Learning Objectives

In this assignment you will demonstrate:

• Familiarity with security weaknesses in C, C++, and Java
• Familiarity with secure coding issues in C, C++, and Java
• Familiarity with the SEI CERT documentation on C, C++, and Java
• Research and writing skills through the exploration and exposition of certain topics in software security
• The ability to get through a few more of Tom Scott videos on YouTube

Read and Watch

Do the following:

• Read the course notes on C, C++ (and JavaScript and Java if you did not read them prior to Homework 1)
• Read the OWASP Security by Design Principles
• Skim this whitepaper on How to Write Secure Code in C
• Read the Preface and Chapter 2 of this book. Also skim the table of contents just to get a feel for the kinds of things you need to do when writing C and C++ securely.
• In the SEI CERT C Coding Standard, read the introductory pages and expand the entire table of contents to get a feel for the standards themselves. Click through to a few interesting standards (seven or eight is sufficient).
• Browse the SEI CERT C++ Coding Standard as you did the CERT C reference above.
• Browse SEI CERT Oracle Coding Standard for Java. the same way.
• Watch three more Tom Scott videos listed on the first page of course notes (other than the five you watched previously).
• Begin the Linked in Learning Course Programming Foundations: Web Security. Complete the introduction and chapters 1 and 2.

For Submission

Submit via BrightSpace, a PDF document with answers to the following. Please note that several of these questions involve research to answer questions not specifically addressed during lectures (though they may build on the big ideas introduced during class meetings).

1. Give the titles and URLs of the three Tom Scott security-related videos you watched (to completion), together with a sentence or two on the purpose or lesson if each video.
2. Research the concept of Security Through Obscurity. Write up a couple paragraphs describing what this phrase refers to, give some examples, and describe why it is (generally) a bad thing.
3. Give (software) examples of (a) a failure of confidentiality, (b) a failure of integrity, and (c) a failure of availability.
4. What is the difference between authentication and authorization? Give an example.
5. Select 3 guidelines each from the SEI CERT Guidelines in this assignment’s reading list (for C, C++, and Java). For each, give their name, their number in the CERT numbering scheme, a description of the standard in your own words and an example of your very own of code that is compliant with the selected guideline. (You may optionally include a non-compliant piece of code too, but please mark it as non-compliant.) Yes, your answer will be very much based on the code in the standard itself, but the effort you put into answering this question well, and testing the code, will help you reach the learning objectives and increase your familiarity with these useful documents. (Be careful to select 9 guidelines that are markedly different from each other.)

Grading

• For each video: 1 pt for giving the URL, 3 points for capturing the essence of the video. (4 points × 3 = 12 points)
• For the STO question: 3 points for writing well, 3 points for an accurate description, 4 points for good examples (at least 2), 5 points for saying why it is bad. (15 points)
• For CIA, 3 points each (9 points)
• For auth 5 points in being accurate, 7 points for the examples. (12 points)
• For each of the 9 CERT guidelines: 0.5 point for the name, 1.5 for the description, 3 points for your example(s). Then, 5 points for spreading out concerns (i.e., having a good selection) and 2 points for good writing. (5 points * 9 + 7 points = 52 points)