Course profile

Vulnerability Assessment and Penetration Testing (COMP3320)

Study period: Sem 1 2025
Location: St Lucia
Attendance mode: In Person

Course overview

Study period: Semester 1, 2025 (24/02/2025 - 21/06/2025)
Study level: Undergraduate
Location: St Lucia
Attendance mode: In Person
Units: 2
Administrative campus: St Lucia
Coordinating unit: Elec Engineering & Comp Science School

The course provides an introduction to the methodologies and software tools of cyber security vulnerability assessment and cyber security penetration testing. It covers key concepts and topics in cyber security vulnerability assessment and penetration testing, as an integral part of overall enterprise information security management, including the vulnerability assessment process, host and network scanning techniques, the principles of penetration testing, and penetration testing techniques for network security, software security, web security and mobile device security.

This course is designed and delivered by industry experts. It includes a number of guest lectures by other industry professionals as well. The lecture topics include ethics, techniques, reconnaissance, open-source intelligence, network scanning, sniffing and spoofing, cryptography, password security, log files, software vulnerabilities, static/dynamic software assessment, fuzzing, embedded systems, memory corruption, Web hacking (backend/frontend), SSL/TLS, Windows hacking and also mobile device security. The course includes practical sessions on discovering, exploiting and mitigating vulnerabilities, and configuring and operating relevant software tools. Components of these practical sessions are assessed on-campus every week. The course uses only Unix-based tools and does not use Microsoft Windows or other GUI-based systems. All practical assessments use a shell command line (see Assumed Background). The prerequisite assumed knowledge will not be re-taught in this course. Every practical session develops new skills and assesses the application of the skills from the previous week's practical session. Thus, practical sessions are cumulative, each week building on the previous week.

The following aspects of the course have been changed from last year, in response to student feedback:

  • Regarding the speed of marking, the new practical exercises are now marked instantly, entirely during the running practical session with immediate feedback (previously the marking was performed up to 6 days after the practical), and the teaching staff can now concentrate on the Assignment marking rather than marking the practical exercises;
  • Regarding the practical assignments requiring hours of work before the practical session in order to finish them by the end of the allocated session (including suggestions that practical sessions should be longer than 2 hours per week), this is expected - students should be spending approximately 6 hours additional time every week, on top of the contact hours, and this will now be emphasised during the initial lecture;
  • Regarding the suggestion of providing practical-style environments for students to "practice" on outside of their allocated "Practical" session, the teaching staff are setting similar environments up to practice on outside of the scheduled practical times (during any scheduled practical time all of our computing resources will be dedicated to the allocated practical class); and finally,
  • Regarding the "Assignment" (previously purely a research assignment) being too abstracted from the course, the "Penetration Testing Assignment" now covers greater working aspects of actual industry penetration testing in practice, rather than only research aspects.

Course requirements

Assumed background

This course has two pre-requisites and the knowledge from these courses is assumed prior knowledge and not taught in COMP3320:

CSSE2310/CSSE7231 Computer Systems Principles and Programming; AND

COMS3000/CYBR3000/CYBR7002 Information Security.

A strong understanding and practical knowledge of computer architecture, networking subsystems and operating systems is expected from Week 1. Alternative courses in computer or microprocessor design OR previous employment involving programming in assembly language and/or industrial PLC programming may be considered in lieu of CSSE2310/CSSE7231. To meet the second pre-requisite, students must have a working understanding of Information Security, including: Cyber Security basics, hashes, secret-key and public-key cryptography, key strength, brute-force and dictionary attacks, digital signatures, session hijacking, cookie manipulation, authentication protocols, etc. Students must have technical skills, including: using the Linux command line for all activities, using ssh and scp, generating cryptographic key-pairs, generating hashes, performing symmetric and asymmetric encryption with tools like OpenSSL, creating and validating digital signatures, manipulating file and directory permissions, and Python programming.

Prior exposure to assembly code and Web programming (JavaScript, PHP) is recommended, but not essential as long as the prerequisite courses have been successfully completed.

