Postgraduate Course: Secure Programming (INFR11098)
|School||School of Informatics
||College||College of Science and Engineering
||Availability||Available to all students
|Credit level (Normal year taken)||SCQF Level 11 (Year 4 Undergraduate)
|Home subject area||Informatics
||Other subject area||None
||Taught in Gaelic?||No
Entry Requirements (not applicable to Visiting Students)
|| It is RECOMMENDED that students have passed
Computer Security (INFR09025)
||Other requirements|| This course is open to all Informatics students including those on joint degrees. For external students where this course is not listed in your DPT, please seek special permission from the course organiser.
|Additional Costs|| None
Information for Visiting Students
|Displayed in Visiting Students Prospectus?||Yes
Course Delivery Information
|Delivery period: 2013/14 Semester 2, Available to all students (SV1)
||Learn enabled: No
|Course Start Date
|Breakdown of Learning and Teaching activities (Further Info)
Lecture Hours 16,
Supervised Practical/Workshop/Studio Hours 16,
Summative Assessment Hours 2,
Programme Level Learning and Teaching Hours 2,
Directed Learning and Independent Learning Hours
|Breakdown of Assessment Methods (Further Info)
||Hours & Minutes
|Main Exam Diet S2 (April/May)||2:00|
Summary of Intended Learning Outcomes
|1. know how to respond to security alerts specifying CVE ID numbers which identify software issues;
2. identify possible security programming errors when conducting code reviews in languages such as Java, C or Python;
3. define a methodology for security testing and use appropriate tools in its implementation;
4. apply new security-enhanced programming models and tools which help ensure security goals, e.g.,with access control, information flow tracking, protocol implementation, or atomicity enforcement.
|Written Examination: 70%|
Assessed Assignments: 30%
||- Security maintainance of deployed software systems, including "penetrate-andpatch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy).
- Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.
- Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.
- Low-level programming platforms, VMs and their security provisions, for example including process isolation, capabilities and permissions. Mobile operating system platforms as examples.
- Web programming platforms and security provisions. HTTP protocol, forms, clientside and server-side threats and their avoidance.
- High-level and Enterprise security programming, including cryptography via cryptographic libraries, authentication via GSSAPI.
- Security APIs and their distinction from cryptography APIs. Use and design of security APIs for key management, hashing and encryption. Implementation in hardware and software.
- Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.
- Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.
- Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.
||- J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.
- M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, second edition, 2003.
- David Basin, Patrick Schaller, Michael Schl¨apfer. Applied Information Security: A Hands-on Approach. Springer, 2011.
- Fred Long et al. The Oracle/CERT Secure Coding Standard for Java, Addison-Wesley, 2011. Available online at http://www.cert.org/secure-coding/.
- B. Chess and J. West. Secure Programming with Static Analysis. Addison-Wesley, 2007.
- The OWASP web application security project: https://www.owasp.org/.
Timetabled Laboratories 16
Coursework Assessed for Credit 20
Other Coursework / Private Study 48
|Course organiser||Dr Mary Cryan
Tel: (0131 6)50 5153
|Course secretary||Miss Kate Farrow
Tel: (0131 6)50 2706
© Copyright 2013 The University of Edinburgh - 13 January 2014 4:28 am