Secure Software Development

Overview

Lectures:
• Introduction to the threat landscape
o Attack surface and vectors
o Attacker’s perspective (Bad actors)
• Software assurance initiatives and standards
o The need for software assurance (famous disaster)
o OWASP, CWE , SANS, etc.
• Secure software development lifecycle
o Examine the different approaches to software management
• Security issues, risks and risk management
o Types of attacks/vulnerabilities
o Roles and Responsibilities
o Vulnerability management (CVE)
• Requirements specification and threat modelling
o Identifying risks
o Misuse and Abuse Cases
o Model and manage risks
• Secure architecture and design
o Asset Protection
o Authentication, Authorisation
o Risk management
o Code deployment (signing)
• Secure coding, principles and practice
o Secure Coding standards
o Examine different programming languages
• Security analysis and testing
o Testing principles
o Black/white Box, Unit testing, Integration and Regression testing
o Testability of software (third party etc.)
• Development and code analysis tools
o Types of code analysis tools
o Scanner and penetration tools
Coursework:
• Implement an SQL filter to detect attack strings
• Secure Code Review Report
Practical Labs:
• Investigate three forms of injection attacks- Implement three attacks on a Weak-Server and write an evaluation report.
• Scanner Analysis tools – Perform a security risk assessment on a web application using appropriate scanner tools.
• Code analysis tools – Using both static and dynamic code analysis, evaluate a software program for vulnerabilities.

Learning Objectives

A successful student will be able to:
• Explain industry's approach to software assurance
• Manage and implement software assurance processes
• Understand and critically assess security requirements
• Identify software risks and vulnerabilities
• Implement secure coding standards
• Demonstrate the use of software vulnerability verification tools

Skills

Successful participation in this module will enable students to develop skills in the following areas:
• Manage one’s own learning and development including time management and organisational skills
• Good cyber security practice in the specification, design, implementation, evaluation and maintenance of security solutions.
o Adversarial thinking, threat landscape and attack vector evaluation.
o Perform risk assessment and identify countermeasures.
o Understanding impact and consequences
o Design and development secure software programs
o Software security testing and vulnerability analysis

Assessment

None