COP-6938 Special Topics: Software Supply Chain Security
Syllabus

Course Details

Course COP-6938 Special Topics: Software Supply Chain Security
School University of Central Florida
Semester Spring 2026
Section 001
Prerequisites One of COP5621, CEN5016, COP5021, CAP5150, or COP5611
Lectures Mondays and Wednesdays, 12:00–13:15, 01/12–04/27 (inclusive)
Location VAB-0109
Final Wednesday, 04/29, 10:00–12:50
Instructor Paul Gazzillo paul.gazzillo@ucf.edu

Office hours

Date Day Time Location
01/19–05/01 Monday 11:00–12:00 HEC-239
01/19–05/01 Wednesday 11:00–12:00 HEC-239

Office hours will not be held on days when there are no classes or campus is closed.

Weekly Topics

  • Software supply chain foundations, definitions, examples
  • Government and other organizational standards, including NIST, OWASP, and CISA
  • Software Bills of Materials (SBOM), current standards and research
  • SBOM practices, tooling, and data standards
  • Examples of supply chain versioning problems
  • Software development lifecycle automation, foundations, definitions, tooling, standard practices
  • Real-world attack examples on development automation, including the XZ Utils backdoor, the SolarWinds backdoors, and various pipeline poisoning attacks
  • Defensive practices and standards
  • Research on software supply chain security
    • Development automation analysis
    • Component interactions and downgrades
    • SBOM generation practices
    • Human factors in supply chain management
    • Vulnerabilities and attacks

Readings

Schedule

Date Topic Homework/Readings
01/12 Introduction None
01/14 Automated pipelines and attack overviews For 01/21 Read XZ Utils attack
01/21 XZ Utils in detail For 01/26 Readings
01/26 OWASP Top Ten CI/CD risks For 02/02-04 Prepare talk
01/28 Supply Chain Definitions/Discussions None
02/02 Student Presentations on attacks For 02/09 Academic practice paper
02/04 Student Presentations on attacks None
02/09 Paper reading crash course None
02/11 Readings, attacks, summaries Summaries, mini-projects

Coursework

  • 25% Attendance and class participation
    • Attend class
    • Participate in class discussion
    • Lead class discussions, present papers
    • Notify instructor about any excused absence ahead of time (except of course due to emergencies)
  • 25% Paper readings and summaries
    • Regular readings
    • Answer questions and write summaries about papers
      • For academic papers, use the critical reading guidelines
  • 25% Homework and small projects
    • Periodic homework assignments and small projects
  • 25% Final project and presentation
    • Propose a project and get instructor approval
    • Complete the project and give a presentation

Academic Paper Reading and Summary Guidelines

When reading the papers, keep the following questions in mind:

  • What is the problem and why does it matter?
  • What is the solution and how is it new/different?
  • What are the contributions and limitations?

For the summary of each paper, write one concise review paragraph:

  • A one sentence summary
  • Key strengths and weaknesses
  • Anything else important to you

(Adapted from Robert Grimm's Honors OS course.)

Course Information

Description

Foundations of software supply chain security, real-world examples of attacks, software engineering practices and tools, defenses, analysis of development automation, recent and historical research.

Core Policy Statements

Unauthorized Assistance with Coursework

Receiving a work product (e.g., a homework paper or code submitted in response to an assignment) from other individuals (other students in the course, former students, tutors, etc.) is considered "Unauthorized assistance". Giving such a work product to other individuals, either willfully or through negligence, is considered "Helping another violate academic behavior standards." Copying a work product from submissions from past semesters, or copying from an online repository, is considered "Plagiarism." You are allowed to discuss class materials and high-level concepts related to the assignment with others. However, you must work individually when creating the work product. For programming assignments, you must design algorithms and data structures, and develop code, individually. Any violation of the above is considered an Academic Integrity Violation. Students found to be in violation of academic integrity will be reported to the Office of Integrity and Ethical Development, in addition to receiving a zero grade on their assignments. Following the report, the Office may conduct a hearing, and if found in violation, a student may receive penalties up to and including dismissal from the university. Unless stated explicitly as team/group assignments, students should assume that assignments are to be performed individually, or ask the instructor for explicit clarification.

Academic Integrity

The Center for Academic Integrity (CAI) defines academic integrity as a commitment, even in the face of adversity, to five fundamental values: honesty, trust, fairness, respect, and responsibility. From these values flow principles of behavior that enable academic communities to translate ideals into action. http://academicintegrity.org/

UCF Creed: Integrity, scholarship, community, creativity, and excellence are the core values that guide our conduct, performance, and decisions.

