URL study guide
https://studiegids.vu.nl/en/courses/2024-2025/XB_0088

Course Objective
This course is an introduction to security and safety engineering for Bachelor students in Computer Science. It aims to build awareness of security and safety issues in software systems, to apply security and safety threat analysis and mitigation techniques at a conceptual level to practical case studies, and to inspire students to further their education in computer security by exposing them to industrial practices. The course is organised along the principles of scientific peer review and expects motivated students to reach the highest educational objective in Bloom's cognitive taxonomy (Judgement).

Course Content
After completing this course, the student will be able to:
- Apply the conceptual elements of security and safety engineering for security and safety risk analysis (assets, threats, risks and controls) to a concrete problem. [Applying knowledge and understanding, Communication]
- Identify and review the pros and cons of qualitative techniques on the concrete problem instance by reviewing the work of their peers. [Making judgements, Communication, Lifelong learning skills]
- Apply the general methodology so learned to industrial software vulnerability assessment techniques on a concrete problem. [Applying knowledge and understanding, Lifelong learning skills]

Teaching Methods
The course is organised into weekly lectures coupled with practical assignments in which the students apply the theoretical knowledge gained to one or more case studies of a software system.

- Lectures and discussion/Q&A sessions. These activities cover risk analysis, authentication and identification, assets, threats and security controls, software vulnerability and IT system assessment, and introduce the concepts the students will be asked to apply. All questions will be answered in the Q&A sessions.
- Security Risk Analysis report(s). Each student will write a risk analysis report that is submitted in incremental stages with weekly deadlines, covering assets, threat analysis and security controls. Each report includes a new part corresponding to the newly introduced material and a rebuttal of the reviews received on the previous part, as in scientific articles. Students who do not submit by the deadline will not be able to review the reports of their peers.
- Individual peer reviews. Each student will review the assignments submitted by their peers according to a detailed grading scheme provided and exemplified by the lecturers. Each student will have to review five assignments for each type of assignment. The feedback of students of past editions of the course is that the average time for peer evaluation is about one hour per (good) review.
- Class presentation and public review. To provide intermediate feedback and to learn to identify and review a variety of applications of the technique, students will be asked to discuss their assignments in front of the class. Attending the discussion classes is mandatory, also for students who have already presented in previous sessions.

Method of Assessment
Given the tight timeline, at the beginning of the course students will have to submit a short (1/3 page) essay on their study strategy and grade expectation. Those that do not submit by the deadline will get a NS "No Show" as the final grade. The overall grade is determined as follows:
- 60% for the reports, each of which is divided as:
  - 65% on the evaluation of the report as graded by the peers
  - 35% for participation in the peer review process and the quality of the reviews, as re-evaluated by the lecturers and teaching assistants
- 40% for the final exam on vulnerability assessments

Pass or fail
Quality of the reviews. Additional points beyond the participation score will be deducted from students who write poor (e.g. generic, such as "it is ok, full points") or unfair reviews.
Presentation of the reports in class. If a student is asked to present his/her report in class and is absent or not able to present it, the assignments will be considered void.
Students must reach 5.5 on both the report and the final exam.

Plagiarism and Fraud Check
If the number of students is so large that discussions in front of the class cannot be organised for all students to present at least once, a digital exam will be organised to assess knowledge of the reviewed material. Students who have not presented must score at least 6/10 in the confirmation exam for the assignment score to be considered valid.

Resit
There is a resit for the final exam on vulnerability assessment. It is not possible to resit the assignments and the peer reviews. Students can only resit reviews failed due to additionally deducted points by writing a report analysing the reviews of all other students for each failed report.

Literature
Gibson. Managing Risk in Information Systems. Jones & Bartlett. This book offers a general structure of the security assessment process in industry and can be followed for the high-level process of threat and security

Additional Lecture Material
Slides and additional material will be provided in Canvas.
- Common Vulnerability Scoring System Standard v3.1 and v4.0
- National Institute of Standards and Technology 800 family
- SESAR OpenSky Security Risk Assessment Method SecRAM, simplified version used by Eurocontrol
- Anderson. Security Engineering. Wiley. The previous version of the book is available online: https://www.cl.cam.ac.uk/~rja14/book.html
- Shostack, A. (2014). Threat Modelling: Designing for Security. Wiley.
Selected chapters will be made available on Canvas for educational use.
Target Audience
Computer Science Bachelor (year 2)

Custom Course Registration
Given the tight timeline, at the very beginning of the course students will have to submit a short (1/3 page) essay on their study strategy and grade expectations. Those that do not submit by the deadline will get a NS "No Show" as the final grade.

Additional Information
Please see the information on Canvas.

Entry Requirements
While there are no formal entry requirements, students who do not have the background knowledge provided by the courses on Computer Networks, Operating Systems and Web/Application Software Development will encounter some difficulties in the course.

Recommended background knowledge
While there are no formal entry requirements, students who do not have the background knowledge provided by the courses on Computer Networks, Operating Systems and Web/Application Software Development will encounter some difficulties in the course.

Explanation Canvas
The submission of the reports and the peer review of the reports will be done in Canvas/FeedbackFruits. Because the system automatically assigns reviewers, it is not possible to grant any deadline extension for the submission of the reports or the submission of the reviews. Students should therefore plan their activities carefully and also submit a draft version of their reports well in advance of the deadline (multiple submissions are possible) rather than waiting until the last moment.

Language of Tuition
- English
Study type
- Bachelor