Welcome to Secure Programming
Learning Outcomes
On successful completion of this course, you should be able to:
- Know how to respond to security alerts specifying CVE ID numbers which identify software issues
- Identify possible security programming errors when conducting code reviews in languages such as Java, C or Python
- Define a methodology for security testing and use appropriate tools in its implementation
- Apply new security-enhanced programming models and tools which help ensure security goals, e.g., with access control, information flow tracking, protocol implementation, or atomicity enforcement
Course Outline
- Security maintenance of deployed software systems, including "penetrate-and-patch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy).
- Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.
- Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.
- Low-level programming platforms, VMs and their security provisions, including, for example, process isolation, capabilities and permissions. Mobile operating system platforms as examples.
- Web programming platforms and security provisions. HTTP protocol, forms, client-side and server-side threats and their avoidance.
- High-level and Enterprise security programming, including cryptography via cryptographic libraries, authentication via GSSAPI.
- Security APIs and their distinction from cryptography APIs. Use and design of security APIs for key management, hashing and encryption. Implementation in hardware and software.
- Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.
- Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.
- Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.
License
All rights reserved The University of Edinburgh