Learning Objectives:

In this week of the course, you will learn to:

• Describe that security is a spectrum, and be able to define a realistic threat model for a given system
• Evaluate the tradeoffs between security and costs in software engineering
• Recognize the causes of and common mitigations for common vulnerabilities in web applications
• Utilize static analysis tools to identify common weaknesses in code

Lessons:

• Software Engineering + Security Slides PDF, PPT

For Further Reading:

• “What are Weak Links in the npm Supply Chain?”
• “Why secret detection tools are not enough: It’s not just about false positives - An industrial case study”
• “A comparative study of vulnerability reporting by software composition analysis tools”
• “Practical Automated Detection of Malicious npm Packages”
• HashiCorp Vault
• “OWASP Top 10 Web Security Risks”
• LGTM analysis of transcript server and XSS example on transcript server (This link might be annoying, but is not malicious)
• Software supply-chain vulnerabilities: ESLint 2018 attack, Podcast on SolarWinds attack
• Security awareness/training activity: OWASP Juice Shop, online demo