The bad: the homework requirements are left with intentional vagueness. It wasn't until midway through the semester that it was clarified that this was by design and that Steve's philosophy is that in the real world there is ambiguity, so programmers will be expected to apply their own judgment in assumptions when writing a program. Having worked in cyber security, I don't totally agree... but that being said, it's good to know upfront that you have a lot of latitude in defining the requirements so long as you document your decisions in your readme. The assignments themselves were time consuming, although not necessarily hard. The thought process is different than most other programming classes: you can't merely write a program to fulfill an outcome, and have to consider how the program can be exploited by attackers. Your goal in writing is to consider the flaws and add robustness to reduce exploit vectors. The midterm and final were open notes/open book and scenario based, so it wasn't a matter of regurgitating material as you had to consider circumstances and apply what was covered in lecture. More CS courses should adopt this format. The lectures were fantastic, and kept pace with real world developments in security. The class was at a particularly interesting time late in the 2016 election season when there was a lot of pub about Hillary Clinton's E-mail server and the hacking of the DNC E-mails. Steve's experience dates back decades and he has a lot of interesting stories which compelled me to research further on my own after class.
I mostly agree with the reviews below but would add that Bellovin curves down (almost the entire class would have gotten an A or A- this semester based on numerical scores and so to change this a 93 was downgraded to a B+). A larger issue not mentioned here is that the assignments lacked foresight and the grading seemed arbitrary. There were several instances when instructions had to be clarified at the last minute before something was due or the rubric itself was incorrect and the grade assigned needed to be revised. A fourth homework was assigned during the week of final exams which should have been announced earlier or released during the semester. I also think it's better policy to make the course requirements more challenging and curve up than to make the requirements trivial and to curve down (this is especially true when based on the results of a final that students cannot see since the semester is over). Not an incredibly demanding course but not particularly substantive or rewarding either.
I'm surprised this course doesn't have more positive reviews. It should. It's a lot of fun and you learn a good amount. The course essentially covers the whole spectrum when it comes to building a secure computer system. We touch on everything from buffer overflows, to real world cryptography issues, to social engineering attacks. This gave us a good overview of what security is about in a computing setting. Prof Bellovin is great. He's clearly extremely passionate amount the material and does a good job presenting it. He's a bit of a legend in the computer security world, and so has lots of great stories to tell; some of them even made us laugh. Definitely recommended.
Security Architecture is a great idea for a course, but I don't like how such an important topic gets watered down so much. In lecture, we just go over a bunch of security concepts like permissions and buffer overflows at a high level. Prof. Bellovin seems to avoid going into technical details when possible, so the lectures are not very information dense. (When I miss class, I usually watch at 1.25x and that speed feels about right.) Some lectures, Prof. Bellovin brings out his funny side and cracks a bunch of jokes, which is pretty nice.
I would recommend this class to anyone except the following two groups: 1) You hate programming in C/C++ 2) Thinking "outside the box" and "thinking like the bad guy" isn't your thing. Otherwise, I heartily recommend the course. Professor Bellovin's lectures are entertaining -- I actually looked forward to going to the lectures. His lectures are obviously well prepared; he seems to reuse the same slides but updates them the night before to keep them relevant. The lectures are organized and lively -- with a nice touch of sarcasm. The assignments are mostly about building a secure program that manages files. Watch out -- just because you "meet the specs" doesn't mean you will get full credit (or even a good grade). Unlike other classes where the professor would promise "you can assume you will get proper input," here you can assume the graders will be very creative about how they can cause your program to produce errors. You have to validate inputs like crazy. Writing the actual program isn't hard, but you will use some unusual/unfamiliar c libraries so don't start too late because you need a day or two to familiarize yourself with the documentation. Definitely do assignment 0 to get your C/C++ up to scratch (and you WILL need it for assignment 1). If you start a week early on pretty much any assignment, it will be a breeze. If you start 2-3 days before the deadline, you will be pulling consecutive late-nighters. The assignments aren't cakewalk, but they aren't complicated or ambitious either. The midterm and final are subjective (and easy), but graded fairly. They accept a lot of answers if the justification is good. They are still published on earlier versions of the course website if you want to have an idea of what they are like. If you know the lectures, can mix the concepts together, and can "think like a bad guy" you will do well on the midterms with little studying. If you pay attention in lecture and go over the slides, you will do well on the test. Overall, this is a really solid course, interesting, and not burdensome. I recommend it.
This course is fairly simple, and a good bet if you are trying to improve your GPA. 4-5 fairly easy, (written + programming) assignments (50%) that will be as simple or as complex as you want them to be; however, putting in extra effort to write an extraordinary program will not fetch you extra credits. Easy mid-term (20%) and finals (30%) that contain only open-ended, "open to interpretation" questions. There are no right or wrong answers to most of the questions. You are supposed to integrate all your knowledge to answer the questions, but basically the answers are so downright simplistic (and amusing) that they might not strike you at all. That is, if you have a rough idea of what has been taught in the class, and use appropriate terms from the slides and suggested reading materials while answering, and mention that your answer assumes "so-and-so", you can hardly get it wrong. The whole course is about applying common sense. I have to say that I didn't learn anything spectacular in this course. I goofed up in the midterms because I didn't apply "enough" common sense, and did very well in everything else. And I got an A- with a 92%, so that should say it all.
Professor Bellovin is an engaging and well-prepared lecturer. He's got a good sense of humor, he can draw you in to the material, and when he does he explains it very clearly. Of course, the material is intrinsically interesting, varied and with a strong focus on real-world security incidents. I'd recommend the course, but there are some caveats. There's no single textbook and the readings, while usually interesting, vary greatly in terms of how thoroughly they cover their subjects. On top of that, while lecture notes are posted online, they usually provide only a broad outline of what Bellovin says in class, so it can be hard to find reference material for homeworks or for studying if you missed a class or didn't take good notes. Also, Bellovin appears to be something of a big shot in the computer security world outside of academia (eg., helped write Usenet back in the day, won the 2007 NIST / NASA security award). This is kind of cool, but involves him missing a relatively large number of classes to travel to conferences and so on. When he's gone, classes are taught by the TA, and at least in our case, the TA was a non-native English speaker and a bad lecturer.