Difference between revisions of "IU:TestPage"

From IU
Tag: Manual revert
Line 1: Line 1:
   
  +
= Secure development =
= IT Product Development =
 
* '''Course name''': IT Product Development
+
* '''Course name''': Secure development
* '''Code discipline''':
+
* '''Code discipline''': XXX
* '''Subject area''': Technological entrepreneurship
+
* '''Subject area''': Security and Networks
   
 
== Short Description ==
 
== Short Description ==
  +
This course is for the first-time entrepreneur. We will briefly but concisely discuss all the issues related to starting your own project from scratch: how to make sure that your idea is in demand, how to do market research, how to stop putting off the launch, why the customer is more important than the product, and how to do customer research. During this course, students will get used to their entrepreneurial role, build teams, formulate a business and product idea and be ready to delve into the complexities of business development in the following courses.
 
   
 
== Prerequisites ==
 
== Prerequisites ==
   
 
=== Prerequisite subjects ===
 
=== Prerequisite subjects ===
  +
* CSE101: Introduction to Programming
 
  +
* CSE112: Software Systems Analysis and Design
   
 
=== Prerequisite topics ===
 
=== Prerequisite topics ===
  +
* Basic programming skills, C/C++ is recommended
 
  +
* Software design or software architecture
  +
* Basics of compilers
   
 
== Course Topics ==
 
== Course Topics ==
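Review bot: 'Code discipline' is left as the placeholder XXX, and the old IT Product Development description is removed without a replacement paragraph, so the Short Description of the Secure development course is empty; fill in the discipline code and add a short description of the new course.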
Line 22: Line 25:
 
! Section !! Topics within the section
 
! Section !! Topics within the section
 
|-
 
|-
  +
| Basics of security ||
| Introduction & Building Your Team & Making Your Team Agile ||
 
  +
# Security and safety. Security and code quality. Maintainability and security. Why it is so hard to develop a secure system and what approaches may be applied? When it makes sense to drive system secure?
# Defining a startup
 
# Formulating the group project: team, business idea
 
# Leadership
 
# Forming the team
 
# Managing the team
 
 
|-
 
|-
  +
| Security architecture ||
| Defining Your Customer & Defining Your Product & Defining Your Rivals ||
 
  +
# NIST recommendations
# Customer Segmentation
 
  +
# Security principles
# Customer Profile (JTBD, Pains, Gains)
 
  +
# Theoretical security: access matrix and security models
# Creating a Value Proposition
 
  +
# Secure by design
# Matching Value Proposition with Customer Profile
 
# Strategy Canvas
 
 
|-
 
|-
  +
| Secure coding<br> ||
| Defining Your Business Model & Defining Your Vision ||
 
  +
# Security on the code level
# Business Model Canvas
 
  +
# SDL
# Business Model Patterns
 
  +
# Main binary vulnerabilities and their mitigations
# Business Model Environment
 
  +
|-
# Business Model Testing
 
  +
| Secure operating ||
# Minimum-Viable Product
 
  +
# Security monitoring
# Product Roadmap
 
  +
# DevSecOps
  +
# Dealing with 3rd parties
  +
|-
  +
| Security assurance ||
  +
# Pen testing
  +
# Fuzzing
  +
# Bug Bounty programs
  +
|-
  +
| Linux security ||
  +
# Keep it all together and see how Linux kernel deals with that.
  +
# SELinux
  +
# GrSec patches
  +
# Why Linux is not safety system
 
|}
 
|}
 
== Intended Learning Outcomes (ILOs) ==
 
== Intended Learning Outcomes (ILOs) ==
   
 
=== What is the main purpose of this course? ===
 
=== What is the main purpose of this course? ===
The purpose of the course is to walk students through the concrete steps that are necessary for an entrepreneur to develop a tech product and build a solid business around that tech product.
+
The main purpose of this course is to give students a security vision from up to down, because the security principle of weakest link insist that the weakest part of the process/system would be the one to be attacked.
   
 
=== ILOs defined at three levels ===
 
=== ILOs defined at three levels ===
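Review bot: the wording of the new purpose statement needs tightening: 'a security vision from up to down, because the security principle of weakest link insist that' should read 'a top-to-bottom view of security, because the weakest-link principle holds that the weakest part of a process or system is the one that will be attacked'; likewise the Basics of security topic 'When it makes sense to drive system secure?' should read 'When does it make sense to make a system secure?'.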
Line 53: Line 64:
 
==== Level 1: What concepts should a student know/remember/explain? ====
 
==== Level 1: What concepts should a student know/remember/explain? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Remember main security principles
* approaches to designing and testing a business model through the experiments,
 
  +
* List SDL stages
* frameworks of agile development,
 
  +
* Describe the difference between security and safety
* storytelling methods to design a brand,
 
  +
* Explain basic binary vulnerabilities
* pitching presentation tools.
 
  +
* Specify the required security assurance
  +
* Describe the key elements of SOC systems
  +
* Explain why fuzzing is not the same as unit or integration testing
   
 
==== Level 2: What basic practical skills should a student be able to perform? ====
 
==== Level 2: What basic practical skills should a student be able to perform? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Perform Threat Modeling
* concrete steps of the business design (business model, hypothesis formulation/testing and minimum-viable product creation),
 
  +
* Review code to find insecure patterns
* SCRUM roles, ceremonies and artefacts,
 
  +
* Deal with open source code securely
* specifics of pitch presentation for investors.
 
  +
* Explain the value of bug bounty programme and find the right moment to start it
   
 
==== Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios? ====
 
==== Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Suggest hardenings and architecture drifts to achieve required level of s&s
* define the customer problem and validate it,
 
  +
* Propose process improvement in a cost-effective manner that would drastically improve the security and safety level.
* create the product to fit the problem with agile methods,
 
* define the business model around the product,
 
* promote a product and a startup,
 
* build strong networks in the business world.
 
 
== Grading ==
 
== Grading ==
   
Line 79: Line 91:
 
! Grade !! Range !! Description of performance
 
! Grade !! Range !! Description of performance
 
|-
 
|-
| A. Excellent || 90-100 || -
+
| A. Excellent || 80-100 || -
 
|-
 
|-
| B. Good || 75-89 || -
+
| B. Good || 60-79 || -
 
|-
 
|-
| C. Satisfactory || 60-74 || -
+
| C. Satisfactory || 40-59 || -
 
|-
 
|-
| D. Fail || 0-59 || -
+
| D. Fail || 0-39 || -
 
|}
 
|}
   
Line 94: Line 106:
 
! Activity Type !! Percentage of the overall course grade
 
! Activity Type !! Percentage of the overall course grade
 
|-
 
|-
| Final presentation || 30
+
| Assignment/Labs || 70
 
|-
 
|-
| Project Report || 20
+
| Final quiz || 30
|-
 
| Project Progress || 50
 
 
|}
 
|}
   
 
=== Recommendations for students on how to succeed in the course ===
 
=== Recommendations for students on how to succeed in the course ===
Participation is important. Showing up and participating in discussions is the key to success in this course.<br>Students work in teams, so coordinating teamwork will be an important factor for success.<br>Reading the provided materials is mandatory, as lectures will mainly consist of discussions.<br>The main assignment in the course is Market research paper which is supposed to be useful not only for this course but s a basis for future business oriented courses
+
Participation is important. Showing up is the key to success in this course.<br>If you don’t have a corresponding technical background, please do not hesitate to ask lecturer. If you feel that the gap is deep, request for extra reading.<br>Reading the recommended literature is optional, and will give you a deeper understanding of the material.
   
 
== Resources, literature and reference materials ==
 
== Resources, literature and reference materials ==
   
 
=== Open access resources ===
 
=== Open access resources ===
  +
* Owasp.com
* Tidd, J. & Bessant, J. (2011). Managing Innovation: Integrating Technological, Market and Organizational Change
 
  +
* MITRE SOC Operations https://www.mitre.org/sites/default/files/publications/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
* Stickdorn, M. & Schneider, J. (2010). This is Service Design Thinking. Wiley.
 
  +
* MISRA, AUTOSAR, SEI CERT
* Brown, T. & Kātz, B. (2009). Change by design. New York: Harper Business.
 
  +
* https://www.microsoft.com/en-us/securityengineering/sdl
* Osterwalder, A.& Pigneur, Y. (2010). Business Model Generation: A Handbook for Visionaries, Game Changers, and Challengers
 
* Sutherland, J. (2014). Scrum: The Art of Doing Twice the Work in Half the Time
 
   
 
=== Closed access resources ===
 
=== Closed access resources ===
  +
* Matt Bishop, (2018) “Computer Security: Art and Science”
 
  +
* D Deougun, DB Jonhsson, D Sawano (2019) “Secure by design”
  +
* D LeBlanc, Michael Howard (2002) “Writing secure code”
   
 
=== Software and tools used within the course ===
 
=== Software and tools used within the course ===
  +
* Some static analyser
* Boardofinnovation.com
 
  +
* AFL
* Miro.com
 
* Notion.com
 
 
= Teaching Methodology: Methods, techniques, & activities =
 
= Teaching Methodology: Methods, techniques, & activities =
   
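Review bot: the author names in the Secure by design entry are misspelled (Deogun and Johnsson), and 'Some static analyser' in the tools list leaves students without the name of the analyser used in the labs; correct the names and name the tool alongside AFL.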
Line 126: Line 136:
 
|+ Teaching and Learning Methods within each section
 
|+ Teaching and Learning Methods within each section
 
|-
 
|-
! Teaching Techniques !! Section 1 !! Section 2 !! Section 3
+
! Teaching Techniques !! Section 1 !! Section 2 !! Section 3 !! Section 4 !! Section 5 !! Section 6
 
|-
 
|-
| Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) || 1 || 1 || 1
+
| Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Project-based learning (students work on a project) || 1 || 1 || 1
+
| Modular learning (facilitated self-study) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Differentiated learning (provide tasks and activities at several levels of difficulty to fit students needs and level) || 1 || 1 || 1
+
| Differentiated learning (provide tasks and activities at several levels of difficulty to fit students needs and level) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Contextual learning (activities and tasks are connected to the real world to make it easier for students to relate to them); || 1 || 1 || 1
+
| Contextual learning (activities and tasks are connected to the real world to make it easier for students to relate to them); || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Business game (learn by playing a game that incorporates the principles of the material covered within the course). || 1 || 1 || 1
+
| Business game (learn by playing a game that incorporates the principles of the material covered within the course). || 1 || 1 || 1 || 1 || 1 || 1
|-
 
| Task-based learning || 1 || 1 || 1
 
 
|}
 
|}
 
{| class="wikitable"
 
{| class="wikitable"
 
|+ Activities within each section
 
|+ Activities within each section
 
|-
 
|-
! Learning Activities !! Section 1 !! Section 2 !! Section 3
+
! Learning Activities !! Section 1 !! Section 2 !! Section 3 !! Section 4 !! Section 5 !! Section 6
|-
 
| Lectures || 1 || 1 || 1
 
|-
 
| Interactive Lectures || 1 || 1 || 1
 
|-
 
| Lab exercises || 1 || 1 || 1
 
|-
 
| Cases studies || 1 || 1 || 1
 
|-
 
| Group projects || 1 || 1 || 1
 
|-
 
| Peer Review || 1 || 0 || 0
 
|-
 
| Discussions || 1 || 1 || 1
 
|-
 
| Presentations by students || 1 || 1 || 1
 
|-
 
| Written reports || 1 || 1 || 1
 
|-
 
| Oral Reports || 1 || 1 || 1
 
|-
 
| Quizzes (written or computer based) || 0 || 1 || 0
 
|-
 
| Simulations and role-plays || 0 || 1 || 0
 
|-
 
| Essays || 0 || 1 || 1
 
 
|-
 
|-
| Experiments || 0 || 0 || 1
+
| Lectures || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Individual Projects || 0 || 0 || 1
+
| Lab exercises || 1 || 1 || 1 || 1 || 1 || 1
 
|}
 
|}
 
== Formative Assessment and Course Activities ==
 
== Formative Assessment and Course Activities ==
Line 185: Line 167:
 
! Activity Type !! Content !! Is Graded?
 
! Activity Type !! Content !! Is Graded?
 
|-
 
|-
  +
| Individual Assignments || A2: Product Ideation and Market Research<br>Find all weakness in the code snippet. Suggest how to fix them in a secure way. What is your recommendation for the code author? || 1
| Discussion || 1. What is a startup?<br>2. What are the roles within a team?<br>3. How should you form the team of a startup?<br>4. What types of leadership are the most effective?<br>5. What are the ceremonies, roles and artifacts of SCRUM? || 0
 
|-
 
| Workshop || Fill in the team canvas to put all your goals and common values on one page. || 1
 
 
|}
 
|}
 
==== Section 2 ====
 
==== Section 2 ====
  +
{| class="wikitable"
 
|+
 
|-
 
! Activity Type !! Content !! Is Graded?
 
|-
 
| Workshop || 1. Define INTERESTING industries for all team members. Define industries in which you HAVE KNOWLEDGE AND EXPERIENCE. Put these industries on the matrix. Choose ONE industry for your project that meets 2 criteria above. <br>2. Brainstorm about stakeholders from your market. Choose the segment that you sympathise the most. <br>3. Define the customer segment you empathise the most (i.e. elderly people, children, office workers etc.). Define JOBS TO BE DONE. Put each job on the separate sticker. Define user's PAINS. Put each pain on the separate sticker.Define user's GAINS. Put each gain on the separate sticker. <br>4. Brainstorm what products you can offer to the chosen segment with their pains or gains. If you are stuck, use SCAMPER techniques.Group ideas that have the similar topic into clusters. Choose 1 top idea for further development based on 2 defined criteria (innovative potential and feasibility). <br>5. Choose the best product idea. Define PRODUCTS & SERVICES. Put each item on the separate sticker. Define GAIN CREATORS. Put each item on the separate sticker. Define PAIN RELIEVERS. Put each item on the separate sticker. <br>6. Review your pain relievers and gain creators.Check if pain relievers and gain creators correspond with JBDs, pains and gains from the customer profile. Highlight those that correspond with each other. If there are any pain relievers and gain creators are left, they don't create the value for a customer. Check how you can redefine you value proposition. <br>7. Define your 5 main competitors. Define competing factors (these are your pain relievers and gain creators). Draw the strategic canvas based on competing factors. Define areas where you can compete. Redefine your value proposition if necessary (make new priorities for product and services, pain relievers, gain creators.<br> || 0
 
|-
 
| Discussion || 1. How to validate a problem?<br>2. How to validate a market?<br>3. How to validate a solution? || 0
 
|-
 
| Customer research || 1. How customers do their jobs in the industry right now?<br>2. How can we develop the empathy with users?<br>3. What is a persona? How to design a persona? || 1
 
|}
 
 
==== Section 3 ====
 
==== Section 3 ====
  +
{| class="wikitable"
 
  +
==== Section 4 ====
|+
 
  +
|-
 
  +
==== Section 5 ====
! Activity Type !! Content !! Is Graded?
 
  +
|-
 
  +
==== Section 6 ====
| Discussion || What is the value of the business model canvas by Alexander Osterwalder?<br>What are the components of the business model?<br>What is the Minimum Viable Product (MVP)? How to define must-have, should-have and could-have requirements? || 0
 
  +
|-
 
| Group project || Please, develop the business model for your tech product.<br>Please, test your business model using experiments with your prototypes.<br>Please, create the concept for your Minimum Viable Product. || 1
 
|-
 
| Workshop || Formulate all blocks of the business model for your business idea.<br>Define the forces that shape your business environment.<br>Define must-have, should-have and could have requirements for your product. || 0
 
|-
 
| Group presentation || Create a story for your product. Think about your user as a hero and your product as a helper. || 1
 
|}
 
 
=== Final assessment ===
 
=== Final assessment ===
 
'''Section 1'''
 
'''Section 1'''
  +
# For the final assessment, students should complete the Market Research paper.
 
# It should follow the market research paper structure, contain information about market volume (TAM SAM SOM), data must be gathered with help of data sources learnt.
 
# The paper should refer to market potential and give the basis to make business decisions, answer questions on how to start and develop your idea, what is your business model, target customer persona, product MVP etc.
 
# Grading criteria for the final project presentation:
 
# Market sizing has been carried out
 
# Customer segments are named
 
# Сompetitor analysis has been conducted
 
# At least 2 prominent data sources are used
 
# Customer discovery interviews conducted
 
# Future steps are mapped out
 
# The final report is visualized clearly and transparent
 
 
'''Section 2'''
 
'''Section 2'''
   
 
'''Section 3'''
 
'''Section 3'''
  +
  +
'''Section 4'''
  +
  +
'''Section 5'''
  +
  +
'''Section 6'''
   
   
 
=== The retake exam ===
 
=== The retake exam ===
 
'''Section 1'''
 
'''Section 1'''
  +
# .3 The retake exam.
 
# For the retake, students have to submit the results of the market sizing exercise with the TAM SAM SOM method in the form of a visual framework studied.
 
 
'''Section 2'''
 
'''Section 2'''
   
 
'''Section 3'''
 
'''Section 3'''
  +
  +
'''Section 4'''
  +
  +
'''Section 5'''
  +
  +
'''Section 6'''
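Review bot: the Section 1 assignment row keeps the old title 'A2: Product Ideation and Market Research' in front of the new code-review task, and the Final assessment and retake exam subsections for Sections 1 to 6 are all empty; drop the leftover title and describe the final quiz, which the grading table weights at 30%, and the retake format.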

Revision as of 11:42, 7 October 2022

Secure development

  • Course name: Secure development
  • Code discipline: XXX
  • Subject area: Security and Networks

Short Description

Prerequisites

Prerequisite subjects

  • CSE101: Introduction to Programming
  • CSE112: Software Systems Analysis and Design

Prerequisite topics

  • Basic programming skills, C/C++ is recommended
  • Software design or software architecture
  • Basics of compilers

Course Topics

Course Sections and Topics
Section Topics within the section
Basics of security
  1. Security and safety. Security and code quality. Maintainability and security. Why is it so hard to develop a secure system, and what approaches can be applied? When does it make sense to make a system secure?
Security architecture
  1. NIST recommendations
  2. Security principles
  3. Theoretical security: access matrix and security models
  4. Secure by design
Secure coding
  1. Security on the code level
  2. SDL
  3. Main binary vulnerabilities and their mitigations
Secure operating
  1. Security monitoring
  2. DevSecOps
  3. Dealing with 3rd parties
Security assurance
  1. Pen testing
  2. Fuzzing
  3. Bug Bounty programs
Linux security
  1. Putting it all together: how the Linux kernel deals with these issues.
  2. SELinux
  3. GrSec patches
  4. Why Linux is not a safety system

Intended Learning Outcomes (ILOs)

What is the main purpose of this course?

The main purpose of this course is to give students a top-to-bottom view of security, because the weakest-link security principle holds that the weakest part of a process or system is the one that will be attacked.

ILOs defined at three levels

Level 1: What concepts should a student know/remember/explain?

By the end of the course, the students should be able to ...

  • Remember main security principles
  • List SDL stages
  • Describe the difference between security and safety
  • Explain basic binary vulnerabilities
  • Specify the required security assurance
  • Describe the key elements of SOC systems
  • Explain why fuzzing is not the same as unit or integration testing

Level 2: What basic practical skills should a student be able to perform?

By the end of the course, the students should be able to ...

  • Perform Threat Modeling
  • Review code to find insecure patterns
  • Deal with open source code securely
  • Explain the value of a bug bounty programme and identify the right moment to start one

Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios?

By the end of the course, the students should be able to ...

  • Suggest hardening measures and architecture changes to achieve the required level of security and safety
  • Propose cost-effective process improvements that would drastically raise the security and safety level.

Grading

Course grading range

Grade Range Description of performance
A. Excellent 80-100 -
B. Good 60-79 -
C. Satisfactory 40-59 -
D. Fail 0-39 -

Course activities and grading breakdown

Activity Type Percentage of the overall course grade
Assignment/Labs 70
Final quiz 30

Recommendations for students on how to succeed in the course

Participation is important. Showing up is the key to success in this course.
If you don’t have the corresponding technical background, please do not hesitate to ask the lecturer. If you feel that the gap is deep, ask for extra reading.
Reading the recommended literature is optional and will give you a deeper understanding of the material.

Resources, literature and reference materials

Open access resources

Closed access resources

  • Matt Bishop (2018) “Computer Security: Art and Science”
  • D. Deogun, D. B. Johnsson, D. Sawano (2019) “Secure by Design”
  • D. LeBlanc, M. Howard (2002) “Writing Secure Code”

Software and tools used within the course

  • Some static analyser
  • AFL

Teaching Methodology: Methods, techniques, & activities

Activities and Teaching Methods

Teaching and Learning Methods within each section
Teaching Techniques Section 1 Section 2 Section 3 Section 4 Section 5 Section 6
Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) 1 1 1 1 1 1
Modular learning (facilitated self-study) 1 1 1 1 1 1
Differentiated learning (provide tasks and activities at several levels of difficulty to fit students needs and level) 1 1 1 1 1 1
Contextual learning (activities and tasks are connected to the real world to make it easier for students to relate to them); 1 1 1 1 1 1
Business game (learn by playing a game that incorporates the principles of the material covered within the course). 1 1 1 1 1 1
Activities within each section
Learning Activities Section 1 Section 2 Section 3 Section 4 Section 5 Section 6
Lectures 1 1 1 1 1 1
Lab exercises 1 1 1 1 1 1

Formative Assessment and Course Activities

Ongoing performance assessment

Section 1

Activity Type Content Is Graded?
Individual Assignments A2: Product Ideation and Market Research
Find all weaknesses in the code snippet. Suggest how to fix them in a secure way. What is your recommendation for the code author?
1

Section 2

Section 3

Section 4

Section 5

Section 6

Final assessment

Section 1

Section 2

Section 3

Section 4

Section 5

Section 6


The retake exam

Section 1

Section 2

Section 3

Section 4

Section 5

Section 6