COMP 116: Introduction to Cyber Security

Required Readings

Week 1 Required Readings

  1. A Disaster Foretold --and Ignored (Washington Post)
  2. Reflections on Trusting Trust by Ken Thompson
  3. Programmers: Stop Calling Yourselves Engineers (The Atlantic)
  4. Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say (NYT)
  5. Verizon 2018 Data Breach Investigations Report (DBIR)
  6. Cybersecurity: Time for a New Definition (Lawfare)
  7. The Trinity of Trouble: Why the Problem is Growing (Freedom to Tinker)
  8. Tools and Techniques to Succeed at the Wall of Sheep (on
  9. The Basics of Arpspoofing/Arppoisoning (
  10. ARP Spoofing (Veracode)
  11. Fun With Network Friends (2600 Magazine, Summer 2008)
  12. We scanned the Internet for port 22 (Errata Security)
  13. Thousands of computers open to eavesdropping and hijacking (Sophos)
  14. Deep Inside a DNS Amplification DDoS Attack (Cloudflare)
  15. Brian Krebs' Blog Hit by 665 Gbps DDoS Attack (SecurityWeek)
  16. Network Protocols (Destroy All Software)

Week 2 Required Readings

  1. How to Dramatically Improve Corporate IT Security Without Spending Millions (Praetorian)
  2. You Wouldn't Base64 a Password - Cryptography Decoded (Paragon Initiative)
  3. Enterprise Security - SSL/TLS Primer Part 1 - Data Encryption (Akamai)
  4. Enterprise Security - SSL/TLS Primer Part 2 - Public Key Certificates (Akamai)
  5. GitHub Security Update: Reused password attack (GitHub)
  6. Analyzing the Patterns of Numbers in 10M Passwords (2015)
  7. Salted Password Hashing - Doing it Right
  8. Hacker, Hack Thyself: Always assume that Internet Bad Guys will somehow get a copy of your database. Then what? (Coding Horror)
  9. AdiOS: Say Goodbye to Nosy iPhone Apps (Veracode)
  10. Mitmproxy: Your D.I.Y. Private Eye (Medium)
  11. Reverse-Engineering the Kayak App with mitmproxy (
  12. Illustrated: How HTTPS Works (

Week 3 Required Readings

  1. READ FIRST: How The Web Works --In One Easy Lesson (
  2. READ SECOND: Veracode's State of Software Security 2016
  3. How The Web Works --In One Easy Lesson (
  4. What happens when you type into your browser and press enter? (on GitHub)
  5. OWASP Top 10
  6. CWE/SANS TOP 25 Most Dangerous Software Errors
  7. Metasploitable 2 Exploitability Guide (Rapid7)
  8. Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection (Veracode)
  9. Cross-Site Request Forgeries and You (Coding Horror)
  10. CSRF Attacks - What They Are and How to Defend Against Them (Acunetix)
  11. Cross-Site Request Forgery (OWASP)
  12. Cross-Site Request Forgeries: Exploitation and Prevention (Zeller, Felten)
  13. Blind SQL Injection: What is it? (Acuenix)
  14. XKCD: Exploits of a Mom
  15. The History of SQL Injection, the Hack That Will Never Go Away (Vice)
  16. Anonymous Leaks Paris Climate Summit Officials' Private Data (Wired)
  17. Why Even Google Is Susceptible to the Most Basic Website Vulnerabilities (Veracode)
  18. Paypal 2FA Bypass (
  19. 10 Scariest Vulnerabilities (Veracode)

Week 5 Required Readings

  1. Binary Static Analysis (Chris Wysopal's talk to this class back in spring 2012)
  2. We See the Future and It's Not Pretty: Predicting the Future Using Vulnerability Data (Chris Wysopal's talk to this class back in fall 2013)
  3. A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM (Gary McGraw's talk to my class in fall 2013)
  4. Introduction to CVE, CWE, and the Top 25 (Steve Christey Coley's guest talk to this class back in fall 2015)
  5. Why Everything is Hackable: Computer Security is Broken From Top to Bottom (The Economist)
  6. The Difference Between CWE and CVE (Daniel Miessler)
  7. Web Applications Under Attack: and the 2017 Verizon DBIR (Tenable)
  8. The Language of AppSec (Veracode)
  9. Application Security Tools: Good or Bad? (Freedom-To-Tinker)
  10. Badness-meters Are Good. Do You Own One? (Synopsys)

Week 6 Required Readings

  1. The Internet Worm Program: An Analysis (
  2. Reverse Engineering Malware (Alien Vault)
  3. CryptoLocker Ransomware (Sophos)
  4. SMB Exploited: WannaCry Use of "EternalBlue" (FireEye)
  5. Viking Horde: A New Type of Android Malware on Google Play (Check Point)
  6. Building a Home Lab to Become a Malware Hunter - A Beginner's Guide (Alien Vault)
  7. Last but not least, and perhaps wrapping up the course: Attacking Malicious Code: A Report to the Infosec Research Council (McGraw, Morrisett; IEEE 2000)