Motivation
Cybersecurity touches nearly every part of modern life. Hardly a day passes without reports of stolen credentials, breached medical records, ransomware attacks against hospitals, or large-scale leaks of sensitive personal data. As our reliance on connected technologies grows, from autonomous vehicles and smart medical devices to critical infrastructure, the consequences of insecure systems become more severe. The risks now extend beyond financial losses and privacy violations to real threats against public safety, business continuity, and even national security.
Weaknesses can arise at every layer of technology: flawed firmware, poorly designed operating system mechanisms, subtle bugs in application code, insecure defaults in programming languages and libraries, and, perhaps most importantly, the fallibility of human users and administrators. In this course, you will study how attackers exploit these weaknesses, not to learn how to attack systems, but to understand where systems fail and how to design them to be more secure. Only by recognizing and analyzing these vulnerabilities can we build systems that are resilient, reliable, and trustworthy.
Whether you plan to work in software development, system administration, network engineering, or technology management, understanding security principles is essential. Security is not an add-on feature to be patched in after deployment. It is a fundamental property of robust systems. This course is designed to help you think critically about security trade-offs and give you the tools to design, evaluate, and maintain systems that can withstand real-world threats.
The course
This course provides a broad introduction to computer security, focusing on how to engineer secure systems rather than how to attack them. Our emphasis will be on understanding the principles, technologies, and failures that shape the security of modern computing environments.
We’ll demystify the security mechanisms that often seem like black magic: encryption, authentication, access control, sandboxes, firewalls, intrusion detection, and more. By the time you leave, terms like "TLS handshake," "hash pointer," or "ASLR" should make sense.
We will cover core topics such as cryptographic techniques, including symmetric and asymmetric encryption, hash functions, and digital signatures, as well as protocols for authentication, key exchange, and secure communication. You will explore the foundations of operating system security, access control models, and sandboxing mechanisms, along with the pitfalls that arise from software design flaws and programmer errors.
The course also addresses network security concepts, including firewalls, intrusion detection, VPNs, and zero trust architectures. We will look at real-world threats, such as routing attacks, phishing, code injection, and ransomware, and examine strategies to mitigate and contain them. In addition, we will discuss the challenges unique to distributed systems, commerce platforms, and mobile devices.
This is not a course on how to break into systems. Instead, you will learn how to analyze where and why systems fail and how to make informed design and engineering decisions to reduce risk.
The course syllabus, available here, provides an outline of the topics we’ll cover. As the semester progresses, I may adjust the schedule to organize material into logical, lecture-sized units and to account for topic dependencies. Any updates will be posted to the course website.
Information about the course, policies, lecture material, exam details, and old exams are available on the main course webpage: people.cs.rutgers.edu/~pxk/419/index.html. A mirror of the content is also hosted at pk.org/rutgers/419. Please review the course policies and prerequisites to ensure a smooth start.
Homework and class announcements will be posted on Canvas throughout the semester.
Welcome to the course!
Lecture notes
The course will use online reading material. We will make much use of Ross Anderson's Security Engineering, second edition, which is available online or in print form. Sadly, Ross Anderson died in March 2024, so I don't know if his web pages will remain up indefinitely.
We will also make use of published papers and other content.
I will post all the lecture slides and lecture notes that summarize lecture content, particularly information that may not be available in the text. While the lecture notes attempt to cover most material that will be presented, I cannot guarantee that they will cover all of the material. The course is not a correspondence course. You are responsible for attending class and for all the material presented in class.
Exams and assignments
To ensure fair grading and give you a chance to engage with the material, this course will include a combination of homework assignments, programming projects, quizzes, and exams. The goal isn’t to overwhelm you but to provide opportunities to apply what you’ve learned and allow me to evaluate your performance fairly without relying on a single high-stakes exam.
You are expected to have reasonable proficiency in programming with C, Java, and/or Python. Completing the programming assignments is mandatory; you cannot pass the course without doing so.
There will be an exam roughly every third lecture, each lasting about half the lecture time. All exams will be weighted equally, and your lowest exam grade will be dropped. Unless you missed an exam or received a grade on one exam that deviated significantly from your other grades, there will be no need for you to take the final.
To reward attendance and keep you at least partially awake (especially since this is a late class), I will occasionally give short, easy quizzes during lectures. These will be designed to reinforce key points from the lecture and can be completed using information covered in class.
By balancing different types of assessments, I hope to create a learning environment that rewards effort, engagement, and understanding without the panic of high-stakes components.