The practical labs and assignments in this course will be primarily on Linux-based operating systems (some test targets are Microsoft-based operating systems, but the operations will all be initiated from Linux systems). The practical assessed content is run entirely from the Linux command line.

Prerequisites

You'll need to complete the following courses before enrolling in this one:

(CSSE2310 or CSSE7231) and (CYBR3000 or COMS3000 or CYBR7002)

Course contact

Course staff

Lecturer

Dr David Ross

Timetable

The timetable for this course is available on the UQ Public Timetable.

Additional timetable information

Note that the first of the practical assignments is issued in Week 1 and starts with the first practical classes in Week 2. Weekly attendance at your allocated practical session is mandatory. There are a number of different practical sessions available. You must select a practical session that you can physically attend at the same time every week. Students adding this course during Week 2 after teaching has started must select and attend a remaining available practical session during Week 2. (Late addition of this course after Week 2 is not permitted.) Do not take this course if you cannot secure a practical session where you can attend the full 2 hours every week (some labs are made up of 2 different 1-hour sessions). Missed sessions are calculated as zero marks for that session. A lecture or practical class that would have been scheduled on a public holiday will not occur and will not be substituted for another date. The course schedule (including labs) has been planned to accommodate the missing dates. There are no practical sessions in Week 1 or Week 8.

Aims and outcomes

This course aims to provide students with the foundations of, and hands-on experience with the core technologies used for, vulnerability assessment and penetration testing. This prepares students for understanding the process of vulnerability assessment and penetration testing, identifying vulnerabilities, evaluating and reporting on the security of a system and proposing appropriate plans to mitigate security threats.

Learning outcomes

After successfully completing this course you should be able to:

LO1.

apply the ethical and legal aspects of conducting vulnerability assessment and penetration testing

LO2.

interpret the processes of vulnerability assessment and penetration testing

LO3.

select and apply suitable techniques and tools for reconnaissance, sniffing, scanning and enumeration

LO4.

recognise the known vulnerabilities in existing protocols, systems and applications

LO5.

design and compare suitable strategies and techniques for access gaining

LO6.

develop customised plans of vulnerability discovery, management and remediation

Assessment

Assessment summary

| Category | Assessment task | Weight | Due date |
| --- | --- | --- | --- |
| Practical/ Demonstration | Practical Reports (Progressive Assessment) (Hurdle, In-person) | 35% | Week 2 - Week 7; Week 9 - Week 13. Practical reports are submitted during the student's allocated practical session. |
| Paper/ Report/ Annotation | Penetration Testing Assignment | 15% | 15/04/2025 4:00 pm |
| Examination | Final Exam (Hurdle, Identity Verified, In-person) | 50% | End of Semester Exam Period, 7/06/2025 - 21/06/2025 |

A hurdle is an assessment requirement that must be satisfied in order to receive a specific grade for the course. Check the assessment details for more information about hurdle requirements.

Assessment details

Practical Reports (Progressive Assessment)

  • Hurdle
  • In-person
Mode: Activity/ Performance
Category: Practical/ Demonstration
Weight: 35%
Due date: Week 2 - Week 7; Week 9 - Week 13. Practical reports are submitted during the student's allocated practical session.
Other conditions: Time limited.

See the conditions definitions

Learning outcomes: L02, L03, L04, L05, L06

Task description

The weekly practical work will involve tasks and exercises to be progressively assessed each week during the student's allocated practical session. Practical classes start in Week 3. Weekly attendance at your allocated practical session is mandatory. Missed sessions are calculated as zero marks for that session. Late addition of this course after Week 2 is not permitted. Every practical session develops new skills and assesses the application of the skills from the previous week's practical session. Thus, practical sessions are cumulative, each week building on the previous week. The first practical class in week 3 provides the formative learning that will be assessed the following week.

