Our scheduled meeting times are Mondays and Wednesdays from 4:50-6:05pm in ST254.

Lecture Date Topic Presentations
1 01/09/06 The Need for Secure Systems
  1. Writing Secure Code, 2nd ed, Chapter 1 (Howard 2003) (available via NetLibrary@NKU)
  2. Exploiting Software: How to Break Code, Chapter 1 (McGraw 2004) (available via Safari)
Need for Secure Systems (Charles Frank)
2 01/11/06 Reading and Presenting
  1. Efficient Reading of Papers in Science and Technology (McNamee 2000)
  2. The Task of the Referee (Smith 1990)
  3. How to Give a Research Talk (Peyton-Jones 2004)
  1. Reading a Paper (James Walden)
  2. Craft of Presentations (Charles Frank)
3 01/18/06 Why Information Security is Hard
  1. Why Cryptosystems Fail (Anderson 1993)
  2. Why Information Security is Hard--An Economic Perspective (Anderson 2001)
  1. Why Cryptosystems Fail (Geoffrey Foote)
  2. Economics Of Security (Everett Bruce)
4 01/23/06 Threats and Vulnerabilities
  1. A Failure to Learn from the Past (Spafford 2003)
  2. Attacks and Countermeasures (Dwaikat 2005)
  3. SANS Top 20 Vulnerabilities (SANS 2005)
  1. A Failure to Learn from the Past (Chad Frommeyer)
  2. Attacks and Countermeasures (Daniel Frohlich)
5 01/25/06 Trust and Vulnerability
  1. Reflections on Trusting Trust (Thompson 1984)
  2. Countering Trusting Trust through Diverse Double-Compiling (Wheeler 2005)
  1. Trusting Trust (Jairan Hejazifar)
  2. Countering Trusting Trust (Daniel Frohlich)
6 01/30/06 Secure Development Lifecycle
The Trustworthy Computing Secure Development Lifecycle (Lipner 2005)
Secure Development Lifecycle (James Walden)
7 02/01/06 Risk Management
  1. Risk Analysis in Software Design (McGraw 2004)
  2. Security Risk Management Guide (Dillard 2004)
  1. Risk Analysis (Joe Combs)
  2. Security Risk Management (Liping Cai)
8 02/06/06 Attack Trees and Patterns
  1. Attack Trees (Schneier 1999)
  2. Exploiting Software: How to Break Code, Chapter 2 (McGraw 2004) (available via Safari)
  1. Attack Trees (Yin Shi)
  2. Attack Patterns (Geoffrey Foote)
9 02/08/06 Attack Modeling
Attack Modeling for Information Security and Survivability (Moore 2001)
Attack Modeling (Chad Frommeyer)
10 02/13/06 Security Requirements
  1. Misuse Cases: Use Cases with Hostile Intent (Alexander 2003)
  2. Users are not the Enemy (Adams 1999)
  1. Misuse Cases (Rajib)
  2. Users (Jairan Hejazifar)
11 02/15/06 Security Requirements
  1. Developing Secure Systems with UMLsec (Jürjens 2001)
  2. Information Security Antipatterns in Software Requirements Engineering (Kis 2002)
  1. UMLsec (Joe Combs)
  2. AntiPatterns (Liping Cai)
12 02/20/06 Threat Modeling
  1. Writing Secure Code, 2nd ed, Chapter 4 (Howard 2003) (available via NetLibrary@NKU)
  2. Trike v.1 Methodology Document (Saitta 2005)
Threat Modeling (James Walden)
13 02/22/06 Attack Surface
  1. Measuring Relative Attack Surfaces (Howard 2003)
  2. Measuring a System's Attack Surface (Manadhata 2004)
  1. Measuring Relative Surfaces (Everett Bruce)
  2. Measuring Attack Surface (Yin Shi)
14 02/27/06 Secure Design Principles
  1. Writing Secure Code, 2nd ed, Chapter 3 (Howard 2003) (available via NetLibrary@NKU)
  2. Design for Usability, Security and Usability, Chapter 3 (Tognazzini 2005)
  1. Secure Design Principles (Rajib)
  2. Security and Usability (Charles Frank)
15 03/01/06 Secure Design Principles
  1. The Protection of Information in Computer Systems (Saltzer 1975)
  2. The Security of Open versus Closed Systems (Anderson 2003)
  1. Saltzer (Everett Bruce)
  2. OpenVsClosed (Chad Frommeyer)
16 03/13/06 Secure Design Patterns
  1. Security Patterns Template and Tutorial (Kienzle 2002)
  2. The Security Architecture of qmail and Postfix (Hafiz 2004)
  1. PatternTutorial (Daniel Frohlich)
  2. QmailPostfix (Geoffrey Foote)
17 03/15/06 Secure Design Patterns
  1. Security Engineering with Patterns (Schumacher 2001)
  2. A Pattern Language for Security Models (Fernandez 2001)
  1. PatternEngineering (Joe Combs)
  2. PatternLanguage (Liping Cai)
18 03/20/06 The Role of Empirical Study in Software Engineering (Victor R. Basili 2006)
at University of Kentucky: W.T. Young Library Auditorium
 
