COMP08141 2018 Secure Software Development
The aim of this module is to provide learners with an understanding of common security vulnerabilities associated with modern software applications and the various remediation strategies associated with same. In addition to this, the module covers the usage of cryptography in application software for securing both data at rest and data in transit.
On completion of this module the learner will/should be able to:
1) Analyse source code and identify the presence/absence of common security vulnerabilities.
2) Compose countermeasure solutions when faced with security vulnerabilities at the source code level.
3) Compose application security requirements as part of the Requirements Engineering and Software Design/Architecture phases of the SDLC.
4) Discuss the role of cryptography in both the secure storage and transportation of data.
Teaching and Learning Strategies
Delivery of the module will comprise a one-hour lecture and a two-hour practical session.
The one-hour lecture will be used to introduce key concepts relating to secure software development. These concepts will later be applied practically in the subsequent two-hour practical session.
Additionally, flipped learning and inquiry-based learning will be used where appropriate.
Module Assessment Strategies
Continuous Assessment for the module comprises two pieces of work.
The first assessment sees the learner develop a small software application of their choosing using their existing software development knowledge (Requirements Specification, Architecture/Design and Implementation). Following this, the learner will analyse the artefact produced to determine the presence/absence of common security vulnerabilities. Learners must document their findings, evaluate potential countermeasures, document the decisions taken and implement their chosen countermeasures.
With a view to promoting cross-module assessment with PRJ 400, it is envisioned that the second assignment will form part of the mid-semester report produced as part of PRJ 400. This assignment will require the student to produce a set of security requirements for their chosen project, as well as a Threat Model (based on the application's architecture).
Repeat exam and/or Continuous Assessment.
1) Analyse Source Code and Identify the Presence/Absence of Common Security Vulnerabilities.
- Secure Coding Rules/Guidelines (General Guidelines, Language-Specific Guidelines, Framework-Specific Guidelines, Language-Developer Guidelines (Oracle, Microsoft, etc.), Community Guidelines (OWASP), Government Guidelines (CERT), Web/Mobile/Desktop/Client-Server Guidelines).
- Memory Management (Manual/Automated) and Potential Security Implications.
- Manual/Automated Code Reviews.
- Documenting Findings.
2) Compose Countermeasure Solutions When Faced with Security Vulnerabilities at the Source Code Level.
- Secure Coding Rules/Guidelines - Countermeasures.
- Memory Management (Manual/Automated) - Countermeasures.
- Identify False Positives Produced By Automated Source Code Analysis Tools.
3) Compose Application Security Requirements as part of the Requirements Engineering and Software Design/Architecture Phases of the SDLC.
- The Need to Identify Vulnerabilities and Implement Countermeasures as Early as Possible in the SDLC.
- Secure Software Development Lifecycle.
- Security Requirements Engineering.
- Threat Modelling.
4) Discuss the role of Cryptography in both the Secure Storage and Transportation of Data.
- Confidentiality, Integrity, Availability, Non-Repudiation.
- Identification of Data Which Must Be Legally Encrypted (GDPR, Health Data, Financial Data, etc.).
- Symmetric-Key Cryptography.
- Public-Key Cryptography.
- Cryptographic Hashing.
- Binary/Cryptographic Auditing of Executable Files/Shared Libraries.
- Utilise Cryptography for Secure Storage of Data (File System Storage, SQL Database Storage).
- Certificate Authorities (CAs).
- Acquisition and Installation of Digital Certificates on Industry Standard PAAS Platforms (Apache, IIS, Azure).
- Utilise Cryptography for Secure Transportation of Data (HTTPS/SSL).
Coursework & Assessment Breakdown
| | Title | Type | Form | Percent | Week | Learning Outcomes Assessed |
|---|---|---|---|---|---|---|
| 1 | Secure An Existing Software Artefact Which Contains Vulnerabilities | Continuous Assessment | Assignment | 30 % | End of Semester | 1,2 |
| 2 | PRJ 400 - Project Security Requirements and Threat Model. | Continuous Assessment | Individual Project | 20 % | End of Semester | 3,4 |
End of Semester / Year Assessment
| | Title | Type | Form | Percent | Week | Learning Outcomes Assessed |
|---|---|---|---|---|---|---|
| 1 | Final Exam | Final Exam | Closed Book Exam | 50 % | End of Semester | 1,2,3,4 |
Full Time Mode Workload
| Laboratory Practical | Computer Laboratory | Practical | 2 | Weekly | 2.00 |
| Independent Learning | Not Specified | Independent Learning | 4 | Weekly | 4.00 |
Online Learning Mode Workload
| Lecture | Distance Learning Suite | Lecture | 1.5 | Weekly | 1.50 |
| Directed Learning | Not Specified | Directed Learning | 1.12 | Weekly | 1.12 |
| Independent Learning | Not Specified | Independent Learning | 4.5 | Weekly | 4.50 |
Required & Recommended Book List
2006-11-20 The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities Addison-Wesley Professional
The Definitive Insider's Guide to Auditing Software Security
This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for ripping apart applications to reveal even the most subtle and well-hidden security flaws.
