# SCIA-425 Software Assurance & Quality: Labs
These 13 hands-on labs correspond to the weekly readings and build cumulatively toward the capstone. Each lab produces verifiable artifacts (scan reports, test results, proof outputs, or pipeline runs), not just screenshots of reading.
## Lab Overview
| # | Lab | Week | Topic | Tools | Difficulty |
|---|---|---|---|---|---|
| 01 | Security Requirements & Misuse Cases | 2 | Ch02 | Python, jsonschema, pytest | ⭐⭐ |
| 02 | Threat Modeling with STRIDE | 3 | Ch03 | pytm, Docker | ⭐⭐ |
| 03 | Architecture Security Review | 4 | Ch04 | Python, CWE/CAPEC | ⭐⭐⭐ |
| 04 | Static Analysis & Code Inspection | 5 | Ch05 | Bandit, Semgrep, Docker | ⭐⭐ |
| 05 | Test Design: Coverage, Equivalence & Mutation | 6 | Ch06 | pytest, pytest-cov, mutmut | ⭐⭐⭐ |
| 06 | Fuzzing & Dynamic Testing | 7 | Ch07 | Hypothesis, Docker | ⭐⭐⭐ |
| 07 | Security Testing & Penetration Testing | 8 | Ch08 | OWASP ZAP, DVWA, Docker | ⭐⭐⭐ |
| 08 | Quality Metrics & Statistical QC | 10 | Ch10 | Radon, matplotlib, scipy | ⭐⭐ |
| 09 | Formal Verification & Model Checking | 11 | Ch11 | Z3 theorem prover | ⭐⭐⭐⭐ |
| 10 | DevSecOps Pipeline | 12 | Ch12 | GitHub Actions, Gitleaks, Safety | ⭐⭐⭐ |
| 11 | Compliance Testing & Regulatory Assurance | 13 | Ch13 | ASVS checker, HIPAA evidence | ⭐⭐⭐ |
| 12 | Software Quality Audit & SQA Plan | 14 | Ch14 | Radon, pygount, IEEE 730 | ⭐⭐⭐ |
| 13 | Capstone: AI-Assisted Testing & Synthesis | 15 | Ch15 | All tools + OpenAI/Ollama | ⭐⭐⭐⭐ |
## Difficulty Key
| Rating | Meaning |
|---|---|
| ⭐ | Introductory: follows guided steps |
| ⭐⭐ | Intermediate: applies concepts with scaffolding |
| ⭐⭐⭐ | Advanced: requires independent reasoning and tool mastery |
| ⭐⭐⭐⭐ | Expert: integrates multiple skills, open-ended analysis |
## Tool Stack Summary
Python Tools: pytest, pytest-cov, mutmut, hypothesis, radon, bandit, safety, z3-solver
Container Tools: Docker (Semgrep, ZAP, pytm/Graphviz, DVWA)
CI/CD: GitHub Actions (Lab 10)
Visualization: matplotlib, pandas
Formal Methods: Z3 SMT Solver
AI Assistance: OpenAI API or Ollama (Lab 13)
## Prerequisites
- All labs: Python 3.10+, Docker Desktop or Docker Engine
- Lab 10: GitHub account (free tier sufficient)
- Lab 13: OpenAI API key (optional; Ollama can substitute)
No cloud database accounts are required (unlike SCIA-340).
## Capstone Dependency Map
```text
Lab 01 (Requirements) --> Lab 02 (Threat Model) --> Lab 03 (Architecture)
  |                                                         |
  +--> Lab 04 (SAST) --> Lab 05 (Tests) --> Lab 06 (Fuzzing)
                                                |
Lab 07 (Pentest) --> Lab 08 (Metrics) --> Lab 09 (Formal) --+
  |                                                         |
  +--> Lab 10 (DevSecOps) --> Lab 11 (Compliance) ----------+
                                                            |
Lab 12 (Audit) -----------------------> Lab 13 (Capstone)
```
All skills from Labs 01 through 12 are exercised in the Lab 13 capstone assessment.