Secure Software Development

Course Description

The primary objective of this course is to provide a comprehensive understanding of the software production cycle, emphasizing the crucial points at which security considerations should be integrated. The aim is to instill confidence in the software’s deployment within the customer’s environment while minimizing its susceptibility to security threats.

Students must recognize that security is not a post-production concern but a fundamental property that has to be addressed from the inception of the software development process; retrofitting it later can be very costly for the software producer. Security is like a parachute: it has to be in place before the jump, not considered afterwards.

At the outset of the course, we study a maturity model that lays out the steps for assessing the security posture of all software systems within an organization. The first area of that model is Security Governance: we examine whether the target organization has established goals, a strategy, policies, and an education program for software security.

We then follow the software life cycle phase by phase, examining the security activities that belong to each. We start with the Risk Profile of the application, making sure that stakeholder security requirements are captured and that security risks are systematically addressed during design and architecture. The next step engages the development team in Threat Modeling to identify potential threats proactively and decide how to mitigate them.

Moving forward, we explore security aspects related to software implementation activities, code testing, and incident management within the customer’s environment.

The topics outlined above occupy most of the semester. The remaining weeks cover three further subjects. The first is Identity and Access Management (IAM). The second is an examination of the most significant classes of attacks on software systems, organized around the OWASP Top 10. Finally, we introduce students to machine learning techniques for vulnerability detection that operate on the Code Property Graph, a program representation combining the syntax tree, control flow, and data dependencies, and that locate vulnerabilities at both the function and the source-line level.

Prerequisites

Basic undergraduate courses in Software Analysis and Design or Software Engineering are strongly recommended.

Grading

Midterm exam: 30% (6/20)

Final exam: 45% (9/20)

Project: 25% (5/20) – P1 to P5 together: 2.5/20; P6: 2.5/20

Schedule
Week  Subject                                                        Project
1     Introduction
2     Governance: Strategy, Policy, and Education Plan
3     Governance: Strategy, Policy, and Education Plan               P1: Security Assessment in Governance for an Organization
4     Design: Application Risk Profile and Threat Modeling
5     Design: Application Risk Profile and Threat Modeling           P2: Security Assessment in Design for an Organization
6     Implementation: Secure Deployment and Defect Management
7     Implementation: Secure Deployment and Defect Management        P3: Security Assessment in Implementation for an Organization
8     Verification: Requirement-driven Testing and Security Testing
9     Verification: Requirement-driven Testing and Security Testing  P4: Security Assessment in Verification for an Organization
10    Operations: Incident Management and Operational Management     P5: Security Assessment in Operations for an Organization
11    Identity and Access Management (IAM)
12    OWASP Top 10 Vulnerabilities
13    OWASP Top 10 Vulnerabilities                                   P6: OWASP WebGoat
14    Machine Learning
15    Source Code Vulnerability Detection
16    Source Code Vulnerability Detection