Request for Comment: Add Security Courses

[waciumawanjohi]

Problem:
OSSU:CS does not give students the proper broad introduction to information security.

Duration:
Feb 29, 2020

Background:
OSSU promises the equivalent of an undergraduate degree in Computer Science. In order to evaluate our recommended courses, we use the Curriculum Guidelines for Undergraduate Programs in Computer Science (CS2013). More information can be found here.

CS2013 specifies a number of knowledge areas a curriculum must cover, one of which is Information Assurance and Security (IAS). This is described as "...the set of controls and processes both technical and policy intended to protect and defend information and information systems by ensuring their confidentiality, integrity, and availability, and by providing for authentication and non-repudiation." There are 6 topics within this knowledge area.

• Foundational Concepts in Security
• Principles of Secure Design
• Defensive Programming
• Threats and Attacks
• Network Security
• Cryptography

It is important to note that the expectation is generally just an introduction of these areas. There need only be 1-2 hours of lecture material on each topic (this time does not count course readings, assignments, etc, which will be extra time). The learning outcomes on most topics expect only that students are familiar with the topics, not necessarily that they have used them. For example, students must be able to "Explain why input validation and data sanitization is necessary in the face of adversarial control of the input channel." Asking students to undertake data sanitization goes above and beyond the curricular requirements. (It should be noted that students may certainly choose electives that far exceed the general requirements.)

The four learning outcomes that expect students to demonstrate 'usage' are:

• Analyze the tradeoffs of balancing key security properties (Confidentiality, Integrity, and Availability).
• Classify common input validation errors, and write correct input validation code.
• Demonstrate using a high-level programming language how to prevent a race condition from occurring and
  how to handle an exception.
• Demonstrate the identification and graceful handling of error conditions.
  Only 2 of these expect students to write code.

Proposal:
Add three courses to the curriculum:

• Information Security: Context and Introduction
• Principles of Secure Coding
• Identifying Security Vulnerabilities

And give students the option between one of these two courses:

• Identifying Security Vulnerabilities in C/C++Programming
• Exploiting and Securing Vulnerabilities in Java Applications

Alternatives:
a) Use only one course to cover all of the IAS topics:

• Introduction to Cyber Security

b) Choose one of the following specializations (which go more in depth).

• Cybersecurity
• Fundamentals of Computer Network Security
• Introduction to Cyber Security Specialization

[spamegg1]

Sorry if this is off-topic.

There was a Cryptography course under Core Applications, what happened to it? Right now I am at that exact place in my curriculum progress, should I follow dev branch or master branch? I'm confused.

[waciumawanjohi]

Completely on topic!
This issue pointed out that Cryptography was an advanced course. #570

While the course goes deep on the topic of cryptography, there are many other information security topics that an undergraduate needs to learn that the crypto course does not address.

Since the course did not qualify as 'Core CS' it's been removed. See this commit: 8be7b6d

As to whether to follow the dev or the master branch, right now you should follow dev. There is actually an Issue open about the branches as well: #638 The master branch is currently simply an old version of the dev branch.

[waciumawanjohi]

Another strong contender:
Unlocking Information Security

The first course in this 2-course offering was rated one of the top 50 MOOCs of 2019:
https://www.classcentral.com/report/best-free-online-courses-2019/

[xxylem]

Hello!

Sorry I'm a little slow to the thread. I've been trying out the courses listed. I have done:

• Information Security: Context and Introduction

• Principles of Secure Coding

It seems to be a good track; it's on familiar platform, most of the content is available for free (some quizzes are not). I'll probably finish the UC Davis specialisation.

Perhaps the course "Information Security: Context and Introduction" could be optional though? I did it in a day and I know it's an introduction but it was very light. If you have already done other courses like Networking or Math for CS, you probably already have the context and it didn't add much more than that. They direct you to Wikipedia a lot, so you could probably just get context from there as needed. The quizzes were not very good (they were testing reading comprehension, not understanding of the material). On the plus side, they do include some reading material (journal/newspaper articles).

What do other people think?

[spamegg1]

@waciumawanjohi OK; since my comment, I finished Cryptography I. It's a fairly hard MATH class (with optional programming exercises that are pretty cool). You are correct it does not go much into other security topics. The instructor said it would, but in the second class.

I think I would support the Alternative you suggested. It is less workload heavy, and gives more options/choice to students. Looks pretty good to me. I prefer the thin and lean options; Proposal seems a bit bloated.

Also, off-topic: wouldn't it be so great if secure coding/vulnerabilities were actually taught as standard part of "ordinary" programming classes?

