What "security" means professionally. CIA triad. The Saltzer and Schroeder design principles. picoCTF orientation week. Lab 1: CIA-triad worksheet.
Reading (~30 min)
Browse the OWASP Top 10 landing page (owasp.org/Top10) to get a first look at the ten categories. You don't need to understand each one yet. The goal is to see the shape of the list and notice that it is organized around what goes wrong, not around what to defend.
Then read the Wikipedia summary of the Saltzer and Schroeder paper "The Protection of Information in Computer Systems" (1975). Focus on the eight design principles: least privilege, fail-safe defaults, complete mediation, open design, separation of privilege, least common mechanism, psychological acceptability, and work factor. These eight principles show up again in every week that follows; they are the "why" behind most security advice.
Lecture outline (~1.5 hr)
Part 1: What "security" actually means (30 min)
Before diving into tools and attacks, define the terms.
The CIA triad:
- Confidentiality: information is accessible only to those authorized to see it. Examples: your email is confidential to you and the recipients; a patient's medical record is confidential to the care team and the patient.
- Integrity: information is modified only by those authorized to modify it. Examples: a bank ledger that can only be updated by authorized transactions; a software binary that has not been tampered with since the developer signed it.
- Availability: authorized users can access the system when they need it. Examples: a hospital's medication lookup system must be available 24/7; a company's payroll system must be available on payday.
The triad is a framework for asking the right question: when something goes wrong, which of the three properties failed? A ransomware attack primarily attacks availability. A phishing attack that steals credentials attacks confidentiality. A supply-chain compromise that modifies source code attacks integrity.
Beyond CIA: AAA. Authentication (who are you?), Authorization (what are you allowed to do?), and Accountability (who did what, when?) extend the triad to operational systems. They come up in Weeks 6 and 11.
The adversarial framing: Security work is adversarial in a way that other engineering is not. A bridge engineer asks "will this hold the load?" A security engineer asks "what would I do if I wanted to destroy this bridge?" Both questions are necessary. This course teaches the second question in a controlled, ethical environment.
Part 2: The Saltzer and Schroeder principles (30 min)
The eight principles from the 1975 paper. Each is brief and memorable; together they form a checklist for evaluating any security decision.
| Principle | One-sentence version |
|---|---|
| Least privilege | Give a process or user only the access it needs to do its job, nothing more. |
| Fail-safe defaults | The default behavior should be to deny access, not to grant it. |
| Complete mediation | Every access to every resource must be checked against the access-control policy, every time. |
| Open design | The security of a mechanism should not depend on the secrecy of its design. The only secret should be the key, not the algorithm. |
| Separation of privilege | Require more than one condition to be satisfied before granting access. |
| Least common mechanism | Minimize the shared mechanisms through which different users interact; shared state is a potential side channel. |
| Psychological acceptability | Security mechanisms should be easy for users to understand and use correctly, or they will work around them. |
| Work factor | Compare the cost of circumventing the mechanism to the likely resources of the attacker. |
Walk through two examples applying the principles: a login system and a file-sharing service. Students should be able to name which principles are violated when a system stores passwords in plaintext (open design is fine but fail-safe defaults, complete mediation, and psychological acceptability are all implicated depending on context) or when an admin account has no expiry and full access across all systems (least privilege violation).
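The file-sharing walkthrough can be made concrete with a small policy check. This is an added example, not part of the original course materials; the `FileShare` class, user names, and paths are constructed for illustration. It shows fail-safe defaults, least privilege, complete mediation, and separation of privilege in one access-control function.

```python
from dataclasses import dataclass, field


@dataclass
class FileShare:
    """Toy file-sharing policy; all names and paths are constructed for illustration."""
    acl: dict = field(default_factory=dict)       # (user, path) -> set of actions
    approvals: set = field(default_factory=set)   # (approver, path) delete sign-offs
    audit: list = field(default_factory=list)     # every decision, allowed or denied

    def grant(self, user, path, action):
        # Least privilege: a grant covers one user, one file, one action.
        self.acl.setdefault((user, path), set()).add(action)

    def revoke(self, user, path, action):
        self.acl.get((user, path), set()).discard(action)

    def approve_delete(self, approver, path):
        self.approvals.add((approver, path))

    def _has(self, user, path, action):
        # Fail-safe default: no entry means an empty set, which means deny.
        return action in self.acl.get((user, path), set())

    def is_allowed(self, user, path, action):
        # Complete mediation: the policy is re-read on every call, never cached.
        if action == "delete":
            # Separation of privilege: the requester's own write grant AND a
            # sign-off from a different user who also holds write on the file.
            signed = any(p == path and a != user and self._has(a, path, "write")
                         for a, p in self.approvals)
            decision = self._has(user, path, "write") and signed
        else:
            decision = self._has(user, path, action)
        self.audit.append((user, path, action, decision))
        return decision


def demo():
    fs = FileShare()
    fs.grant("alice", "/reports/q1.txt", "read")
    results = [fs.is_allowed("alice", "/reports/q1.txt", "read"),   # granted
               fs.is_allowed("alice", "/reports/q1.txt", "write"),  # never granted
               fs.is_allowed("bob", "/reports/q1.txt", "read")]     # no entry at all
    fs.revoke("alice", "/reports/q1.txt", "read")
    results.append(fs.is_allowed("alice", "/reports/q1.txt", "read"))  # revoked
    return results


if __name__ == "__main__":
    print(demo())
```

The `audit` list records denied requests as well as allowed ones, which is the Accountability property from Part 1.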
Part 3: Professional ethics as day-one content (30 min)
SEC-101 is the course where professional ethics is curriculum, not a footnote.
Three things established in Week 1 that run through the rest of the course:
- Authorization is the bright line. Operating on a system you own or have explicit written permission to test is authorized. Everything else, including "just testing," "it's open so it counts as public," and "I didn't think they'd mind," is unauthorized and potentially criminal. In the U.S., the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030) makes unauthorized access a federal crime regardless of whether you find anything. Other jurisdictions have equivalent statutes. This is the line the course never crosses, and it is the line PEN-101 students learn to document before every engagement.
- The dual-use reality. Every offensive technique the course covers was either discovered by a defender trying to protect a system or is routinely used by defenders to test systems they are authorized to test. There is no "defender-only" security skill and no "attacker-only" skill. The same tool runs both ways. What makes an action ethical is authorization and intent. What makes it professional is documentation.
- picoCTF is the week's lab environment. CTF competitions are the profession's sanctioned training ground: explicitly designed to be attacked, explicitly authorized, explicitly safe. Creating an account on picoCTF.org this week is the student's first authorized-access setup. Notice what that setup requires: an account, explicit acceptance of terms, challenges that are scoped and time-limited. That structure is the shape of every authorized security engagement.
Lab exercises (~1.5 hr)
Lab 1: CIA-triad worksheet (graded)
See labs/lab-1-cia-triad.md for the full lab.
The lab takes approximately 60-90 minutes. Work through it before the next session.
In-class: picoCTF orientation (30 min, ungraded)
Create an account at picoCTF.org if you haven't already. Browse to the Practice arena and find the General Skills category. Attempt at least one challenge before the next session. The goal is navigation familiarity, not solving. If you get stuck on the first challenge, that's fine: write down exactly where you got stuck. That question is the starting point for next week.
Independent practice (~5 hr)
- Reading (1 hr): Read the OWASP Top 10 category descriptions for A01 (Broken Access Control) and A02 (Cryptographic Failures). These are the first two categories because they are the most common. You don't need to understand the technical details yet; read for the pattern of what goes wrong.
- picoCTF spine (3 hr): Work in the General Skills category. Aim to complete at least 3 challenges. Document each one in your lab notebook: what you tried, what worked, what you didn't understand. Attempts-with-notes count as much as solves.
- Reflection (1 hr): Write your responses to the reflection prompts below before the next session.
Reflection prompts
- Choose a system you use every day (your email account, your bank's mobile app, a school system, a smart-home device). Identify one threat to each of the three CIA properties: confidentiality, integrity, and availability. Which of the three do you think the system's designers focused on most? What evidence in the product supports your answer?
- The Saltzer and Schroeder principle "psychological acceptability" says that security mechanisms should be easy for users to understand and use correctly. Identify one security feature you use regularly (a password, a two-factor authentication prompt, a lock screen) and evaluate whether it satisfies this principle. What would an attacker gain if the feature is psychologically annoying enough that users work around it?
- The CFAA makes unauthorized access a federal crime regardless of intent. Why does the law not include a "good intentions" exception? Think through what would happen if it did.
Week 1 of 14. Next: Threat Modeling I (STRIDE, attack trees, data flow diagrams).