The weekly practical reports must be submitted as part of the student’s allocated practical session - late submissions receive a 100% late penalty and no extensions are possible. Information required for your unique solution for the weekly assessments can only be obtained during your practical session. Target machines are only orchestrated for each hour of your scheduled lab session and are torn-down automatically and changed to accommodate the next session. You must select a single lab session that you can physically attend at the same time for the full 2 hours every week.

The Week 3 assessment is formative (practice). All nine remaining practical sessions start with summative assessments of the previous week's practical skills.

The practical sessions will be delivered in the Computer Labs in the General Purpose South building (78-116) or, for some weeks, in the UQ Cyber War Rooms on Level 4 of the General Purpose South building (78). Ensure you request practical sessions that you can physically attend the whole 2-hour session (all timetabling shows the location as 78-116). You may not attend another session that you are not allocated to. Lab sessions will be very full and the practical environments will be set up with the logins of the students allocated to each particular session in UQ's class allocation system.

The course uses only Unix-based tools and does not use Microsoft Windows or other GUI-based systems. All practical assessments use a shell command line (see Assumed Background). The prerequisite assumed knowledge will not be re-taught in this course.

Details of each weekly session's tasks and method for submission will be provided on the Lab Instructions each week (downloadable from Blackboard each week). There are no practical sessions in Week 1 or Week 8 (due to a public holiday affecting one of the classes in Week 8).

This task has been designed to be challenging, authentic and complex. Whilst students may use AI and/or MT technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.

To pass this assessment, students will be required to demonstrate detailed comprehension of their written submission independent of AI and MT tools.

Hurdle requirements

If you fail to obtain at least 20% of the total possible marks for all of the assessed weekly practical lab exercises combined, your overall mark for this course will be capped to at most 46, corresponding to an overall grade of 2 or lower. If you fail to obtain at least 40% of the total possible marks for all of the assessed weekly practical lab exercises combined, your overall mark for this course will be capped to at most 49, corresponding to an overall grade of 3 or lower. If you fail to obtain at least 50% of the total possible marks for all of the assessed weekly practical lab exercises combined, your overall mark for this course will be capped to at most 64, corresponding to an overall grade of 4 or lower.

Submission guidelines

The practical work is submitted during the practical session. Practical reports assess the practical skills developed the previous week. Additional submission details will be given in the lab sheet each week.

Deferral or extension

You cannot defer or apply for an extension for this assessment.

Practical reports are completed as part of a scheduled practical class.

If there are exceptional circumstances, an exemption may be approved and may involve submitting/discussing your work as it stands. Exemptions must be requested as an "extension" with a note specifying you are requesting an exemption via my.UQ.

Late submission

You will receive a mark of 0 if this assessment is submitted late.

Penetration Testing Assignment

Mode: Written
Category: Paper/ Report/ Annotation
Weight: 15%
Due date: 15/04/2025 4:00 pm
Learning outcomes: L01, L02, L04, L06

Task description

This assignment requires students to compile a report that demonstrates the ability to locate high quality sources of relevant information, to understand complex concepts, to analyse and organise information and ideas and to convey those ideas clearly and fluently; and the ability to synthesize a clear and concise report of the appropriate level and style. The specific details, tasks, and assessment criteria for this assignment will be released during the first lecture on 25th February 2025 and will be due seven weeks later, on 15th April 2025. The assignment runs concurrently with the first half of the course's lectures and practicals, but assesses a completely different aspect of the course objectives, requiring a combination of risk assessment, legal, and ethical considerations that you have researched after the Week 1 lecture, and your solution is then presented in your report in a manner appropriate for the target audience.

This task has been designed to be challenging, authentic and complex. Whilst students may use AI and/or MT technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.

To pass this assessment, students will be required to demonstrate detailed comprehension of their written submission independent of AI and MT tools.

Submission guidelines

Deferral or extension

You may be able to apply for an extension.

The maximum extension allowed is 28 days. Extensions are given in multiples of 24 hours.

