Course evaluation: CS-305 Software Security


The purpose of this evaluation is to inform your expectations of CS-305 Software Security. As the name suggests, CS-305 focuses on creating secure software by following industry best practices and implementing software testing throughout the software development lifecycle.

CS-305 study material

The reading material for each week consists of one or two chapters from the book Iron-Clad Java: Building Secure Web Applications. CS-305 also assigns other reading material from the Shapiro Library and from other parts of the web.

CS-305 learning tools

The learning tools for CS-305 are the OWASP dependency check plugin, Eclipse, Maven, the Spring framework, and a terminal for generating a self-signed certificate. You can easily prepare for CS-305 by becoming familiar with the Spring framework and the OWASP dependency plugin for Maven.

CS-305 topics

Figure 1

CS-305 weekly assignments

Static testing

CS-305 kicks off with an introduction to static testing, an industry approach to automated code testing using a popular open-source plugin, the OWASP dependency plugin for Maven.

Week one consists of reading chapters one and ten from Iron-Clad Java, an introduction post, a quiz, and a non-graded tutorial to integrate the Maven dependency plugin in Eclipse to prepare for the static testing assignment in week two.

Week two consists of reading chapters three and seven, a written assignment, and a lengthy and labor-intensive static testing assignment.

The static testing assignment involves integrating the famous OWASP dependency plugin into an existing Java project and running the plugin to find known vulnerabilities in the project’s dependencies. The number of vulnerabilities can range between 20 and 60, and you are expected to document each vulnerability by detailing its security implications and recommending a mitigation plan.

Although the rubric states that the static testing assignment should be about 5 pages long, mine was a total of 21 pages long for 64 vulnerabilities, 21 of which were duplicates. Around 43 paragraphs were from copying and pasting the description of each vulnerability with a citation and a mitigation plan of one paragraph for each vulnerability excluding duplicates.

After week two, static testing was a breeze, mainly because I took the time to understand how the OWASP dependency plugin works and how to filter out false positives.

My post on filtering out false positives for Project Two and in general will save you a lot of time and provide you with intuition.

CS-305 related post: Reconfiguring the dependency check tool to stop the alarms for false positives

Manual review

After static testing, CS-305 introduced me to manual review and gave me several projects to manually review for security vulnerabilities and prompted me to fix the security concerns and recommend a mitigation plan.

CS-305 related post: This post will help you to successfully run the Module2.1 project on Eclipse for CS-305: Software Security

SSL certificates

Later in the course, as part of Project Two, you discuss the use of SSL certificates and generate a self-signed certificate to secure Artemis Financial’s public API. It turned out that generating a self-signed certificate is easy using the terminal, and I have written a post about it and discussed the pros and cons of using a self-signed certificate and a CA certificate.

CS-305 related post: Explain the role and value of the services provided by a certificate authority (CA)

Checksum verification

CS-305 also introduced me to checksum verification and how to create my own checksum verification using Java. Generating a checksum verification in Java was easier than I thought. My post for generating a checksum should give you more details on what to expect.

CS-305 related post: Checksum verification using an encryption algorithm cipher that avoids collisions.

CS-305 related post: Recommend an appropriate encryption algorithm cipher to deploy given Artemis Financial’s needs.

What I liked about CS-305

My biggest appreciation for taking CS-305 was that it taught me how software professionals keep their applications secure by following the software industry’s best practices. Specifically, I know a lot more about SSL certificates and how they work, I know how to choose between encryption algorithms, and I had a chance to put my theoretical knowledge of testing software into practice.

Iron-Clad Java: Building Secure Web Applications was also one of the few books that I have enjoyed reading. I loved how the book was structured and how easy it was to understand.

What I disliked about CS-305

At first I disliked researching mitigation plans for common vulnerabilities, but then it became easier and faster towards the end.

I did not enjoy rummaging through boilerplate code trying to figure out security vulnerabilities for a framework I did not understand well (Spring framework). Manual review could have been a lot more trouble than it was if not for my practical experience as a web developer.

Final thoughts

CS-305 covers a lot of topics, but it does not leave you stranded without providing helpful resources to help you navigate the course and complete assignments. I am fairly sure that you will also enjoy reading Iron-Clad and generating a self-signed certificate and a checksum verification.

One last thing: don’t underestimate Module Two, and give yourself plenty of time to work on static testing.

If you plan your weeks accordingly and try to comprehend the topics covered in CS-305, you will be on the right track to finish strong.

Figure 2

CS-305 final grade