CYSE 411: Secure Software Engineering (Spring 2017)

Course Description

This is an upper-level undergraduate course on software security. It provides a foundation for building secure software by applying security principles throughout the software development lifecycle. Students will learn practical skills for developing and testing secure software. The focus is practical, with discussion of why and how security mechanisms work, what level of security they actually provide, and how a hostile adversary might subvert them. Programming flaws, methods for avoiding and correcting them, and the economic cost of software bugs are also addressed.

Course Information

Class Time: W 10:30am - 1:10pm
Class Location: David King Jr. Hall 1006

Instructor: Dr. Kun Sun
Office Hours: W 2:00pm - 4:00pm and by appointment, Research Hall, #421

Grading Policy

Term project

Each student is required to complete a mid-size project, which includes a proposal, an implementation, and a final demo or paper. Each student must finish the project by himself/herself.

Requirements for project proposal.
Requirements for project final report.
Requirements for presentation.

Projects include but are not limited to:

  • Research Paper [sample 1][sample 2]
    • You can work on original research problems. The outcome should be a paper with original technical contribution. Your grade on this will be judged on originality, soundness of the approach, and quality of presentation.
    • Example Topics:
      • Android Security
      • Honeypot
      • Virtualization Security, e.g., Docker, VMM
      • Vulnerability Analysis
      • Intrusion Detection
      • Authentication and Access Control
      • DNS Security
      • Trusted Execution Environment
      • New Attacks
      • etc.
  • Survey Paper [sample 1] [sample 2]
    • You can write a paper that surveys a particular field on software security. The outcome should be a paper that summarizes the trend in the field you have chosen. Your grade will be judged on the completeness of the survey, the quality of the trend analysis, and the quality of presentation.
    • Example topics:
      • Cybercrime, e.g., Ransomware, Online Black Markets
      • Web Application Vulnerabilities, e.g., XSS
      • Database Vulnerabilities, e.g., SQL Injection
      • Network Security, e.g., Botnet, SDN, NFV
      • Security of Browser Plug-ins/Extensions
      • Drive-by Downloads, Social Engineering
      • Code-level Vulnerabilities, e.g., Return-oriented Programming (ROP), Buffer Overflow
      • Software Defense Mechanisms, e.g., Address Space Layout Randomization (ASLR)
      • Symbolic Execution
      • etc.


Textbooks

1. [McGraw] Gary McGraw, Software Security: Building Security In (1st Edition), Addison-Wesley Professional, ISBN-10: 0321356705, ISBN-13: 978-0321356703

2. [Seacord] Robert Seacord, Secure Coding in C and C++ (2nd Edition), Addison-Wesley Professional, ISBN-10: 0321822137, ISBN-13: 978-0321822130

Class Schedule (tentative)

Note: the schedule will change as the course progresses. Please check frequently.

Each class meeting below lists its topics, the reading assignment, and any quiz or project assignment due that week.

Topics: Topic 1. Introduction to Information Security; Topic 2-1. Software Security Fundamentals
Reading Assignment: [McGraw] Chapter 1
Slides: T01 slides; T02.1 slides

Topics: Topic 2-1. Software Security Fundamentals (cont.); Topic 2-2. Secure Coding: Strings
Reading Assignment: [McGraw] Chapter 1; [Seacord] Chapter 2

Topics: Topic 2-2. Secure Coding: Strings (cont.); Topic 3. Risk Management
Reading Assignment: [Seacord] Chapter 2; [McGraw] Chapter 2

Topics: Topic 3. Risk Management (cont.); Topic 4. Software Development Process and Software Security Touchpoints
Reading Assignment: [McGraw] Chapter 3
Quiz / Project Assignment: Quiz 1

Topics: Topic 5-1. Code Review; Topic 5-2. Static Analysis
Reading Assignment: [McGraw] Chapter 4

Topics: Topic 5-2. Static Analysis (cont.); Topic 6. Penetration Testing
Reading Assignment: [McGraw] Chapter 6

Topics: Topic 7-1. Architectural Risk Analysis; Topic 7-2. Risk-Based Security Testing; Topic 7-3. Abuse/Misuse Cases
Reading Assignment: [McGraw] Chapters 5, 7, 8
Quiz / Project Assignment: Quiz 2; project proposal due on 03/10/2017

No Class (Spring break)

Topics: Topic 8. Security Operations; Topic 9-1. Secure Coding: Dynamic Memory; Topic 9-2. Secure Coding: Integer Security
Reading Assignment: [McGraw] Chapter 9; [Seacord] Chapters 4, 5

Topics: Topic 9-3. Secure Coding: Formatted Output; Topic 9-4. Secure Coding: Race Conditions; Topic 10. Symbolic Execution
Reading Assignment: [Seacord] Chapters 6, 7

Topics: Topic 10. Symbolic Execution (cont.); Topic 11. Web Security

Student Presentation (I)

1. Drive-by Downloads & Social Engineering (Doug Mcdonald)
2. Cybercrime (Andrew VanPernis)
3. Automated Binary Analysis (Steve Zamory)
4. SDN Security (Matt Wilkes)

Student Presentation (II)

5. Android Security (Allen Shen & James Peck)
6. Medical Device Security (Ankur Goel & Marco Perdomo)
7. Web Security (Chase Franklin & Yusif Atasoy)
8. Honeypot (Jacob Dulaney)
9. Drive-by Download (Eric Gum)

Student Presentation (III)

10. Ransomware (Zabi Tori & Gustavo Loayza)
11. Botnet (Nicholas Burley)
12. Medical Device Security (Clara Currier)
13. Web Browser Security (Ismail Ahmad & Nadia Jehangir)
14. Ransomware (Benjamin Krause & Shival Puri)
15. DDoS Attacks (Ali Nasir & Alexander Svinicki)
16. Browser Plug-ins Security (Saarthik Tannan)

Student Presentation (IV) and Final Review

17. Ransomware (Juwan Harris)
18. Cybercrime (Simplice Njike)
19. BYOC Security (Hyun Kim)
20. Bitcoin Security (Erika Strano & Natalie Parke)
21. Ransomware (Samuel Dura)
22. IoT Security (Matt Burke & Jon W.)
23. Web Application Security (Stefany Cando)

Slides: Final_review slides

Final Exam (10:30 am – 1:10 pm)
Project final report due on 05/10/2017

Honor Code

Students are required to follow George Mason University's Honor Code.

Students with Disabilities

Any student with a disability needing academic adjustments or accommodations should contact the instructor immediately.


This course includes materials provided by Dr. Thomas Schwarz (Marquette University), Dr. Michael Hicks (University of Maryland) and Dr. Csilla Farkas (University of South Carolina).