19 03/22/06 Case Studies
  1. Preventing Privilege Escalation (Provos 2003)
  2. Usability and privacy: a study of Kazaa P2P file-sharing (Good 2003)
  1. Openssh (Chad Frommeyer)
  2. Kazaa Privacy (Jairan Hejazifar)
20 03/27/06 Implementation Flaws
  1. Smashing the Stack for Fun and Profit (Aleph1 1996)
  2. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade (Cowan 2000)
  1. StackSmashing (Daniel Frohlich)
  2. BufferOverflows (Charles Frank)
21 03/29/06 Implementation Flaws
  1. SQL Injection (SPI 2002)
  2. OWASP Guide, Data Validation chapter (OWASP 2006)
  1. SQLInjection (Joe Combs)
  2. DataValidation (Yin Shi)
22 04/03/06 Language-based Security
  1. Java Security: From HotJava to Netscape and Beyond (Dean 1996)
  2. High Integrity Ada in a UML and C World (Amey 2004)
  1. Java Security (Rajib)
  2. High Integrity Ada (Liping Cai)
23 04/05/06 Language-based Security
  1. Cyclone: A Safe Dialect of C (Jim 2002)
  2. Comparing Java and .NET Security: Lessons Learned and Missed (Paul 2005)
  1. Cyclone (Jairan Hejazifar)
  2. DataValidation (Dan Frohlich)
24 04/10/06 Static Analysis
  1. Static Analysis for Security (Chess 2004)
  2. Code Scanning Tools Don't Make Software Secure (Howard 2006)
Mike Kass (Guest Speaker from NIST)
25 04/12/06 Static and Dynamic Analysis
  1. Improving Security Using Extensible Lightweight Static Analysis (Evans 2002)
  2. Purify: Fast Detection of Memory Leaks and Access Errors (Hastings 1992)
  1. Static Analysis (Joe Combs)
  2. Purify (Jairan Hejazifar)
26 04/17/06 Cryptography and Authentication
  1. Programming Satan's Computer (Anderson)
  2. Securing Passwords Against Dictionary Attacks (Pinkas 2002)
  1. Satan's Computer (Everett Bruce)
  2. Passwords (Chad Frommeyer)
27 04/19/06 Case Studies
  1. Security in Software Architecture: A Case Study (Sachitano 2004)
  2. Why Johnny Can't Encrypt (Whitten 1999)
  1. Cyclone (Jairan Hejazifar)
  2. Johnny (Yin Shi)
28 04/24/06 Testing
  1. An Empirical Study of the Reliability of UNIX Utilities (Miller 1990)
  2. Software Penetration Testing (Arkin 2005)
  1. Fuzz Testing (Liping Cai)
  2. Pen Testing (Rajib)
29 04/26/06 Testing
  1. Security Testing Demystified (Mohanty 2006)
  2. Building Bug-free O-O Software: An Introduction to Design by Contract (Eiffel 2004)
  1. Security Architecture (Geoffrey Foote)
  2. Design by Contract (Bert Bruce)
30 05/01/06 Formal Methods
  1. Is Proof more Cost Effective than Testing? (King 2000)
  2. Correctness by Construction (Hall 2002)
  1. Proof vs. Testing (Yin Shi)
  2. Correctness by Construction (Rajib)


 

©2006 James Walden, Ph.D.