Course Description
The primary objective of this course is to provide a comprehensive understanding of the software production cycle, emphasizing the crucial points at which security considerations should be integrated. The aim is to instill confidence in the software’s deployment within the customer’s environment while minimizing its susceptibility to security threats.
It is imperative for students to recognize that security is not a post-production concern but a fundamental aspect that must be addressed from the inception of the software development process. Failure to do so can result in substantial costs for the software producer. In essence, security is like a parachute: it demands consideration from the very beginning.
At the outset of the course, we will delve into a thorough model outlining the essential steps for conducting a comprehensive security analysis of all systems within an organization. Consequently, the discussion on Security Governance takes precedence, examining whether the target organization has established goals, strategies, policies, or educational programs pertaining to software security.
As we progress through the software life cycle, our focus shifts to security considerations. We commence with an analysis of the Risk Profile of the system, ensuring that stakeholder requirements are factored into the assessment and that security risks are systematically addressed during the design and architectural phases. The subsequent step involves engaging the software development team in Threat Modeling to proactively identify and address potential threats.
Moving forward, we explore security aspects related to software implementation activities, code testing, and incident management within the customer’s environment.
The topics outlined above encompass a significant portion of the semester. In the subsequent weeks, the course will cover additional pivotal subjects. The first among these is Identity and Access Management (IAM). Subsequently, we delve into an examination of the most significant attacks on software systems. Finally, we introduce students to machine learning techniques, specifically the Code Property Graph, to detect vulnerabilities at both the function and code line levels.
Prerequisites
Basic undergraduate courses in Software Analysis and Design or Software Engineering are strongly recommended.
Grading
Midterm exam: 30% (6/20)
Final exam: 45% (9/20)
Project: 25% (5/20) – (P1 to P5: 2.5/20 and P6: 2.5/20)
Schedule
Week | Subject | Project |
---|---|---|
1 | Introduction | |
2 | Governance: Strategy, Policy, and Education Plan | |
3 | Governance: Strategy, Policy, and Education Plan | P1: Security Assessment in Governance for an Organization |
4 | Design: Application Risk Profile and Threat Modeling | |
5 | Design: Application Risk Profile and Threat Modeling | P2: Security Assessment in Design for an Organization |
6 | Implementation: Secure Deployment and Defect Management | |
7 | Implementation: Secure Deployment and Defect Management | P3: Security Assessment in Implementation for an Organization |
8 | Verification: Requirement-driven Testing and Security Testing | |
9 | Verification: Requirement-driven Testing and Security Testing | P4: Security Assessment in Verification for an Organization |
10 | Operations: Incident Management and Operational Management | P5: Security Assessment in Operations for an Organization |
11 | Identity and Access Management (IAM) | |
12 | OWASP Top 10 Vulnerabilities | |
13 | OWASP Top 10 Vulnerabilities | P6: OWASP WebGoat |
14 | Machine Learning | |
15 | Source Code Vulnerability Detection | |
16 | Source Code Vulnerability Detection | |