[waciumawanjohi]

@spamegg1 very on topic. The CS2013 actually makes a nod to this. The Knowledge Area Information Assurance and Security was newly added in 2013. It is unique in that some of its topics are listed just under that knowledge area, but the majority are distributed through other knowledge areas. So while we should have some content that is focused exclusively on security, we should also expect other courses to their due diligence in teaching the security practices germane to their topics.

It's seemed that there's relatively little experience with these courses in the OSSU community, so I'm taking time to work through a number of the courses. I've taken Information Security: Context and Introduction and it is very well suited to teach the CS2013 topic "Foundational Concepts in Security". Because of that, I suspect it will be included in any final configuration of the security courses.

I'm currently trying out Unlocking Information Security at the moment. Enjoyable so far.

If you have time, I think this is one of the highest need areas of OSSU. Information Security Analysts are projected to be one of the fastest growing jobs in the US and we have no courses that address the field. I would love to have more OSSUnians that could speak to these courses, particularly about:

• the quality of the lectures
• the amount of feedback available to students who are auditing the course for free
• which topics of the CS2013 are covered by the course

[spamegg1]

@waciumawanjohi Yeah, security is going to be the biggest growth area in CS, might be even bigger than Data Science related jobs.

I think the top quality main security training hub is considered by many to be Cybrary but they are non-free.

[JacobAgunloye]

@waciumawanjohi I'll preface by saying I wasn't a CS Major and only have a few years in the security field (so I'm by no means an expert), but just found OSSU and am a fan of what you guys are doing - so figured I'd try to contributed in any way I can. I generally agree that the security core is a good idea, and think your courses listed should satisfy CS2013 under the assumption of the four learning outcomes you've mentioned - noting that it's just to give users a basic understanding of security and not necessarily meant to be comprehensive (which I think you're already doing a good job of noting by linking the RFC to make users aware).

If you ever decide to create a security section under Advanced CS - which I believe would generally a good idea once a comprehensive list of security classes are curated, I'd probably add Web Security (which some may argue falls between Threats and Attacks or Defensive Programming) but since web development is so popular compared to learning its security aspects, I'd justify it being it's own topic:

Advanced Security

• Foundational Concepts in Security
• Principles of Secure Design
• Defensive Programming
• Threats and Attacks
• Network Security
• Cryptography

1. https://www.coursera.org/learn/crypto
2. https://www.coursera.org/learn/crypto2
   Following up on the prior comments mentioned by another user, I understand why these were removed from core but would recommend adding them to the Security Advanced CS section if one is ever created because the content in the two courses above are good and more detailed than most of the general online security courses I've found.

• Web Security

1. https://web.stanford.edu/class/cs253/
   Haven't finished yet but it is more detailed than most of the general security courses I've found online
   Pre-Req: Basic HTML and JavaScript, probably would equate to a Sophomore Undergrad CS class

If I find courses for the other topics, I'll update this comment but noting it's been somewhat difficult for me to find decent security courses; often many security courses I've found online give a high level of an overview without actually having assignments to provide the ability to put the knowledge to use (which in general I feel is the most important part of learning).

Last Note: The following three courses above are denoted Advanced CS in terms of comprehensiveness opposed to difficulty. Explanation: I considered them as Advanced CS primarily because they are full a semester's length courses - that provide a more comprehensive approach to the four assumed learning outcomes you mentioned in the description (by going into more detail about a particular topic and allowing a person to take the courses only if they are interested).

[spamegg1]

@JacobAgunloye I took Crypto I from Coursera and I'd be OK with adding it to an elective Advanced Security section if one exists in the future. I agree it's high quality and the instructor is good.

Otherwise it's a very hard math course that teaches the implementation of many ciphers in technical detail (then advises against implementing them yourself), but does not really teach how to use security, or how security concepts fit into a wider context. So probably it should not be outside an elective section.

[JacobAgunloye]

@spamegg1 I agree with your thoughts on the Crypto Courses. Let me know what you think about the Web Security course as well if you get a chance to take it.

If an Advanced CS Security section is ever created, here's a list of courses that may be of interest that were created by people a lot smarter than me (would have to be vetted first before selected, as I haven't gotten a chance to take all of them): https://www.reddit.com/r/netsec/wiki/start

This last note is a digression but an interesting note on why it's always advised to never implement crypto other than standardized and established libraries, is that even the good libraries sometimes become compromised, two that come to mind are:

• Openssl a while back:
• https://en.wikipedia.org/wiki/Heartbleed
  Also Microsoft's crypto32 library earlier this year:
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601