COMP08141 2018 Secure Software Development

General Details

Full Title
Secure Software Development
Transcript Title
Secure Software Development
Code
COMP08141
Attendance
N/A %
Subject Area
COMP - Computing
Department
COEL - Computing & Electronic Eng
Level
08 - NFQ Level 8
Credit
05 - 05 Credits
Duration
Semester
Fee
Start Term
2018 - Full Academic Year 2018-19
End Term
9999 - The End of Time
Author(s)
John Weir, Donny Hurley, Shaun McBrearty
Programme Membership
SG_KSODV_H08 201800 Bachelor of Science (Honours) in Computing in Software Development
SG_KCMPU_H08 201800 Bachelor of Science (Honours) in Computing
SG_KSODV_K08 201800 Level 8 Honours Degree Add-on in Software Development
SG_KSFTD_K08 201800 Bachelor of Science (Honours) in Computing in Software Development (Add On)
SG_KSOFT_E08 201800 Certificate in Software Development
SG_KSECU_E08 201800 Certificate in Secure IT and Deep/Machine Learning
SG_KSOFT_E08 201900 Certificate in Software Development
SG_KSFTD_K08 201900 Bachelor of Science (Honours) in Computing in Software Development (Add On)
SG_KSODV_K08 201900 Level 8 Honours Degree Add-on in Software Development
SG_KSODV_H08 201900 Bachelor of Science (Honours) in Computing in Software Development
SG_KCMPU_H08 201900 Bachelor of Science (Honours) in Computing
SG_KSOFT_E08 202000 Certificate in Software Development
SG_KCMPU_H08 202000 Bachelor of Science (Honours) in Computing
SG_KSODV_H08 202000 Bachelor of Science (Honours) in Computing in Software Development
SG_KSFTD_K08 202000 Bachelor of Science (Honours) in Computing in Software Development (Add On)
SG_KSODV_K08 202000 Level 8 Honours Degree Add-on in Software Development
SG_KSODV_H08 202100 Bachelor of Science (Honours) in Computing in Software Development
SG_KCMPU_H08 202100 Bachelor of Science (Honours) in Computing
SG_KSODV_H08 202200 Bachelor of Science (Honours) in Computing in Software Development
SG_KSFTD_K08 202200 Bachelor of Science (Honours) in Computing in Software Development (Add-on)
SG_KSODV_K08 202200 Bachelor of Science (Honours) in Computing in Software Development (Add-on)
SG_KCMPU_H08 202200 Bachelor of Science (Honours) in Computing
Description

The aim of this module is to provide learners with an understanding of common security vulnerabilities associated with modern software applications and the various remediation strategies associated with same. In addition to this, the module covers the usage of cryptography in application software for securing both data at rest and data in transit.

Learning Outcomes

On completion of this module the learner will/should be able to:

1. Analyse source code and identify the presence/absence of common security vulnerabilities.
2. Compose countermeasure solutions when faced with security vulnerabilities at the source code level.
3. Compose application security requirements as part of the Requirements Engineering and Software Design/Architecture phases of the SDLC.
4. Discuss the role of cryptography in both the secure storage and transportation of data.

Teaching and Learning Strategies

Delivery of the module will comprise a one-hour lecture and a two-hour practical session.

The one-hour lecture will be used to introduce key concepts relating to secure software development. These concepts will then be applied practically in the subsequent two-hour practical session.

Additionally, flipped learning and inquiry-based learning will be used where appropriate.

Module Assessment Strategies

Continuous Assessment for the module comprises two pieces of work.

The first assessment sees the learner develop a small software application of their choosing using their existing software development knowledge (Requirements Specification, Architecture/Design and Implementation). Following this, the learner will analyse the artefact produced to determine the presence/absence of common security vulnerabilities. Learners must document their findings, evaluate potential countermeasures, document the decisions taken and implement their chosen countermeasures.

With a view to promoting cross-module assessment with PRJ 400, it is envisioned that the second assignment will form part of the mid-semester report produced as part of PRJ 400. This assignment will require the student to produce a set of security requirements for their chosen project, as well as a Threat Model (based on the application's architecture).

Repeat Assessments

Repeat exam and/or Continuous Assessment.

Indicative Syllabus

1) Analyse Source Code and Identify the Presence/Absence of Common Security Vulnerabilities.

