SWE 681 001 / ISA 681 001 - Topic Paper/Presentation ideas

The topic paper and presentation must present and plausibly advocate some specific actions to take (or avoid) to produce more secure software during its design and/or implementation.

Imagine that I will remove everything not relevant to the class, which is about design and implementation of secure software. For example, you can briefly mention the importance of training users, or implementing network firewalls in a computer network, and I will simply pretend that you didn't write that at all. If there is little left, your grade will be really bad. In real computer systems you need to combine many techniques to produce secure systems, but the purpose of this class is for you to learn how to apply design and implementation techniques to develop secure software, and the paper must demonstrate your knowledge in the topic area.

See the requirements for more information.

Example of types of topics are:

  1. If your topic is a particular type of vulnerability, explain what it is, but you must focus on explaining at least one way to counter that vulnerability. More than one is better; in that case, briefly compare/contrast the alternatives. You must describe and advocate at least one specific approach to avoid having these vulnerabilities!
  2. If your topic is the developing secure software in a particular programming language, you need to describe and advocate specific constructs to use/avoid (and explain why). In these kinds of papers, just put in a sentence like “The general principles of developing secure software apply to this programming language; this paper describes some of the specific issues in language XYZ”, and then just focus on the key issues specific to that language. Focus on making the software more secure, not just on developing software that is more likely to produce correct outputs given correct inputs.
  3. If your topic is a particular attack or security incident, you need to focus on the “lessons learned” on specific actions a software developer or manager should take or avoid, so that that type of attack/incident would not be successful or as damaging.
  4. If your topic is a particular type of program analysis (static, dynamic, or hybrid), be sure to focus on it in terms of how it can support detection of vulnerabilities (or prove their absence) during design and implementation. Technically analysis is verification, not design and implementation, but since the processes are often interleaved I do allow this particular area if the material is focused on its use while also doing design and/or implementation.

Here is a list of ideas/examples, mostly based on past topics by previous students:

Remember, do not focus on the problem, or on approaches irrelevant to the class like user training and implementing firewalls. In the real world we should combine many approaches, but often people forget about actually securing the software (leading to future problems). Focus on the design and implementation of secure software, that's what the class is about.