CS2S562 - Secure Software Development 01 Sep 2022 - 01 Aug 2028 | Version 3

Associated Module Information

Module Code: CS2S562
Module Title: Secure Software Development
Faculty: Faculty of Computing, Engineering and Science
Faculty Group: Computing and Mathematical Sciences
Faculty Sub Group: Computer Science
Module Leader: Janusz Kulon
Module Team: Christopher Tubb, Alun King, Jennifer Whewell
First Intended Intake: SEP 2016
Final Year of Intake:
Date Closed:
Credit Value: 20
Credit Level: 5
Language: English
Percentage of Module Taught in Welsh: 0
Equivalent Module:
HECOS codes: 100956 - programming
HECOS Code Weighting: 100

Document Version Information

Version 3
Valid From 01 Sep 2022
Valid To 01 Aug 2028

Module Aims

To enable students to:

  • describe the requirements for integrating security into the software development lifecycle;
  • apply the concepts of the Design Principles for Protection Mechanisms, the Principles for Software Security, and the Principles for Secure Design on a software development project;
  • develop specifications for a software development effort that fully specify functional requirements and identify the expected execution paths;
  • describe software development best practices for minimising vulnerabilities in programming code; and
  • conduct a security verification and assessment (static and dynamic) of a software application.

Content Summary

The module introduces the underlying tenets of software security (i.e. confidentiality, integrity, availability, authentication, authorisation, auditing). Then, possibly using the software development lifecycle as a structuring element, the module includes but is not necessarily restricted to:

Secure software specifications and requirements (e.g. requirement definitions, interaction of software with its intended environment including ethical issues, standards, legal requirements & regulatory processes and compliance, risk & hazard analysis)

Principles of secure software design and development, configuration management, coding practices (e.g. least privilege, fail-safe defaults, end-to-end, idioms, mechanisms for building quality programs, maintenance, complete mediation, security composability, threat modelling) and defensive coding (e.g. exception handling, input validation, race conditions, type safe languages, third-party components, deployment)

Security problems in programs (e.g. buffer and other types of overflows, race conditions, improper initialization, including choice of privileges, checking input)

Validation, verification, quality assurance and their tools (e.g. concepts, walkthroughs, reviews, audits, inspections, formal methods, error/fault estimation, planning); testing (e.g. benchmarking, static/dynamic analysis, defect tracking, limitations, conformance to specifications, usability, reliability, test plan creation, black box / white box, unit testing)

Application of secure software design patterns (Authenticator & Authorization, Secure Logger, Secure Builder, Secure Command)

Deployment of software with secure features (e.g. defence in depth, post-mortem analysis of selected cases, release management)

Learning and Teaching Methods

Activity Type Hours
Lecture 24
Practical classes and workshops 24
Independent Study 72
Directed Study 80
Total Hours Selected 200

Learning Outcomes

# Learning Outcome
LO1 To be able to describe the integration of security into the software development life-cycle and reflect on best practice in minimising code vulnerabilities.
LO2 To be able to apply principles of protection mechanisms, software security and secure design patterns.
LO3 To be able to conduct static and dynamic security verification and assessment of a software application.

Module Requisites

N/A

Assessment Criteria

Assessment Category | Assessment Type | Description | Duration | Word Count | Weight (%) | Best of? | Pass Mark
Asynchronous Assessment | Practical Written Work 1 | Asynchronous Assessment | 0 | 2000 | 40 | No | 40
Asynchronous Assessment | Practical Coursework 1 (Asynch) | Apply security principles to a software application | 0 | 3000 | 60 | No | 40

Assessment Matrix

Assessment Type Learning Outcomes
LO1 LO2 LO3
Practical Written Work 1
Practical Coursework 1 (Asynch)

Reading List

Merkow, M. S. and Raghavan, L. (2010) Secure and Resilient Software Development. Auerbach Publications. ISBN-13: 978-1439826966. Preview: https://books.google.co.uk/books?isbn=1498759610

Seacord, R. (2013) Secure Coding in C and C++ (SEI Series in Software Engineering), 2nd edition. Addison-Wesley. ISBN-13: 978-0321822130. Preview: http://resources.sei.cmu.edu/asset_files/BookChapter/2005_009_001_52692.pdf

Basin, D., Schaller, P. and Schlapfer, M. (2011) Applied Information Security: A Hands-on Approach. Springer. ISBN-13: 978-3642244735. Preview: https://books.google.co.uk/books?isbn=3642244742

Howard, M. and LeBlanc, D. (2003) Writing Secure Code, 2nd edition. Microsoft Press. ISBN-13: 978-0735617223. Available as a free download from Pearson: https://ptgmedia.pearsoncmg.com/images/9780735617223/samplepages/9780735617223.pdf

BCS 'Code of Practice' (available at: http://bcs.org/upload/pdf/cop.pdf), in particular sections 3.3 (Security), 3.4 (Safety Engineering), 3.6 (Quality Management) and chapter 5 (Requirements Analysis and Specification, Software Development, System Installation, Training, System Operations, Support and Maintenance)

Fernandez, E. B. (2013) Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. West Sussex, United Kingdom: Wiley. ISBN-10: 1119998948