COM6015 Development of Secure Software
This module covers the security analysis and the secure development of software-based systems at both the architectural and the system
level. The main goal of this module is to teach the foundations of secure software design, secure programming, and security testing.
- Assessment will be Exam and Coursework
|| Dr Prosanta Gope & Dr Andrei Popescu
This unit aims to:
- Provide students with a fundamental understanding of how secure software-based systems are developed and to
provide first-hand experience in the security analysis and the secure development of software-based systems.
- Provide the student with the fundamental understanding of the threat landscape of software-based systems;
- Provide the student with experience in detecting and assessing vulnerabilities and threats in the context of software-based systems;
- Provide the student with fundamental understanding of how secure software is developed;
- Provide experience in analysis and development approaches for secure system software.
By the end of the unit, a candidate will be able to:
- Understand and explain a Secure Software Development Lifecycle;
- Understand threat modelling and apply it to assess the security risk of software architectures;
- Understand the principles of secure software architectures and be able to compare the weaknesses and strengths of different
architectures with respect to security and privacy;
- Understand software vulnerabilities, and be able to explain their causes and assess their impact for a specific
system;
- Understand how to develop secure software using defensive programming techniques and apply them to their own development;
- Understand the principles of static and dynamic security testing and verification techniques and be able to assess which
method to use for a given system, e.g., based on the threat assessment and development technologies.
Lectures will cover:
- (Web) Application Security
- Software Security
- Threat Modelling
- Secure Programming
- Security Testing
- Static code analysis
The lecture includes lab sessions that require an understanding of Linux systems and programming skills.
||COM6014 Fundamental Security Properties and Mechanisms
||Not permitted for students that already have taken COM6501.
- The on-site parts of the module will be delivered as a combination of traditional lectures, flipped classroom sessions, and practical work. The
lectures will be supported by exercise sheets and reference material to be studied by the students independently;
- The on-line part of the module will replace the traditional lectures by short video lessons and the flipped classroom style sessions by
discussions in an online forum. Practical parts (labs) will be provided in such a form that students can either execute them on their own
computers or they will be made easily accessible over the internet;
- The flipped classroom sessions will engage the students in discussing software security aspects based on the exercise sheets, taught
materials, as well as reference material. This deepens the understanding of material discussed in the lecture and contributes to the business
and management aspects.
||Students will receive feedback in the tutorial sessions in which solutions for the problem sheets are discussed as well as in the lab sessions.
Online resources will be provided on Blackboard and more specific readings will be recommended as part of the exercise sheets and lab exercises.
- Dafydd Stuttard and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. O'Reilly. 2011.
- R. J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 2001. ISBN 0471389226. The complete book is available at: http://www.cl.cam.ac.uk/~rja14/book.html.
- Neil Daswani, Christoph Kern, and Anita Kesavan. Foundations of Security: What Every Programmer Needs to Know. Apress, Berkeley, CA, USA, 2007.
- Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, Inc., New York, NY, USA, 1st edition, 2010.
- Brian Chess and Jacob West. Secure Programming with Static Analysis. Addison-Wesley Professional, 1st edition, 2007.
- Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016.
- M. Huth and M. Ryan. Logic in Computer Science: Modelling and Reasoning About Systems. Cambridge University Press, New York, NY, USA, 2004. ISBN 052154310X.