  • Secure Coding Rules/Guidelines (General Guidelines, Language-Specific Guidelines, Framework-Specific Guidelines, Language-Developer Guidelines (Oracle, Microsoft, etc.), Community Guidelines (OWASP), Government Guidelines (CERT), Web/Mobile/Desktop/Client-Server Guidelines).
  • Memory Management (Manual/Automated) and Potential Security Implications.
  • Manual/Automated Code Reviews.
  • Documenting Findings.

2) Compose Countermeasure Solutions When Faced with Security Vulnerabilities at the Source Code Level.

  • Secure Coding Rules/Guidelines - Countermeasures.
  • Memory Management (Manual/Automated) - Countermeasures.
  • Identify False Positives Produced By Automated Source Code Analysis Tools.

3) Compose Application Security Requirements as part of the Requirements Engineering and Software Design/Architecture Phases of the SDLC.

  • The Need to Identify Vulnerabilities and Implement Countermeasures as Early as Possible in the SDLC.
  • Secure Software Development Lifecycle.
  • Security Requirements Engineering.
  • Threat Modelling.

4) Discuss the role of Cryptography in both the Secure Storage and Transportation of Data.

  • Confidentiality, Integrity, Availability, Non-Repudiation.
  • Identification of Data Which Must Be Legally Encrypted (GDPR, Health Data, Financial Data, etc.).
  • Symmetric-Key Cryptography.
  • Public-Key Cryptography.
  • Cryptographic Hashing.
  • Binary/Cryptographic Auditing of Executable Files/Shared Libraries.
  • Utilise Cryptography for Secure Storage of Data (File System Storage, SQL Database Storage).
  • Certificate Authorities (CAs).
  • Acquisition and Installation of Digital Certificates on Industry Standard PaaS Platforms (Apache, IIS, Azure).
  • Utilise Cryptography for Secure Transportation of Data (HTTPS/SSL).

Coursework & Assessment Breakdown

End of Semester / Year Formal Exam
100 %

Coursework Assessment

Title | Type | Form | Percent | Week | Learning Outcomes Assessed
1 Secure An Existing Software Artefact Which Contains Vulnerabilities | Coursework Assessment | Assignment | 30 % | End of Semester | 1,2
2 PRJ 400 - Project Security Requirements and Threat Model | Coursework Assessment | Individual Project | 20 % | End of Semester | 3,4

End of Semester / Year Assessment

Title | Type | Form | Percent | Week | Learning Outcomes Assessed
1 Final Exam | Final Exam | Closed Book Exam | 50 % | End of Semester | 1,2,3,4

Full Time Mode Workload


Type | Location | Description | Hours | Frequency | Avg Workload
Lecture | Computer Laboratory | Lecture | 1 | Weekly | 1.00
Practical / Laboratory | Computer Laboratory | Practical | 2 | Weekly | 2.00
Independent Learning | Not Specified | Independent Learning | 4 | Weekly | 4.00

Total Full Time Average Weekly Learner Contact Time: 3.00 Hours

Online Learning Mode Workload


Type | Location | Description | Hours | Frequency | Avg Workload
Lecture | Distance Learning Suite | Lecture | 1.5 | Weekly | 1.50
Directed Learning | Not Specified | Directed Learning | 1.12 | Weekly | 1.12
Independent Learning | Not Specified | Independent Learning | 4.5 | Weekly | 4.50

Total Online Learning Average Weekly Learner Contact Time: 2.62 Hours

Required & Recommended Book List

Recommended Reading
2015-12-10 Automated Security Analysis of Android and iOS Applications with Mobile Security Framework Syngress

Risky Behaviours in the Top 400 iOS and Android Apps is a concise overview of the security threats posed by the top apps on iOS and Android. These apps are ubiquitous on phones and other mobile devices, and are vulnerable to a wide range of digital systems attacks. This brief volume provides security professionals and network systems administrators a much-needed dive into the most current threats, detection techniques, and defences for these attacks.

  • An overview of security threats posed by iOS and Android apps.
  • Discusses detection techniques and defences for these attacks.

Recommended Reading
2013-03-06 Cryptography and Network Security: Principles and Practice Pearson
ISBN 0133354695 ISBN-13 9780133354690

Cryptography and Network Security. For one-semester, undergraduate- or graduate-level courses in Cryptography, Computer Security, and Network Security. The book is suitable for self-study and so provides a solid and up-to-date tutorial. The book is also a comprehensive treatment of cryptography and network security and so is suitable as a reference for a system engineer, programmer, system manager, network manager, product marketin...

