SECURE SOFTWARE DEVELOPMENT

SHE Level 4
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code MHI325106
Module Leader n/a
School School of Computing, Engineering and Built Environment
Subject Computing
Trimester
  • A (September start)

Pre-Requisite Knowledge

Programming 2, Database Systems Development, Fundamentals Software Engineering or equivalent

Summary of Content

Poor software design is at the core of many software vulnerabilities. This module equips students with deep knowledge and understanding of the risk to information security and the principles and skills of building secure software systems. Security is considered throughout the software development life cycle. Students examine the technologies that underpin software security and develop advanced skills in testing software for vulnerabilities and applying secure programming techniques. The percentage of Work Based Learning for this module, as represented by the proportion of the Activity Types which take place off campus, is 79%. The percentage of Work Based Assessment for this module is 0%.

Syllabus

  • Security objectives including authentication, authorization, access control, data integrity and non-repudiation.
  • Fundamentals of cryptography: symmetrical and asymmetrical encryption, e.g. Diffie-Hellman, Station-to-Station, Needham-Schroeder, Kerberos key exchange protocols, public key infrastructure (PKI) systems, digital signatures, Transport Layer Security, secure hash algorithms.
  • Secure Software Development Lifecycle: secure software requirements, secure software design, secure programming principles, security testing and secure deployment.
  • Secure Software Design Principles: securing the weakest link, defence in depth, diversity in defence, failing securely, least privilege, economy of mechanism, complete mediation, open design, separation of privilege, least common mechanism, psychological acceptability, fail-safe defaults.
  • Secure Programming Practices: input validation, output encoding, authentication and password management, session management, access control, cryptographic practices, error handling and logging, data protection, communication security, system configuration, database security, file management, memory management.
  • The use of off-the-shelf tools to analyse and secure software.
  • Trends in software security.

Learning Outcomes

On successful completion of this module students should be able to:
1 - Explain and discuss security objectives.
2 - Explain and critically evaluate the technologies that underpin software security.
3 - Critically analyse the software development life cycle and explain and discuss how security assurance can be incorporated into the software development life cycle.
4 - Critically analyse security design principles.
5 - Critically analyse the security of software systems and apply secure programming practices.

Teaching / Learning Strategy

Work based Education aims to maximise the direct and digitally mediated contact time with students by practising teaching and learning strategies that use authentic work based scenarios and encourage action learning, enquiry based learning, problem based learning and peer learning. All these approaches aim to directly involve the students in the process of learning and to encourage sharing of learning between students. The module team will determine the level and accuracy of knowledge acquisition at key points in the delivery, inputting when necessary either directly or with the support of external experts who will add to the authenticity, the credibility and application of the education and learning in the workplace. The course material is introduced through lectures in the form of online presentations. Students will engage with practical assignments and online tutorial material which may include instructor and peer-created content, and there will be seminars on campus which will allow students to discuss key concepts and issues with peers and with instructors. Students will be expected to undertake a significant level of independent study within the workplace, including practical activities, and links will be provided to appropriate external material such as podcasts, MOOCs, videos and literature to supplement the module content. Students will also be encouraged to reflect upon the theoretical learning within the workplace and the application of newly learned concepts to the work environment. Students will receive feedback on their performance throughout the module through undertaking the practical assignments and tutorial exercises and participating in the seminars.

Indicative Reading

  • J. Viega, G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.
  • J. Viega, M. Messier. Secure Programming Cookbook. O'Reilly, 2003.
  • M. Howard, D. LeBlanc. Writing Secure Code. Microsoft, 2002.
  • M. Howard, S. Lipner. The Security Development Lifecycle Book. Microsoft Press, 2006.
  • C. Adams, S. Lloyd. Understanding PKI: concepts, standards, and deployment considerations. Addison-Wesley Professional, 2003.
  • W. Mao. Modern Cryptography: Theory and Practice. Prentice Hall, 2003.
  • G. McGraw. Software Security: Building Security in. Addison Wesley, 2006.

Transferrable Skills

  • Specialist knowledge and application
  • Critical thinking and problem solving
  • Critical analysis
  • Communication skills, written, oral and listening
  • Numeracy
  • Computer literacy
  • Self confidence, self discipline & self reliance (independent working)
  • Creativity, innovation & independent thinking
  • Appreciating and desiring the need for continuing professional development
  • Reliability, integrity, honesty and ethical awareness
  • Ability to prioritise tasks and time management
  • Develop an understanding of the practical considerations that constrain the application of theory in the workplace.

Module Structure

Activity                    Total Hours
Seminars (FT)               24.00
Independent Learning (FT)   110.00
Lectures (FT)               24.00
Assessment (FT)             18.00
Practicals (FT)             24.00

Assessment Methods

Component        Duration   Weighting   Threshold   Description
Course Work 01   n/a        50.00       35%         Practical Assignment
Exam 01          2.00       50.00       35%         Unseen written examination