The University of Sheffield
Department of Computer Science

COM6015 Development of Secure Software

Summary

This module covers the security analysis and the secure development of software-based systems at both the architectural and the system level. The main goal of the module is to teach the foundations of secure software design, secure programming, and security testing.

The module requires a solid understanding of software development in general and, in particular, of at least one programming language (e.g., Java, JavaScript, Ruby, C#, F#, or C) and of basic software development tools such as an IDE (e.g., Eclipse, VS Code), a revision control system (e.g., git), and build systems (e.g., Maven, Gradle, npm, FAKE). Moreover, an understanding of database and Web applications is required. The labs require a basic command of Linux in general and of the command line (shell) in particular.

Session Spring 2020/21
Credits 15
Assessment
  • Assessment will be Exam and Coursework
Lecturer(s) Dr Prosanta Gope & Dr Andrei Popescu
Resources
Aims

This unit aims to:

  • Provide students with a fundamental understanding of how secure software-based systems are developed, and provide first-hand experience in the security analysis and the secure development of software-based systems;
  • Provide the student with the fundamental understanding of the threat landscape of software-based systems;
  • Provide the student with experience in detecting and assessing vulnerabilities and threats in the context of software-based systems;
  • Provide the student with fundamental understanding of how secure software is developed;
  • Provide experience in analysis and development approaches for secure system software.
Objectives

By the end of the unit, a candidate will be able to:

  • Understand and explain a Secure Software Development Lifecycle;
  • Understand threat modelling and apply it to assess the security risk of software architectures;
  • Understand the principles of secure software architectures and be able to compare the strengths and weaknesses of different architectures with respect to security and privacy;
  • Understand software vulnerabilities, and be able to explain their causes and assess their impact on a specific system;
  • Understand how to develop secure software using defensive programming techniques, and apply these techniques to their own development projects;
  • Understand the principles of static and dynamic security testing and verification techniques and be able to assess which method to use for a given system, e.g., based on the threat assessment and development technologies.
Content

Lectures will cover:

  • (Web) Application Security
  • Software Security
  • Threat Modelling
  • Secure Programming
  • Security Testing
  • Static code analysis

The module includes lab sessions that require an understanding of Linux systems and programming skills.

Pre-Requisite COM6014 Fundamental Security Properties and Mechanisms
Restrictions Not permitted for students that already have taken COM6501.
Teaching Method
  • The on-site parts of the module will be delivered as a combination of traditional lectures, flipped classroom sessions, and practical work. The lectures will be supported by exercise sheets and reference material to be studied by the students independently;
  • The on-line part of the module will replace the traditional lectures with short video lessons and the flipped classroom sessions with discussions in an online forum. Practical parts (labs) will be provided in a form that students can either run on their own computers or access easily over the internet;
  • The flipped classroom sessions will engage the students in discussing software security aspects based on the exercise sheets, the taught materials, and the reference material. This deepens the understanding of the material discussed in the lectures and contributes to the business and management aspects.
Feedback Students will receive feedback in the tutorial sessions, in which solutions for the problem sheets are discussed, as well as in the lab sessions.
Recommended Reading

Online resources will be provided on Blackboard and more specific readings will be recommended as part of the exercise sheets and lab exercises.

  • Dafydd Stuttard and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Wiley, 2nd edition, 2011.
  • R. J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 2001. ISBN 0471389226. The complete book is available at: http://www.cl.cam.ac.uk/~rja14/book.html.
  • Neil Daswani, Christoph Kern, and Anita Kesavan. Foundations of Security: What Every Programmer Needs to Know. Apress, Berkeley, CA, USA, 2007.
  • Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, Inc., New York, NY, USA, 1st edition, 2010.
  • Brian Chess and Jacob West. Secure programming with static analysis. Addison-Wesley Professional, first edition, 2007.
  • Michael Felderer, Matthias Büchler, Martin Johns, Achim D. Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 101:1–51, March 2016.
  • M. Huth and M. Ryan. Logic in Computer Science: Modelling and Reasoning About Systems. Cambridge University Press, New York, NY, USA, 2004. ISBN 052154310X.