The assignment is designed to be completed in the first half of the course in order to maximise students' remaining time for the practicals, which due to their progressive complexity, become increasingly challenging in the later weeks. While extensions are possible for this assignment, students must also be aware of the increasing practical workload as the course progresses. Any extension must be requested via my.UQ.

Late submission

A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.

Final Exam

  • Hurdle
  • Identity Verified
  • In-person
Mode: Written
Category: Examination
Weight: 50%
Due date: End of Semester Exam Period, 7/06/2025 - 21/06/2025
Other conditions: Time limited.

See the conditions definitions

Learning outcomes: L01, L02, L03, L04, L05, L06

Task description

The final exam will be a summative assessment which covers all topics in this course. 

The exam will be an on-campus paper-based exam. This exam will be closed-book and will contain a combination of problem-solving and short answer questions.

Hurdle requirements

If you fail to obtain at least 20% of the total possible marks for the exam, your overall mark for this course will be capped to at most 46, corresponding to an overall grade of 2 or lower. If you fail to obtain at least 40% of the total possible marks for the exam, your overall mark for this course will be capped to at most 49, corresponding to an overall grade of 3 or lower. If you fail to obtain at least 50% of the total possible marks for the exam, your overall mark for this course will be capped to at most 64, corresponding to an overall grade of 4 or lower.

Exam details

Planning time: 10 minutes
Duration: 120 minutes
Calculator options: Any calculator permitted
Open/closed book: Closed Book examination - no written materials permitted
Exam platform: Paper based
Invigilation: Invigilated in person

Submission guidelines

Deferral or extension

You may be able to defer this exam.

Course grading

Full criteria for each grade are available in the Assessment Procedure.

Grade Cut off Marks Description
1 (Low Fail) 0 - 19

Absence of evidence of achievement of course learning outcomes.

Course grade description: To achieve a grade of 1, you must attempt at least one assessment item AND not meet the requirement for a higher grade.

2 (Fail) 20 - 46

Minimal evidence of achievement of course learning outcomes.

Course grade description: To achieve a grade of 2, the weighted average of your combined overall assessments must be at least 20% of the total possible marks for the course AND not meet the requirement for a higher grade. Assessments that have not been submitted are included in the weighted average with a value of zero for that assessment. If you achieve less than 20% of the exam marks OR you achieve less than 20% of the practical progressive assessment marks, your overall mark will be capped to at most 46 marks.

3 (Marginal Fail) 47 - 49

Demonstrated evidence of developing achievement of course learning outcomes

Course grade description: To achieve a grade of 3, you must achieve at least 20% of the exam marks AND you must achieve at least 20% of the practical progressive assessment marks AND the weighted average of your combined overall assessments must be at least 47% of the total possible marks for the course. If you achieve less than 40% of the exam marks OR you achieve less than 40% of the practical progressive assessment marks, your overall mark will be capped to at most 49 marks.

4 (Pass) 50 - 64

Demonstrated evidence of functional achievement of course learning outcomes.

Course grade description: To achieve a grade of 4, you must achieve at least 40% of the exam marks AND you must achieve at least 40% of the practical progressive assessment marks AND the weighted average of your combined overall assessments must be at least 50% of the total possible marks for the course. If you achieve less than 50% of the exam marks OR you achieve less than 50% of the practical progressive assessment marks, your overall mark will be capped to at most 64 marks.

5 (Credit) 65 - 74

Demonstrated evidence of proficient achievement of course learning outcomes.

Course grade description: To achieve a grade of 5, you must achieve at least 50% of the exam marks AND you must achieve at least 50% of the practical progressive assessment marks AND the weighted average of your combined overall assessments must be at least 65% of the total possible marks for the course.

6 (Distinction) 75 - 84

Demonstrated evidence of advanced achievement of course learning outcomes.

Course grade description: To achieve a grade of 6, the weighted average of your combined overall assessments must be at least 75% of the total possible marks for the course.

7 (High Distinction) 85 - 100

Demonstrated evidence of exceptional achievement of course learning outcomes.

