ossu/computer-science

Request for Comment: Add Security Courses

waciumawanjohi opened this issue · 22 comments

Problem:
OSSU:CS does not give students the proper broad introduction to information security.

Duration:
Feb 29, 2020

Background:
OSSU promises the equivalent of an undergraduate degree in Computer Science. In order to evaluate our recommended courses, we use the Curriculum Guidelines for Undergraduate Programs in Computer Science (CS2013). More information can be found here.

CS2013 specifies a number of knowledge areas a curriculum must cover, one of which is Information Assurance and Security (IAS). This is described as "...the set of controls and processes both technical and policy intended to protect and defend information and information systems by ensuring their confidentiality, integrity, and availability, and by providing for authentication and non-repudiation." There are 6 topics within this knowledge area.

  • Foundational Concepts in Security
  • Principles of Secure Design
  • Defensive Programming
  • Threats and Attacks
  • Network Security
  • Cryptography

It is important to note that the expectation is generally just an introduction of these areas. There need only be 1-2 hours of lecture material on each topic (this time does not count course readings, assignments, etc, which will be extra time). The learning outcomes on most topics expect only that students are familiar with the topics, not necessarily that they have used them. For example, students must be able to "Explain why input validation and data sanitization is necessary in the face of adversarial control of the input channel." Asking students to undertake data sanitization goes above and beyond the curricular requirements. (It should be noted that students may certainly choose electives that far exceed the general requirements.)

The four learning outcomes that expect students to demonstrate 'usage' are:

  • Analyze the tradeoffs of balancing key security properties (Confidentiality, Integrity, and Availability).
  • Classify common input validation errors, and write correct input validation code.
  • Demonstrate using a high-level programming language how to prevent a race condition from occurring and
    how to handle an exception.
  • Demonstrate the identification and graceful handling of error conditions.
    Only 2 of these expect students to write code.

Proposal:
Add three courses to the curriculum:

And give students the option between one of these two courses:

Alternatives:
a) Use only one course to cover all of the IAS topics:

b) Choose one of the following specializations (which go more in depth).

Sorry if this is off-topic.

There was a Cryptography course under Core Applications, what happened to it? Right now I am at that exact place in my curriculum progress, should I follow dev branch or master branch? I'm confused.

Completely on topic!
This issue pointed out that Cryptography was an advanced course. #570

While the course goes deep on the topic of cryptography, there are many other information security topics that an undergraduate needs to learn that the crypto course does not address.

Since the course did not qualify as 'Core CS' it's been removed. See this commit: 8be7b6d

As to whether to follow the dev or the master branch, right now you should follow dev. There is actually an Issue open about the branches as well: #638 The master branch is currently simply an old version of the dev branch.

Another strong contender:
Unlocking Information Security

The first course in this 2-course offering was rated one of the top 50 MOOCs of 2019:
https://www.classcentral.com/report/best-free-online-courses-2019/

Hello!

Sorry I'm a little slow to the thread. I've been trying out the courses listed. I have done:

  • Information Security: Context and Introduction

  • Principles of Secure Coding

It seems to be a good track; it's on familiar platform, most of the content is available for free (some quizzes are not). I'll probably finish the UC Davis specialisation.

Perhaps the course "Information Security: Context and Introduction" could be optional though? I did it in a day and I know it's an introduction but it was very light. If you have already done other courses like Networking or Math for CS, you probably already have the context and it didn't add much more than that. They direct you to Wikipedia a lot, so you could probably just get context from there as needed. The quizzes were not very good (they were testing reading comprehension, not understanding of the material). On the plus side, they do include some reading material (journal/newspaper articles).

What do other people think?

@waciumawanjohi OK; since my comment, I finished Cryptography I. It's a fairly hard MATH class (with optional programming exercises that are pretty cool). You are correct it does not go much into other security topics. The instructor said it would, but in the second class.

