SWE 681 001 / ISA 681 001 - Topic Paper/Presentation ideas
The topic paper and presentation
must present and plausibly advocate some specific actions
to take (or avoid) to produce more secure software during its
design and/or implementation.
Imagine that I will remove everything not relevant to the class, which is
about design and implementation of secure software.
For example, you can briefly mention the importance of training users,
or implementing network firewalls in a computer network, and I will
simply pretend that you didn't write that at all.
If there is little left, your grade will be really bad.
In real computer systems you need to combine many techniques to produce
secure systems, but the purpose of this class is for you to learn how
to apply design and implementation techniques to develop secure software,
and the paper must demonstrate your knowledge in the topic area.
See the requirements for more information.
Examples of types of topics are:
- If your topic is a particular type of vulnerability,
explain what it is, but you must focus on
explaining at least one way to counter that vulnerability.
More than one is better; in that case, briefly compare/contrast the
alternatives.
You must describe and advocate at least one specific approach
to avoid having these vulnerabilities!
- If your topic is developing secure software in
a particular programming language, you need to describe
and advocate specific constructs to use/avoid (and explain why).
In these kinds of papers, just put in a sentence like
“The general principles of developing secure software apply to this
programming language; this paper describes some of the specific issues
in language XYZ”, and then just focus on the key
issues specific to that language.
Focus on making the software more secure, not just on developing
software that is more likely to produce correct outputs given correct inputs.
- If your topic is a particular attack or security incident, you need to
focus on the “lessons learned”
about specific actions a software developer
or manager should take or avoid, so that
that type of attack/incident would not be successful or as damaging.
- If your topic is a particular type of program analysis
(static, dynamic, or hybrid), be sure to focus on it in terms of how
it can support detection of vulnerabilities (or prove their absence)
during design and implementation.
Technically, analysis is verification, not design and implementation, but
since the processes are often interleaved, I do allow this particular
area if the material is focused on its use while also doing
design and/or implementation.
Here is a list of ideas/examples, mostly based on past topics
by previous students:
- Android (writing secure software for...)
- Android Stagefright Vulnerability (lessons learned in the design and implementation of secure software)
- Apple goto fail; goto fail (lessons learned in design and implementation of secure software; reference Wheeler!)
- Automotive software (how to design/implement secure automotive software)
- Broken authentication, session management (how to prevent / how to do correctly)
- Buffer overflow (how to counter; you'll have to go beyond the class material)
- Business Process applications based on SOA WebServices
- C (writing secure software in...)
- C++ (writing secure software in...)
- Clickjacking (how to counter)
- Cross Site Request Forgery (CSRF) (how to counter)
- Cross Site Scripting (XSS) (how to counter)
- Embedded systems (how to design/implement secure embedded software systems)
- Enterprise Vulnerability Management (focus on design and implementation of software)
- Format String Vulnerabilities (countering)
- Go (writing secure software in...)
- Heap overflows
- Heartbleed (lessons learned in the design and implementation of software; reference Wheeler!)
- Implementing security in Windows Communication Foundation (WCF) services
- Insecure Cryptographic Storage (how to counter/prevent in the design and implementation of secure software)
- iOS (writing secure software for...)
- Java (writing secure software in...)
- Java Web Application (writing secure software that is a...)
- JavaScript (server-side)
- Kernel hardening (how to modify the design/implementation of existing operating system kernels to resist attack. See grsecurity, etc.)
- LDAP Injection (how to counter)
- Operation Aurora Attacks (lessons learned in the design and implementation of software)
- OPM Data Breach (lessons learned in the design and implementation of software)
- Perl (writing secure software in...)
- PHP (writing secure software in...)
- Python (writing secure software in...)
- QEMU Attacks (countering...)
- Reflected DOM Injection (countering...)
- Ruby (writing secure software in...)
- Ruby on Rails (writing secure software in...)
- Self-Protecting Software Systems (what design mechanisms could be used to increase self-protection of software? What are their pros and cons?)
- Shellshock bug (reference Wheeler!)
- Sony Pictures (lessons learned in the design and implementation of software; reference Wheeler!)
- SQL Injection (how to counter)
- Stuxnet (lessons learned in the design and implementation of software)
- Target Data Breach (lessons learned in the design and implementation of software)
- Unvalidated Redirects & Forwards, Insecure direct object reference
- Vulnerabilities in Cloud storage
- Web browser (how to design/implement a secure web browser)
Remember, do not focus on the problem, or on approaches
irrelevant to the class like user training and implementing firewalls.
In the real world we should combine many approaches, but often people forget
about actually securing the software (leading to future problems).
Focus on the design and implementation of secure software; that's what
the class is about.