Course grade description: To achieve a grade of 7, the weighted average of your combined overall assessments must be at least 85% of the total possible marks for the course.

Additional course grading information

Adequate performance is required in both the progressive assessment and the final exam to successfully complete this course. Hurdles apply to your overall performance in all the assessed weekly practical exercises combined (not for individual weeks) and also to your performance in the final exam. Particularly poor performance in either of these two areas will impose limits on your overall mark and hence your final grade, as described above.

The overall mark is between 0-100 inclusive and you will be awarded a grade between 1-7 inclusive as described above.

Your overall mark will be the weighted sum of the marks for all assessment components, based on the weighting in the Assessment Items table above. Your overall mark will be calculated by adding your total mark for all the assessed progressive practical sessions (weighted to 35%), the assignment (weighted to 15%), and the final exam (weighted to 50%). If any of the performance hurdles above apply, your overall mark will be capped, as described above, before the next step.

If your overall mark (only) finishes with a fractional component, that fraction will be rounded up to the next whole number before any grade cut-offs apply. Individual assessment component marks and weighted values are not rounded.

In other words, where P, A, and E represent your mark as a percentage (between 0-100 inclusive) on the Practicals, the Assignment, and the Final Exam respectively, your overall mark out of 100, M, will be:

M = ROUND(0.35 × P + 0.15 × A + 0.5 × E), with any final mark fraction rounded up, not down.

The course coordinator reserves the right to moderate marks.

Supplementary assessment

Supplementary assessment is available for this course.

Additional assessment information

Having Troubles?

If you are having difficulties with any aspect of the course material, you should seek help and speak to the course teaching staff.

If external circumstances are affecting your ability to work on the course, you should seek help as soon as possible. The University and UQ Union have organisations and staff who are able to help. For example, UQ Student Services are able to help with study and exam skills, tertiary learning skills, writing skills, financial assistance, personal issues, and disability services (among other things).

Complaints and criticisms should be directed in the first instance to the course coordinator. If you are not satisfied with the outcome, you may bring the matter to the attention of the Director of Teaching and Learning.

Learning resources

You'll need the following resources to successfully complete the course. We've indicated below if you need a personal copy of the reading materials or your own item.

Library resources

Find the required and recommended resources for this course on the UQ Library website.

Additional learning resources information

Facilities

EECS computing laboratories where you can work on assignments are normally open (accessible using swipe card) 24 hours a day, 7 days per week. Note that students officially enrolled in COMP3320 will have accounts and disk space created for them.

Handouts

Electronic copies of all handouts will be made available on the course Blackboard site.

Distribution of notices

Announcements will be made in the lectures and on the course Blackboard site. You are expected to read the notices on the course Blackboard site (at least once a week and more often near assignment deadlines).

Learning activities

The learning activities for this course are outlined below. Learn more about the learning outcomes that apply to this course.

Learning period Activity type Topic
Multiple weeks

From Week 1 To Week 13
(24 Feb - 01 Jun)

Lecture

Lectures

Lectures will be mainly used to introduce new material. Learning materials are available on Blackboard.

Learning outcomes: L01, L02, L03, L04, L05, L06

Multiple weeks

From Week 2 To Week 13
(03 Mar - 01 Jun)

Practical

Practical lab sessions

Practical sessions are based on the topics covered by lectures. They will be mainly used to work on hands-on exercises and challenges. This will be a more interactive process than lecture presentations. The intent is to provide a learning environment that provides better support for developing practical skills. There will also be time during practical sessions specifically for getting help and being assessed by lab demonstrators.

Learning outcomes: L02, L03, L04, L05, L06

Policies and procedures

University policies and procedures apply to all aspects of student life. As a UQ student, you must comply with University-wide and program-specific requirements, including the:

Learn more about UQ policies on my.UQ and the Policy and Procedure Library.

School guidelines

Your school has additional guidelines you'll need to follow for this course: