IS2S582 - Secure Software Development 04 Feb 2019 - 31 Aug 2027 | Version 1
Associated Module Information
| Module Code: | IS2S582 | | |
|---|---|---|---|
| Module Title: | Secure Software Development | | |
| Faculty: | Faculty of Computing, Engineering and Science | | |
| Faculty Group: | Information and Electronics | | |
| Faculty Sub Group: | Informatics | | |
| Module Leader: | Emlyn Everitt, Ian Fitzell | | |
| Module Team: | | | |
| First Intended Intake: | SEP 2019 | Final Year of Intake: | |
| Date Closed: | | | |
| Credit Value: | 20 | Credit Level: | 5 |
| Language: | English | | |
| Percentage of Module Taught in Welsh: | 0 | | |
| Equivalent Module: | | | |
| HECOS codes: | | | |
| HECOS Code Weighting: | | | |
Document Version Information
| Version | 1 |
|---|---|
| Valid From | 04 Feb 2019 |
| Valid To | 31 Aug 2027 |
Module Aims
To enable students:
- to describe the requirements for integrating security into the software development lifecycle;
- to apply the concepts of the Design Principles for Protection Mechanisms, the Principles for Software Security, and the Principles for Secure Design on a software development project;
- to develop specifications for a software development effort that fully specify the functional requirements and identify the expected execution paths;
- to describe software development best practices for minimising vulnerabilities in programming code; and
- to conduct a security verification and assessment (static and dynamic) of a software application.
Content Summary
The module introduces the underlying tenets of software security (i.e. confidentiality, integrity, availability, authentication, authorisation, auditing). Then, possibly using the software development lifecycle as a structuring element, the module includes but is not necessarily restricted to the following:
- Secure software specifications and requirements (e.g. requirement definitions, interaction of software with its intended environment including ethical issues, standards, legal requirements & regulatory processes and compliance, risk & hazard analysis)
- Principles of secure software design and development, configuration management, coding practices (e.g. least privilege, fail-safe defaults, end-to-end, idioms, patterns, mechanisms for building quality programs, maintenance, complete mediation, security composability, threat modelling) and defensive coding (e.g. exception handling, input validation, race conditions, type safe languages, third-party components, deployment)
- Security problems in programs (e.g. buffer and other types of overflows, race conditions, improper initialisation including the choice of privileges, and checking of input)
- Validation, verification, quality assurance and their tools (e.g. concepts, walkthroughs, reviews, audits, inspections, formal methods, error/fault estimation, planning), and testing (e.g. benchmarking, static/dynamic analysis, defect tracking, limitations, conformance to specifications, usability, reliability, test plan creation, black box / white box)
- Deployment of software with secure features (e.g. defence in depth, post-mortem analysis of selected cases, release management)
Learning and Teaching Methods
| Activity Type | Hours |
|---|---|
| Lecture | 10 |
| Practical classes and workshops | 10 |
| Work based learning | 80 |
| Directed Study | 28 |
| Formative Assessment - Independent | 72 |
| Total Hours Selected | 200 |
Learning Outcomes
| # | Learning Outcome |
|---|---|
| LO1 | To be able to describe and implement the integration of security into the software development life-cycle, and to reflect on best practice in minimising code vulnerabilities. |
| LO2 | To be able to conduct static and dynamic security verification and assessment of a software application. |
Module Requisites
N/A
Assessment Criteria
| Assessment Category | Assessment Type | Description | Duration | Word Count | Weight (%) | Best of? | Pass Mark |
|---|---|---|---|---|---|---|---|
| Practical Assessment (CW) | Practical Coursework 1 | Apply security principles to a software application, drawing on knowledge and material presented, supplemented by personal research and/or requirements specification from company. | 0 | 2000 | 60 | No | 40 |
| Written Assignment (CW) | Report (CW) 1 | Conduct a security verification and assessment of a software application, drawing on knowledge and material presented, supplemented by personal research and/or requirements specification from company. | 0 | 3000 | 40 | No | 40 |
Assessment Matrix
| Assessment Type | LO1 | LO2 |
|---|---|---|
| Practical Coursework 1 | ✔ | ✔ |
| Report (CW) 1 | ✔ | ✔ |