The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.
Code auditing: theory, practice, proven methodologies, and secrets of the trade
Bridging the gap between secure software design and post-implementation review
Performing architectural assessment: design review, threat modeling, and operational review
Identifying vulnerabilities related to memory management, data types, and malformed data
UNIX/Linux assessment: privileges, files, and processes
Windows-specific issues, including objects and the filesystem
Auditing interprocess communication, synchronization, and state
Evaluating network software: IP stacks, firewalls, and common application protocols
Auditing Web applications and technologies
2013-03-06 Cryptography and Network Security: Principles and Practice Pearson
ISBN 0133354695 ISBN-13 9780133354690
Cryptography and Network Security For one-semester, undergraduate- or graduate-level courses in Cryptography, Computer Security, and Network Security. The book is suitable for self-study and so provides a solid and up-to-date tutorial. The book is also a comprehensive treatment of cryptography and network security and so is suitable as a reference for a system engineer, programmer, system manager, network manager, product marketin...
2007-06-29 Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis (Addison-Wesley Software Security Series) Addison-Wesley Professional
The First Expert Guide to Static Analysis for Software Security!
Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there's a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.
2015-01-09 Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition McGraw-Hill Education
Cutting-edge techniques for finding and fixing critical security flaws
Fortify your network and avert digital catastrophe with proven strategies from a team of security experts. Completely updated and featuring 12 new chapters, Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition explains the enemy's current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-deploy testing labs. Find out how hackers gain access, overtake network devices, script and inject malicious code, and plunder Web applications and browsers. Android-based exploits, reverse engineering techniques, and cyber law are thoroughly covered in this state-of-the-art resource.
- Build and launch spoofing exploits with Ettercap and Evilgrade
- Induce error conditions and crash software using fuzzers
- Hack Cisco routers, switches, and network hardware
- Use advanced reverse engineering to exploit Windows and Linux software
- Bypass Windows Access Control and memory protection schemes
- Scan for flaws in Web applications using Fiddler and the x5 plugin
- Learn the use-after-free technique used in recent zero days
- Bypass Web authentication via MySQL type conversion and MD5 injection attacks
- Inject your shellcode into a browser's memory using the latest Heap Spray techniques
- Hijack Web browsers with Metasploit and the BeEF Injection Framework
- Neutralize ransomware before it takes control of your desktop
- Dissect Android malware with JEB and DAD decompilers
- Find one-day vulnerabilities with binary diffing
2012-07-23 Hacking Exposed 7: Network Security Secrets and Solutions McGraw-Hill Education
The latest tactics for thwarting digital attacks
Our new reality is zero-day, APT, and state-sponsored attacks. Today, more than ever, security professionals need to get into the hacker's mind, methods, and toolbox to successfully deter such relentless assaults. This edition brings readers abreast with the latest attack vectors and arms them for these continually evolving threats. --Brett Wahlin, CSO, Sony Network Entertainment
Stop taking punches--let's change the game; it's time for a paradigm shift in the way we secure our networks, and Hacking Exposed 7 is the playbook for bringing pain to our adversaries. --Shawn Henry, former Executive Assistant Director, FBI
Bolster your system's security and defeat the tools and tactics of cyber-criminals with expert advice and defense strategies from the world-renowned Hacking Exposed team. Case studies expose the hacker's latest devious methods and illustrate field-tested remedies. Find out how to block infrastructure hacks, minimize advanced persistent threats, neutralize malicious code, secure web and database applications, and fortify UNIX networks. Hacking Exposed 7: Network Security Secrets & Solutions contains all-new visual maps and a comprehensive countermeasures cookbook.
- Obstruct APTs and web-based meta-exploits
- Defend against UNIX-based root access and buffer overflow hacks
- Block SQL injection, spear phishing, and embedded-code attacks
- Detect and terminate rootkits, Trojans, bots, worms, and malware
- Lock down remote access using smartcards and hardware tokens
- Protect 802.11 WLANs with multilayered encryption and gateways
- Plug holes in VoIP, social networking, cloud, and Web 2.0 services
- Learn about the latest iPhone and Android attacks and how to protect yourself
2015-12-10 Automated Security Analysis of Android and iOS Applications with Mobile Security Framework Syngress
Risky Behaviours in the Top 400 iOS and Android Apps is a concise overview of the security threats posed by the top apps in iOS and Android. These apps are ubiquitous on phones and other mobile devices, and are vulnerable to a wide range of digital systems attacks. This brief volume provides security professionals and network systems administrators a much-needed dive into the most current threats, detection techniques, and defences for these attacks.
- An overview of security threats posed by iOS and Android apps.
- Discusses detection techniques and defenses for these attacks.
Common Vulnerabilities/Secure-Coding Guidelines: