diff --git a/index.md b/index.md index bf24968..848d290 100644 --- a/index.md +++ b/index.md @@ -39,7 +39,8 @@ Content will be linked as we progress through the semester. This allows to me to * Reading: NIST 800-160 Appendix-F: Design Principles for Security (See Canvas) * Hands-on: In-class working session on Threat Modeling using Microsoft Threat Modeling Tool. 1. **Coding for Software Security Engineering** - * Knowledge base: [Common Weakness Enumeration](http://cwe.mitre.org/), [CAPEC](https://capec.mitre.org/), [CERT Secure Coding Guidelines](https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards) + * [Coding for SSE Lecture](https://robinagandhi.github.io/swa/slides/lecture-5/code-for-software-se.html) + Knowledge-bases: [Common Weakness Enumeration](http://cwe.mitre.org/), [CAPEC](https://capec.mitre.org/), [CERT Secure Coding Guidelines](https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards) * [DHS SWAMP](https://www.mir-swamp.org/) * Lecture: Code review tools and techniques 1. Hands-on: In-class working session for code review and automated tool analysis. diff --git a/pages/project.md b/pages/project.md index a77a1f2..af2c9fd 100644 --- a/pages/project.md +++ b/pages/project.md 
@@ -37,8 +37,8 @@ The project will have the following deliverables: * Link to your team GitHub repository that shows your internal project task assignments and collaborations to finish this task. 1. **Code analysis for Software Security Engineering**: A markdown report that describes the following: * Code review strategy - * Manual code review of critical security functions identified in misuse cases, assurance cases and threat models. - * Automated code scanning (if available). Include links to full reports. + * Findings from manual code review of critical security functions identified in misuse cases, assurance cases and threat models. + * Findings from automated code scanning (if available). Include links to full reports. * Summary of key findings from manual and/or automated scanning. This summary may include categorization, mappings to CWEs, CAPECs, Risk Levels, etc. * Links to any pull requests, issues, discussion, etc. from the team to the original project and any follow-up interactions. * Link to your team GitHub repository that shows your internal project task assignments and collaborations to finish this task. @@ -46,8 +46,8 @@ The project will have the following deliverables: * Project description * Gaps in security requirements and design of the original project * Assurance claims - * Findings from code review and automated software scanning - * Contributions to the original project (documentation, design changes, code changes, communications) + * Findings from manual code review and automated software scanning + * Any contributions to the original project (documentation, design changes, code changes, communications) ## Project Hall of Fame * [List of successful contributions to OSS projects from student teams](https://robinagandhi.github.io/swa/pages/halloffame.html) 
@@ -74,8 +74,8 @@ The project will have the following deliverables: 1. Requirements for Software Security Engineering – **September 28th, 2018.** 1. Assurance Cases Software Security Engineering – **October 12th, 2018.** 1. Designing for Software Security Engineering – **November 7th, 2018.** -1. Code analysis for Software Security Engineering – **November 21, 2018.** -1. Class presentations – **December 9, 2018.** +1. Code analysis for Software Security Engineering – **November 30, 2018.** +1. Class presentations – **December 5, 2018.** \* All dates are subject to change as the course progresses diff --git a/slides/lecture-5/include/code-for-software-se.md b/slides/lecture-5/include/code-for-software-se.md index f350234..b8c2ed5 100644 --- a/slides/lecture-5/include/code-for-software-se.md +++ b/slides/lecture-5/include/code-for-software-se.md @@ -192,7 +192,7 @@ class: middle # Common Attack Pattern Enumeration and Classification ## Enumerates .red[attack patterns] used in exploits -- Total of 550+ attack patterns +- Total of 500+ attack patterns - Abstractions: Meta, Standard, Detailed Patterns and Categories @@ -223,7 +223,7 @@ class: middle # [National Vulnerability Database](http://nvd.nist.gov) - Maintains a dictionary of CVEs - CVEs use Common Platform Enumeration (CPE) to identify affected products and packages. [Search Engine](https://nvd.nist.gov/vuln/search) -- Total CVEs: 80000+, ~15-20 added every day +- Total CVEs: [NVD Dashboard](https://nvd.nist.gov/general/nvd-dashboard) --- @@ -276,7 +276,7 @@ class: middle --- class: middle ## Training Surgeons -![GA](https://pbs.twimg.com/media/CtPPfC3XEAA_sdq.jpg) +![GA](https://www.closerweekly.com/wp-content/uploads/2017/10/greys-anatomy.jpg?crop=0px%2C0px%2C594px%2C334px&resize=800%2C450) --- class: middle 
@@ -328,7 +328,7 @@ class: middle --- class: middle # Putting the pieces together -![crash](https://qph.ec.quoracdn.net/main-qimg-08cc5472e55ff2becf09468b9ae6c650-c?convert_to_webp=true) +![crash](https://www.nydailynews.com/resizer/m96o09B1y-FdXEQIQB1mmglMCRs=/1400x0/arc-anglerfish-arc2-prod-tronc.s3.amazonaws.com/public/KSU66ZVVHLMTWRVTJQS7IHJ46A.jpg) --- class: middle @@ -368,8 +368,8 @@ class: middle ### What CWEs do the vulnerabilities in your project typically map to? Have you taken any hands-on training for them? -- -### Have you looked at the [semantic templates](http://faculty.ist.unomaha.edu/rgandhi/st) by being developed at UNO? -### Here are some [example vulnerabilities](http://faculty.ist.unomaha.edu/rgandhi/st/CVEsamples.zip), why don’t you fill-up the semantic templates to study them? +### Have you looked at the [semantic templates](https://robinagandhi.github.io/st) by being developed at UNO? +### Here are some [example vulnerabilities](https://robinagandhi.github.io/st/CVEsamples.zip), why don’t you fill-up the semantic templates to study them? ---
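Review bot: the new `Knowledge-bases:` line in the index.md hunk has lost its `*` list marker, so it will render as a run-on continuation of the `[Coding for SSE Lecture]` bullet rather than as its own item; restore it as `* Knowledge-bases: [Common Weakness Enumeration](http://cwe.mitre.org/), ...`. While the line is being touched, `http://cwe.mitre.org/` could move to https to match the CAPEC link, and it is worth checking that the CERT link on the old Confluence host (securecoding.cert.org) still resolves.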
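Review bot: the two rewritten deadlines in the project.md list drop the ordinal suffix (`November 30, 2018`, `December 5, 2018`) while the untouched entries keep it (`September 28th`, `October 12th`, `November 7th`); pick one form for the whole list. Also worth confirming the intent of the schedule change: the code-analysis deadline moves later (November 21 to November 30) while the presentations move earlier (December 9 to December 5), leaving five days between the last deliverable and the presentations.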
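Review bot: the CAPEC slide lowers the figure from `550+` to `500+` attack patterns, which reads as a regression for a catalogue that only grows; if the old number was simply wrong, consider replacing the hard-coded count with a link to the live CAPEC statistics, as the NVD hunk in the same file does with the dashboard, so the slide does not go stale again.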
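Review bot: `- Total CVEs: [NVD Dashboard](...)` correctly retires the stale `80000+, ~15-20 added every day` figure, but the bullet now reads as if the dashboard were the total; a phrasing such as `Total CVEs: see the [NVD Dashboard](https://nvd.nist.gov/general/nvd-dashboard)` keeps it grammatical. The heading link `http://nvd.nist.gov` in the surrounding context could also move to https in the same edit.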
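Review bot: the replacement image for the "Training Surgeons" slide hotlinks closerweekly.com with crop/resize query parameters, so it is exposed to the same link rot that broke the pbs.twimg.com URL this hunk removes; commit a copy of the image to the repository next to the slides (subject to its licence) and reference it by relative path.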
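Review bot: the new nydailynews.com URL for the "Putting the pieces together" slide goes through the site's image resizer with a signature-like token (`m96o09B1y-FdXEQIQB1mmglMCRs=`) embedded in the path, which is likely to expire or change and repeat the breakage of the quoracdn.net link it replaces; store the image in the repository and link it relatively, or at least use a stable URL.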
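Review bot: both rewritten lines at the end of the slides keep the grammatical slips `by being developed at UNO` (should be `being developed at UNO`) and `fill-up the semantic templates` (should be `fill out`); since the hunk already touches these lines for the URL move to robinagandhi.github.io, fix the wording in the same change. The move from http://faculty.ist.unomaha.edu to https is welcome; confirm that `CVEsamples.zip` is actually published at the new GitHub Pages location before merging.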