Recommended Reading
2015-01-09 Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition McGraw-Hill Education

Cutting-edge techniques for finding and fixing critical security flaws

Fortify your network and avert digital catastrophe with proven strategies from a team of security experts. Completely updated and featuring 12 new chapters, Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition explains the enemy's current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-deploy testing labs. Find out how hackers gain access, overtake network devices, script and inject malicious code, and plunder Web applications and browsers. Android-based exploits, reverse engineering techniques, and cyber law are thoroughly covered in this state-of-the-art resource.

  • Build and launch spoofing exploits with Ettercap and Evilgrade
  • Induce error conditions and crash software using fuzzers
  • Hack Cisco routers, switches, and network hardware
  • Use advanced reverse engineering to exploit Windows and Linux software
  • Bypass Windows Access Control and memory protection schemes
  • Scan for flaws in Web applications using Fiddler and the x5 plugin
  • Learn the use-after-free technique used in recent zero days
  • Bypass Web authentication via MySQL type conversion and MD5 injection attacks
  • Inject your shellcode into a browser's memory using the latest Heap Spray techniques
  • Hijack Web browsers with Metasploit and the BeEF Injection Framework
  • Neutralize ransomware before it takes control of your desktop
  • Dissect Android malware with JEB and DAD decompilers
  • Find one-day vulnerabilities with binary diffing

Recommended Reading
2012-07-23 Hacking Exposed 7: Network Security Secrets and Solutions McGraw-Hill Education

The latest tactics for thwarting digital attacks

"Our new reality is zero-day, APT, and state-sponsored attacks. Today, more than ever, security professionals need to get into the hacker's mind, methods, and toolbox to successfully deter such relentless assaults. This edition brings readers abreast with the latest attack vectors and arms them for these continually evolving threats." --Brett Wahlin, CSO, Sony Network Entertainment

"Stop taking punches--let's change the game; it's time for a paradigm shift in the way we secure our networks, and Hacking Exposed 7 is the playbook for bringing pain to our adversaries." --Shawn Henry, former Executive Assistant Director, FBI

Bolster your system's security and defeat the tools and tactics of cyber-criminals with expert advice and defense strategies from the world-renowned Hacking Exposed team. Case studies expose the hackers' latest devious methods and illustrate field-tested remedies. Find out how to block infrastructure hacks, minimize advanced persistent threats, neutralize malicious code, secure web and database applications, and fortify UNIX networks. Hacking Exposed 7: Network Security Secrets & Solutions contains all-new visual maps and a comprehensive countermeasures cookbook.

  • Obstruct APTs and web-based meta-exploits
  • Defend against UNIX-based root access and buffer overflow hacks
  • Block SQL injection, spear phishing, and embedded-code attacks
  • Detect and terminate rootkits, Trojans, bots, worms, and malware
  • Lock down remote access using smartcards and hardware tokens
  • Protect 802.11 WLANs with multilayered encryption and gateways
  • Plug holes in VoIP, social networking, cloud, and Web 2.0 services
  • Learn about the latest iPhone and Android attacks and how to protect yourself

Recommended Reading
2007-06-29 Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis (Addison-Wesley Software Security Series) Addison-Wesley Professional

The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there's a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Recommended Reading
2006-11-20 The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities Addison-Wesley Professional

The Definitive Insider's Guide to Auditing Software Security

This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for ripping apart applications to reveal even the most subtle and well-hidden security flaws.

The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.

Coverage includes:

  • Code auditing: theory, practice, proven methodologies, and secrets of the trade
  • Bridging the gap between secure software design and post-implementation review
  • Performing architectural assessment: design review, threat modeling, and operational review
  • Identifying vulnerabilities related to memory management, data types, and malformed data
  • UNIX/Linux assessment: privileges, files, and processes
  • Windows-specific issues, including objects and the filesystem
  • Auditing interprocess communication, synchronization, and state
  • Evaluating network software: IP stacks, firewalls, and common application protocols
  • Auditing Web applications and technologies

Module Resources

Journal Resources

---

URL Resources

Common Vulnerabilities/Secure-Coding Guidelines:

https://www.owasp.org

https://www.cert.org/secure-coding/

Other Resources

---

Additional Information

---