  1. Integrity: I will practice and defend academic and personal honesty.
  2. Scholarship: I will cherish and honor learning as a fundamental purpose of my membership in the UCF community.
  3. Community: I will promote an open and supportive campus environment by respecting the rights and contributions of every individual.
  4. Creativity: I will use my talents to enrich the human experience.
  5. Excellence: I will strive toward the highest standards of performance in any endeavor I undertake.

The following definitions of plagiarism and misuse of sources come from the Council of Writing Program Administrators http://wpacouncil.org/node/9 and have been adopted by UCF's Department of Writing & Rhetoric.

Plagiarism

In an instructional setting, plagiarism occurs when a writer deliberately uses someone else's language, ideas, or other original (not common-knowledge) material without acknowledging its source. This definition applies to texts published in print or on-line, to manuscripts, and to the work of other student writers.

Misuse of Sources

A student who attempts (even if clumsily) to identify and credit his or her source, but who misuses a specific citation format or incorrectly uses quotation marks or other forms of identifying material taken from other sources, has not plagiarized. Instead, such a student should be considered to have failed to cite and document sources appropriately.

Responses to Academic Dishonesty, Plagiarism, or Cheating

UCF faculty members have a responsibility for your education and the value of a UCF degree, and so seek to prevent unethical behavior and when necessary respond to infringements of academic integrity. Penalties can include a failing grade in an assignment or in the course, suspension or expulsion from the university, and/or a "Z Designation" on a student's official transcript indicating academic dishonesty, where the final grade for this course will be preceded by the letter Z. For more information about the Z Designation, see http://goldenrule.sdes.ucf.edu/zgrade.

For more information about UCF's Rules of Conduct, see http://www.osc.sdes.ucf.edu/.

Unauthorized Use of Class Materials

There are many fraudulent websites claiming to offer study aids to students but are actually cheat sites. They encourage students to upload course materials, such as test questions, individual assignments, and examples of graded material. Such materials are the intellectual property of instructors, the university, or publishers and may not be distributed without prior authorization. Students who engage in such activity are in violation of academic conduct standards and may face penalties.

Unauthorized Use of Class Notes

Faculty have reported errors in class notes being sold by third parties, and the errors may be contributing to higher failure rates in some classes. The following is a statement appropriate for distribution to your classes or for inclusion on your syllabus:

Third parties may be selling class notes from this class without my authorization. Please be aware that such class materials may contain errors, which could affect your performance or grade. Use these materials at your own risk.

In-Class Recording Policy

Outside of the notetaking and recording services offered by Student Accessibility Services, the creation of an audio or video recording of all or part of a class for personal use is allowed only with the advance and explicit written consent of the instructor. Such recordings are only acceptable in the context of personal, private studying and notetaking and are not authorized to be shared with anyone without the separate written approval of the instructor.

Course Accessibility Statement

The University of Central Florida is committed to providing access and inclusion for all persons with disabilities. This syllabus is available in alternate formats upon request. Students with disabilities who need specific access in this course, such as accommodations, should contact the professor as soon as possible to discuss various access options. Students should also connect with Student Accessibility Services (Ferrell Commons, 7F, Room 185, sas@ucf.edu, phone (407) 823-2371). Through Student Accessibility Services, a Course Accessibility Letter may be created and sent to professors, which informs faculty of potential access and accommodations that might be reasonable.

Campus Safety Statement

Emergencies on campus are rare, but if one should arise in our class, we will all need to work together. Everyone should be aware of the surroundings and familiar with some basic safety and security concepts.

  • In case of an emergency, dial 911 for assistance.
  • Every UCF classroom contains an emergency procedure guide posted on a wall near the door. Please make a note of the guide's physical location and consider reviewing the online version at http://emergency.ucf.edu/emergency_guide.html.
  • Familiarize yourself with evacuation routes from each of your classrooms and have a plan for finding safety in case of an emergency.
  • If there is a medical emergency during class, we may need to access a first aid kit or AED (Automated External Defibrillator). To learn where those items are located in this building, see http://www.ehs.ucf.edu/AEDlocations-UCF (click on link from menu on left).
  • To stay informed about emergency situations, sign up to receive UCF text alerts by going to my.ucf.edu and logging in. Click on "Student Self Service" located on the left side of the screen in the tool bar, scroll down to the blue "Personal Information" heading on your Student Center screen, click on "UCF Alert", fill out the information, including your e-mail address, cell phone number, and cell phone provider, click "Apply" to save the changes, and then click "OK."
  • If you have a special need related to emergency situations, please speak with me during office hours.
  • Consider viewing this video (https://youtu.be/NIKYajEx4pk) about how to manage an active shooter situation on campus or elsewhere.

Deployed Active Duty Military Students

If you are a deployed active duty military student and feel that you may need a special accommodation due to that unique status, please contact your instructor to discuss your circumstances.

Author: Paul Gazzillo

Created: 2026-01-14 Wed 12:05