I think I would support the Alternative you suggested. It is less workload heavy, and gives more options/choice to students. Looks pretty good to me. I prefer the thin and lean options; Proposal seems a bit bloated.

Also, off-topic: wouldn't it be so great if secure coding/vulnerabilities were actually taught as standard part of "ordinary" programming classes?

@spamegg1 very on topic. The CS2013 actually makes a nod to this. The Knowledge Area Information Assurance and Security was newly added in 2013. It is unique in that some of its topics are listed just under that knowledge area, but the majority are distributed through other knowledge areas. So while we should have some content that is focused exclusively on security, we should also expect other courses to their due diligence in teaching the security practices germane to their topics.

It's seemed that there's relatively little experience with these courses in the OSSU community, so I'm taking time to work through a number of the courses. I've taken Information Security: Context and Introduction and it is very well suited to teach the CS2013 topic "Foundational Concepts in Security". Because of that, I suspect it will be included in any final configuration of the security courses.

I'm currently trying out Unlocking Information Security at the moment. Enjoyable so far.

If you have time, I think this is one of the highest need areas of OSSU. Information Security Analysts are projected to be one of the fastest growing jobs in the US and we have no courses that address the field. I would love to have more OSSUnians that could speak to these courses, particularly about:

  • the quality of the lectures
  • the amount of feedback available to students who are auditing the course for free
  • which topics of the CS2013 are covered by the course

@waciumawanjohi Yeah, security is going to be the biggest growth area in CS, might be even bigger than Data Science related jobs.

I think the top quality main security training hub is considered by many to be Cybrary but they are non-free.

@waciumawanjohi I'll preface by saying I wasn't a CS Major and only have a few years in the security field (so I'm by no means an expert), but just found OSSU and am a fan of what you guys are doing - so figured I'd try to contributed in any way I can. I generally agree that the security core is a good idea, and think your courses listed should satisfy CS2013 under the assumption of the four learning outcomes you've mentioned - noting that it's just to give users a basic understanding of security and not necessarily meant to be comprehensive (which I think you're already doing a good job of noting by linking the RFC to make users aware).

If you ever decide to create a security section under Advanced CS - which I believe would generally a good idea once a comprehensive list of security classes are curated, I'd probably add Web Security (which some may argue falls between Threats and Attacks or Defensive Programming) but since web development is so popular compared to learning its security aspects, I'd justify it being it's own topic:

Advanced Security

  • Foundational Concepts in Security
  • Principles of Secure Design
  • Defensive Programming
  • Threats and Attacks
  • Network Security
  • Cryptography
  1. https://www.coursera.org/learn/crypto
  2. https://www.coursera.org/learn/crypto2
    Following up on the prior comments mentioned by another user, I understand why these were removed from core but would recommend adding them to the Security Advanced CS section if one is ever created because the content in the two courses above are good and more detailed than most of the general online security courses I've found.
  • Web Security
  1. https://web.stanford.edu/class/cs253/
    Haven't finished yet but it is more detailed than most of the general security courses I've found online
    Pre-Req: Basic HTML and JavaScript, probably would equate to a Sophomore Undergrad CS class

If I find courses for the other topics, I'll update this comment but noting it's been somewhat difficult for me to find decent security courses; often many security courses I've found online give a high level of an overview without actually having assignments to provide the ability to put the knowledge to use (which in general I feel is the most important part of learning).

Last Note: The following three courses above are denoted Advanced CS in terms of comprehensiveness opposed to difficulty. Explanation: I considered them as Advanced CS primarily because they are full a semester's length courses - that provide a more comprehensive approach to the four assumed learning outcomes you mentioned in the description (by going into more detail about a particular topic and allowing a person to take the courses only if they are interested).

@JacobAgunloye I took Crypto I from Coursera and I'd be OK with adding it to an elective Advanced Security section if one exists in the future. I agree it's high quality and the instructor is good.

Otherwise it's a very hard math course that teaches the implementation of many ciphers in technical detail (then advises against implementing them yourself), but does not really teach how to use security, or how security concepts fit into a wider context. So probably it should not be outside an elective section.

@spamegg1 I agree with your thoughts on the Crypto Courses. Let me know what you think about the Web Security course as well if you get a chance to take it.

If an Advanced CS Security section is ever created, here's a list of courses that may be of interest that were created by people a lot smarter than me (would have to be vetted first before selected, as I haven't gotten a chance to take all of them): https://www.reddit.com/r/netsec/wiki/start

This last note is a digression but an interesting note on why it's always advised to never implement crypto other than standardized and established libraries, is that even the good libraries sometimes become compromised, two that come to mind are:

Hey folks, I just wanted to add my two cents as a security engineer myself. I think the University of Maryland Cybersecurity specialization on Coursera is the highest quality security coursework available on any MOOC right now. Most of the other treatments I've seen are superficial, broad, or dated (the UC Davis courses in your curriculum now look decent). The UMD course is a more rigorous review of fundamentals with a particularly strong software security course, essentially the underpinning of all modern security. I appreciate they included the 'Usable Security' course in the specialization, too, which covers human factors most other programs won't even consider.

ps. I will also note that I'm a moderator for the above-referenced /r/netsec and helped write some of the content on that /start wiki. I've been an educator in the past, as a faculty member in NYU Tandon's cybersecurity program, too.

Has anything been decided about this RFC, and the aforementioned security courses?

The courses in the original proposal have been included in the curriculum. Before them is this note:

Note: These courses are provisionally recommended. There is an open Request For Comment on security course selection. Contributors are encouraged to compare the various courses in the RFC and offer feedback.

I take from Xxylem's and Dguido's comments that the UC Davis courses are reasonable courses. Dguido's perspective is valuable as is his endorsement of U Maryland's specialization (one of the alternate possibilities I listed). My hope is that more students will offer feedback and perspective on these two programs (UC Davis & U Maryland).

The 'Defensive Programming & Debugging' PRACE course on FutureLearn is great (I have taken it). It teaches the practical aspects of code security, and is taught by academics from supercomputing centres in Europe.

The drawback is that it is not available on-demand, and therefore may not be suitable for OSSU.

@waciumawanjohi

Hi , Please can you make the final list of the cyber security track

One possible resource, it's worked well for me but I don't know if it's organized in a way you guys would want, it's also sort of it's own standalone OSSU with a focus on cybersecurity.
https://www.hoppersroppers.org/training.html

With 1 comment over the past year, it seems time to close this call for comments. I remain interested in the recommendation for U Maryland's cybersecurity course and welcome future comments comparing its quality to the current recommendations. I am also interested in recommendations for courses that would be appropriate for an Advanced Security section. See this comment as a starting point.

I just finished the first two courses

Principles of Secure Coding
Identifying Security Vulnerabilities

They pretty much all of the topics in IAS/Principles of Secure Design and IAS/Foundational Concepts in Security

Except:
• Concept of trust and trustworthiness
• Usable security
• Security composability
• Use of Vetted security components (sort of covered by the first 2 courses but not in depth)
• End-to-End Security
• Prevention, detection, and deterrence

With the exception of the last one, the first 3 don't seem to be covered in either of the optional courses. Maybe we could do away with them to make the curriculum lighter.

To elaborate on what is covered, please refer these images:

(When I say "Secure Coding Practices Specialization", I mean just the first 2 courses that I've done. )

Screenshot from 2023-01-04 20-35-47

Screenshot from 2023-01-04 20-36-30

Screenshot from 2023-01-04 20-36-49

The 4th course in the spec does cover "Prevention, detection, and deterrence" but that's a tier 2 topic. I haven't done the other 2 courses, so maybe someone who has can provide more guidance. We could move them to advanced or remove them to make the curriculum lighter. The first 2 courses seem to pretty much cover what we need except a small handful of topics.

This is good info! Can you make a new RFC so that this gets visibility from interested contributors?

Will do this weekend!