THE UNIVERSITY of EDINBURGH

DEGREE REGULATIONS & PROGRAMMES OF STUDY 2024/2025

Timetable information in the Course Catalogue may be subject to change.

University Homepage
DRPS Homepage
DRPS Search
DRPS Contact
DRPS : Course Catalogue : School of Informatics : Informatics

Postgraduate Course: Secure Programming (INFR11098)

Course Outline
SchoolSchool of Informatics CollegeCollege of Science and Engineering
Credit level (Normal year taken)SCQF Level 11 (Year 4 Undergraduate) AvailabilityAvailable to all students
SCQF Credits10 ECTS Credits5
SummaryThis course studies the principles and practices of secure programming. Secure programming means writing programs in a safe fashion, to avoid vulnerabilities that can be exploited by attackers. It also means using security features provided by libraries, such as authentication and encryption, appropriately and effectively. A range of programming platforms will be considered, ranging from low-level (e.g. Android OS), through web programming (e.g., JavaScript and Python) to high-level large-scale languages (e.g., Java). New and emerging language-based security mechanisms will be examined, including ways of specifying and enforcing security policies statically and dynamically (e.g., to enforce access controls or information flow policies).
Course description - Security maintainance of deployed software systems, including "penetrate-and-patch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy).
- Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.
- Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.
- Low-level programming platforms, VMs and their security provisions, for example including process isolation, capabilities and permissions. Mobile operating system platforms as examples.
- Web programming platforms and security provisions. HTTP protocol, forms, clientside and server-side threats and their avoidance.
- High-level and Enterprise security programming, including cryptography via cryptographic libraries, authentication via GSSAPI.
- Security APIs and their distinction from cryptography APIs. Use and design of security APIs for key management, hashing and encryption. Implementation in hardware and software.
- Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.
- Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.
- Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.
Entry Requirements (not applicable to Visiting Students)
Pre-requisites It is RECOMMENDED that students have passed Computer Security (INFR10067) OR Research Methods in Security, Privacy, and Trust (INFR11188)
Co-requisites
Prohibited Combinations Other requirements This course is open to all Informatics students including those on joint degrees. For external students where this course is not listed in your DPT, please seek special permission from the course organiser.
Information for Visiting Students
Pre-requisitesNone
High Demand Course? Yes
Course Delivery Information
Academic year 2024/25, Available to all students (SV1) Quota:  None
Course Start Semester 1
Timetable Timetable
Learning and Teaching activities (Further Info) Total Hours: 100 ( Programme Level Learning and Teaching Hours 2, Directed Learning and Independent Learning Hours 98 )
Assessment (Further Info) Written Exam 70 %, Coursework 30 %, Practical Exam 0 %
Additional Information (Assessment) 70% Exam
30% Coursework

You should expect to spend approximately 20 hours on the coursework for this course.
Feedback Not entered
Exam Information
Exam Diet Paper Name Hours & Minutes
Main Exam Diet S1 (December)Secure Programming (INFR11098)2:120
Learning Outcomes
On completion of this course, the student will be able to:
  1. know how to respond to security alerts specifying CVE ID numbers which identify software issues
  2. identify possible security programming errors when conducting code reviews in languages such as Java, C or Python
  3. define a methodology for security testing and use appropriate tools in its implementation
  4. apply new security-enhanced programming models and tools which help ensure security goals, e.g.,with access control, information flow tracking, protocol implementation, or atomicity enforcement
Reading List
- J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.
- M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, second edition, 2003.
- David Basin, Patrick Schaller, Michael Schlapfer. Applied Information Security: A Hands-on Approach. Springer, 2011.
- Fred Long et al. The Oracle/CERT Secure Coding Standard for Java, Addison-Wesley, 2011. Available online at http://www.cert.org/secure-coding/.
- B. Chess and J. West. Secure Programming with Static Analysis. Addison-Wesley, 2007.
- The OWASP web application security project: https://www.owasp.org/.
Additional Information
Course URL https://opencourse.inf.ed.ac.uk/sp
Graduate Attributes and Skills Not entered
KeywordsNot entered
Contacts
Course organiserProf David Aspinall
Tel: (0131 6)50 5177
Email: David.Aspinall@ed.ac.uk
Course secretaryMiss Yesica Marco Azorin
Tel: (0131 6)50 5194
Email: ymarcoa@ed.ac.uk
Navigation
Help & Information
Home
Introduction
Glossary
Search DPTs and Courses
Regulations
Regulations
Degree Programmes
Introduction
Browse DPTs
Courses
Introduction
Humanities and Social Science
Science and Engineering
Medicine and Veterinary Medicine
Other Information
Combined Course Timetable
Prospectuses
Important Information