SP: Secure Programming

illustration of a padlock, with the words "Secure Programming"

Welcome to Secure Programming

Learning Outcomes

On successful completion of this course, you should be able to: 

  1. Know how to respond to security alerts specifying CVE ID numbers which identify software issues
  2. Identify possible security programming errors when conducting code reviews in languages such as Java, C or Python
  3. Define a methodology for security testing and use appropriate tools in its implementation
  4. Apply new security-enhanced programming models and tools which help ensure security goals, e.g.,with access control, information flow tracking, protocol implementation, or atomicity enforcement

Course Outline

  • Security maintainance of deployed software systems, including "penetrate-and-patch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy).
  • Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.
  • Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.
  • Low-level programming platforms, VMs and their security provisions, for example including process isolation, capabilities and permissions. Mobile operating system platforms as examples.
  • Web programming platforms and security provisions. HTTP protocol, forms, clientside and server-side threats and their avoidance.
  • High-level and Enterprise security programming, including cryptography via cryptographic libraries, authentication via GSSAPI.
  • Security APIs and their distinction from cryptography APIs. Use and design of security APIs for key management, hashing and encryption. Implementation in hardware and software.
  • Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.
  • Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.
  • Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.
License
All rights reserved The University of Edinburgh