Review on Software Security Course by Maryland University on coursera.org

   This course was my second course in Cybersecurity specialization. Syllabus you can find here. In brief this course gave me a lot of fun. From my point of view there was a good start, but at the end it became a little bit boring, brief and easy.

    There were 6 weeks, 6 quizzes and 3 labs. First lecture was about low-level memory-based attacks. Stack smashing and format string attacks were well described, there were clear examples, so if you are not familiar with this attacks you can find here useful information. I can't but mention references at the end of the week. There were a lot of links, which provided detailed and deep description of these attacks. Well done, professor! As for me, ROP description was not clearly explained and there were not enough examples to understand it without addtional reading.

   Week 2 was devoted to defense mechanisms against memory attacks. Key technics, such as stack canaries, DEP, ASLR, memory-safety enforcement, control-flow integrity (CFI) were described in details. During these 2 weeks students had time to finish lab 1. It was a vulnerable software with source in VirtualBox image. Professor also provided this lab with step-by-step instructions. It was great pleasure to find flaws, to write exploits and using gdb. I appreciate such tasks because in educational programms there is lack of practice, especially in practical information security.

    Nowadays everything migrates to web. Professor devoted week 3 and lab 2 to web flaws. In brief there were descriptions and examples of SQLi, XSS, CSRF and Session hijacking. Some defensive mechanisms were presented too. In order to create lab BadStore distib was chosen. It is damn vulnerable web app with lots of flaws. Unfortunately, tasks in lab was very easy. As for me it will be more useful and tough to use XSS or SQLi to get access, than find out some cookies info.

   Secure design in week 4 was pretty easy to understand. It was great, that principles of designing was introduced in course. In this week you can find basic definitions? Such as authentication, authorization and etc. Also there were criteria of a good model, key principles of secure design. They are obvious, but very hard to follow.

   Week 5 was a nightmare. I suffered and struggled with static code analysis. From my point of view this technology is efficient, but also it needs much more experience in software development than an average student has. As for me, quizz after the lecture was incredibly difficult, some ways of static analysis procedure was not fully described in lectures, but they were in quizz. Additional reading was Brian Chess and his book - «Secure Programming with Static Analysis». Great book, but without enough coding experience and time for understanding for me it was rocket science. Symbolic execution theme was fair, good examples and clear description of principles gave me an opportunity to solve quizz questions.

    Lab 3 was connected with fuzzing. In brief we fuzzed app from Lab 1. It was very easy and I didn't spend much time on thinking about it.

   Week 6 was greatly titled «Penetration testing». But I was confused, because Professor in brief told us several well-known tricks and software without going deeper. Some words was about fuzzing, but not enough to understand underlying algorythms.

   Course was pretty good at the beginning. 3 weeks was great, 2 good labs. I thought it would be better and better. But at the end themes became a little bit boring and unclear. May be they were in a hurry. If this course would be expanded with heap overflow and ROP examples, more information about XSS and CSRF, more practice and entire week or two about pentest it would be great and unbelievable. I think professor can do it!