SP: Secure Programming
Welcome to Secure Programming
Learning Outcomes
On successful completion of this course, you should be able to:
- Know how to respond to security alerts specifying CVE ID numbers which identify software issues
- Identify possible security programming errors when conducting code reviews in languages such as Java, C or Python
- Define a methodology for security testing and use appropriate tools in its implementation
- Apply new security-enhanced programming models and tools which help ensure security goals, e.g., with access control, information flow tracking, protocol implementation, or atomicity enforcement
Course Outline
- Security maintenance of deployed software systems, including "penetrate-and-patch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy). Software security lifecycles and security activities (e.g., as in BSIMM).
- Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.
- Low-level programming platforms and their (in)security provisions, for example memory safety, type safety, process isolation, capabilities and permissions.
- Web programming platforms and security provisions. HTTP protocol, forms, client-side and server-side threats and their avoidance.
- Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.
- Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.
- Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.
- Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.
License
All rights reserved The University of Edinburgh