](http://cwe.mitre.org/), [CAPEC](https://capec.mitre.org/), [CERT Secure Coding Guidelines](https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards)
* [Coding for SSE Lecture](https://robinagandhi.github.io/swa/slides/lecture-5/code-for-software-se.html)
Knowledge-bases: [Common Weakness Enumeration](http://cwe.mitre.org/), [CAPEC](https://capec.mitre.org/), [CERT Secure Coding Guidelines](https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards)
* [DHS SWAMP](https://www.mir-swamp.org/)
* Lecture: Code review tools and techniques
1. Hands-on: In-class working session for code review and automated tool analysis.
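Review bot: the added line `Knowledge-bases: [Common Weakness Enumeration]...` has no `*` list marker, so in the rendered list it will run on as a lazy continuation of the preceding `[Coding for SSE Lecture]` item instead of appearing as its own bullet; restore the marker (`* Knowledge-bases: ...`) or indent it as a sub-bullet under the lecture link. The spelling also changes from `Knowledge base` in the removed line to `Knowledge-bases`; pick one form.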
12 changes: 6 additions & 6 deletions pages/project.md
Expand Up @@ -37,17 +37,17 @@ The project will have the following deliverables:
* Link to your team GitHub repository that shows your internal project task assignments and collaborations to finish this task.
1. **Code analysis for Software Security Engineering**: A markdown report that describes the following:
* Code review strategy
* Manual code review of critical security functions identified in misuse cases, assurance cases and threat models.
* Automated code scanning (if available). Include links to full reports.
* Findings from manual code review of critical security functions identified in misuse cases, assurance cases and threat models.
* Findings from automated code scanning (if available). Include links to full reports.
* Summary of key findings from manual and/or automated scanning. This summary may include categorization, mappings to CWEs, CAPECs, Risk Levels, etc.
* Links to any pull requests, issues, discussion, etc. from the team to the original project and any follow-up interactions.
* Link to your team GitHub repository that shows your internal project task assignments and collaborations to finish this task.
1. **Class Presentation**: 10-minute class presentation that highlights the following:
* Project description
* Gaps in security requirements and design of the original project
* Assurance claims
* Findings from code review and automated software scanning
* Contributions to the original project (documentation, design changes, code changes, communications)
* Findings from manual code review and automated software scanning
* Any contributions to the original project (documentation, design changes, code changes, communications)

## Project Hall of Fame
* [List of successful contributions to OSS projects from student teams](https://robinagandhi.github.io/swa/pages/halloffame.html)
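Review bot: the automated tooling is now named differently in the two deliverables: the code-analysis report bullets say `automated code scanning` while the new presentation bullet says `automated software scanning`; use one term so students can match the report section to the presentation slide. The bullet `Summary of key findings from manual and/or automated scanning` also reads as if manual review were a scan; `manual review and/or automated scanning` would be clearer.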
Expand All @@ -74,8 +74,8 @@ The project will have the following deliverables:
1. Requirements for Software Security Engineering – **September 28th, 2018.**
1. Assurance Cases Software Security Engineering – **October 12th, 2018.**
1. Designing for Software Security Engineering – **November 7th, 2018.**
1. Code analysis for Software Security Engineering – **November 21, 2018.**
1. Class presentations – **December 9, 2018.**
1. Code analysis for Software Security Engineering – **November 30, 2018.**
1. Class presentations – **December 5, 2018.**

\* All dates are subject to change as the course progresses
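Review bot: the two rewritten dates drop the ordinal suffix that the unchanged items keep (`September 28th`, `October 12th`, `November 7th` versus `November 30` and `December 5`); align the format across the list. In the same context, `Assurance Cases Software Security Engineering` is missing the `for` that every other item has.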

12 changes: 6 additions & 6 deletions slides/lecture-5/include/code-for-software-se.md
Expand Up @@ -192,7 +192,7 @@ class: middle
# Common Attack Pattern Enumeration and Classification

## Enumerates .red[attack patterns] used in exploits
- Total of 550+ attack patterns
- Total of 500+ attack patterns
- Abstractions:
Meta, Standard, Detailed Patterns and Categories
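Review bot: `Total of 500+ attack patterns` replaces one hard-coded count with another that will go stale just as the first did; link to the CAPEC site for the current figure, the same approach this commit takes for the NVD count in a later hunk of this slide deck, or add an "as of" date next to the number.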

Expand Down Expand Up @@ -223,7 +223,7 @@ class: middle
# [National Vulnerability Database](http://nvd.nist.gov)
- Maintains a dictionary of CVEs
- CVEs use Common Platform Enumeration (CPE) to identify affected products and packages. [Search Engine](https://nvd.nist.gov/vuln/search)
- Total CVEs: 80000+, ~15-20 added every day
- Total CVEs: [NVD Dashboard](https://nvd.nist.gov/general/nvd-dashboard)

---
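Review bot: replacing the stale count with the dashboard link is the right fix, but the bullet now reads `Total CVEs:` followed by a bare link, a label without a value; `Total CVEs: see the [NVD Dashboard](...)` would read naturally on the slide.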

Expand Down Expand Up @@ -276,7 +276,7 @@ class: middle
---
class: middle
## Training Surgeons
![GA](https://pbs.twimg.com/media/CtPPfC3XEAA_sdq.jpg)
![GA](https://www.closerweekly.com/wp-content/uploads/2017/10/greys-anatomy.jpg?crop=0px%2C0px%2C594px%2C334px&resize=800%2C450)

---
class: middle
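Review bot: the new image is hot-linked from a third-party news site, with crop and resize query parameters baked into the URL, so the slide will break as soon as that CDN path changes or the site blocks cross-origin requests; copy the image into the repository (respecting its licence) or choose an openly licensed one, and replace the alt text `GA` with something descriptive.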
Expand Down Expand Up @@ -328,7 +328,7 @@ class: middle
---
class: middle
# Putting the pieces together
![crash](https://qph.ec.quoracdn.net/main-qimg-08cc5472e55ff2becf09468b9ae6c650-c?convert_to_webp=true)
![crash](https://www.nydailynews.com/resizer/m96o09B1y-FdXEQIQB1mmglMCRs=/1400x0/arc-anglerfish-arc2-prod-tronc.s3.amazonaws.com/public/KSU66ZVVHLMTWRVTJQS7IHJ46A.jpg)

---
class: middle
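Review bot: the replacement URL is a resizer path on a news CDN (`/resizer/<token>=/1400x0/...`) whose leading segment looks like a signature tied to that publisher's configuration; such links are the first to rot, so the same local-copy advice applies here, and the alt text `crash` should say what the picture shows.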
Expand Down Expand Up @@ -368,8 +368,8 @@ class: middle
### What CWEs do the vulnerabilities in your project typically map to? Have you taken any hands-on training for them?

--
### Have you looked at the [semantic templates](http://faculty.ist.unomaha.edu/rgandhi/st) by being developed at UNO?
### Here are some [example vulnerabilities](http://faculty.ist.unomaha.edu/rgandhi/st/CVEsamples.zip), why don’t you fill-up the semantic templates to study them?
### Have you looked at the [semantic templates](https://robinagandhi.github.io/st) by being developed at UNO?
### Here are some [example vulnerabilities](https://robinagandhi.github.io/st/CVEsamples.zip), why don’t you fill-up the semantic templates to study them?

---
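Review bot: the URL update carries over two wording problems from the removed lines: `by being developed at UNO` should read `being developed at UNO`, and `fill-up the semantic templates` should be `fill in the semantic templates`. Since the links now point at `https://robinagandhi.github.io/st` and `.../st/CVEsamples.zip`, verify that the `.zip` is actually published at the new host before the old faculty URL goes away.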


0 comments on commit 1c723f3