Module Code: |
H9SAD |
Long Title
|
Secure Application Development
|
Title
|
Secure Application Development
|
Module Level: |
LEVEL 9 |
EQF Level: |
7 |
EHEA Level: |
Second Cycle |
Module Coordinator: |
Arghir Moldovan |
Module Author: |
Andrea Del Campo Dugova |
Departments: |
School of Computing
|
Specifications of the qualifications and experience required of staff |
PhD/Master’s degree in a computing or cognate discipline. May have industry experience also.
|
Learning Outcomes |
On successful completion of this module the learner will be able to: |
# |
Learning Outcome Description |
LO1 |
Investigate and critically assess the impact of application security vulnerabilities on users of software products. |
LO2 |
Analyse the security considerations associated with the state-of-the-art security toolchains for creating security controls that prevent common application security vulnerabilities. |
LO3 |
Implement secure coding solutions that fix common software application security vulnerabilities. |
LO4 |
Investigate the Secure Software Development Framework (SSDF) as supporting mechanisms for secure application development. |
LO5 |
Critically assess secure coding guideline best practice and standards as applied to produce high level security controls for application development |
Dependencies |
Module Recommendations
This is prior learning (or a practical skill) that is required before enrolment on this module. While the prior learning is expressed as named NCI module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).
|
No recommendations listed |
Co-requisite Modules
|
No Co-requisite modules listed |
Entry requirements |
Programme entry requirements must be satisfied.
|
Module Content & Assessment
Indicative Content |
Introduction & module Overview followed by Impact of vulnerability exploits
Exploits: Examples of Identity Theft, data theft, ransom etc
Organisational level: Economic Cost, Reputational Cost, Legal Consequences.
|
Secure Coding Standards
Secure coding standards Cert Oracle or OWASP secure coding best practice, Principles of Secure Design
Input Validation
Output Encoding
Authentication and Password Management
Session Management
Access Control
Cryptographic Practices
Error Handling and Logging
|
Secure Coding Standards
Data Protection
Communication Security
System Configuration
Database Security
File Management
Memory Management
General Coding Practices
|
Understanding of how some exploits can happen
Password misuse, directory traversal, access control prevention, broken authentication etc
|
State of the art Tool Chains: The stack as a whole
Analyse the risk of applicable technology stacks (e.g., languages, environments, deployment models), and recommend or require the use of stacks that will reduce risk compared to others
|
State of the art Tool Chains: Individual tools
Evaluate, select, and acquire tools, and assess the security of each tool. Regular verification of tools
|
Software Security Checks
Define criteria for software security checks and track throughout the SDLC to prevent common application security vulnerabilities
|
Secure coding solutions The Problem:
Identify and explain the occurrence and consequence of a variety of the following: • Bugs • Exposure of sensitive data • Flaws in Injection • Buffer overflow • Security misconfiguration • Broken access control • Insecure deserialization • Broken/Missing Authentication
|
Secure coding solutions:
Examine a host of solutions to secure coding problems Part 1 with examples
|
Secure coding solutions:
Examine a host of solutions to secure coding problems Part 2 with examples
|
Testing Techniques
Testing Tools and Methodologies to find Bugs, Flaws, Black Box White Box Fuzz Testing Static Analysis & Dynamic Analysis
|
Secure Development Framework Part 1
Prepare The Organization
Protect Software
Produce Well Secured Software
Respond To Vulnerabilities
|
All Content Recap
Impact of application security vulnerabilities on users of software products
State of the art security toolchains for creating security controls Implement secure coding solutions that fix common software application security vulnerabilities
Critically assess Secure Software Development Framework (SSDF) as supporting mechanisms for secure application development.
|
Assessment Breakdown | % |
Coursework | 100.00% |
AssessmentsFull Time
Coursework |
Assessment Type: |
Formative Assessment |
% of total: |
Non-Marked |
Assessment Date: |
n/a |
Outcome addressed: |
1,2,3,4,5 |
Non-Marked: |
Yes |
Assessment Description: Formative assessment will be provided on the in-class individual or group activities. Feedback will be provided in written or oral format, or on-line through Moodle. In addition, in class discussions will be undertaken as part of the practical approach to learning. |
|
Assessment Type: |
Continuous Assessment |
% of total: |
30 |
Assessment Date: |
n/a |
Outcome addressed: |
1,5 |
Non-Marked: |
No |
Assessment Description: This assessment will consist of a written academic report supported by relevant research and conclusions. This will assess learners’ knowledge and competences on core secure application development concepts and methodologies covered so far. |
|
Assessment Type: |
Project |
% of total: |
70 |
Assessment Date: |
n/a |
Outcome addressed: |
1,2,3,4,5 |
Non-Marked: |
No |
Assessment Description: The terminal assessment will consist of a project that will evaluate all learning outcomes. Learners will have to develop a software application to a given specification utilising appropriate secure supplication development techniques, tools / frameworks / services. The final submission will consist of a written report and the implemented securely developed application. |
|
No End of Module Assessment |
Reassessment Requirement |
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.
|
Reassessment Description The reassessment strategy for this module will consist of a project that will assess all learning outcomes.
|
NCIRL reserves the right to alter the nature and timings of assessment
Module Workload
Module Target Workload Hours 0 Hours |
Workload: Full Time |
Workload Type |
Workload Description |
Hours |
Frequency |
Average Weekly Learner Workload |
Lecture |
Classroom and demonstrations |
24 |
Per Semester |
2.00 |
Tutorial |
Mentoring and small-group tutoring |
12 |
Per Semester |
1.00 |
Independent Learning |
Independent learning |
89 |
Per Semester |
7.42 |
Total Weekly Contact Hours |
3.00 |
Workload: Blended |
Workload Type |
Workload Description |
Hours |
Frequency |
Average Weekly Learner Workload |
Lecture |
Classroom and demonstrations |
12 |
Per Semester |
1.00 |
Tutorial |
Mentoring and small-group tutoring |
12 |
Per Semester |
1.00 |
Directed Learning |
Directed e-learning |
12 |
Per Semester |
1.00 |
Independent Learning |
Independent learning |
89 |
Per Semester |
7.42 |
Total Weekly Contact Hours |
3.00 |
Workload: Part Time |
Workload Type |
Workload Description |
Hours |
Frequency |
Average Weekly Learner Workload |
Lecture |
Classroom and demonstrations |
24 |
Per Semester |
2.00 |
Tutorial |
Mentoring and small-group tutoring |
12 |
Per Semester |
1.00 |
Independent Learning |
Independent learning |
89 |
Per Semester |
7.42 |
Total Weekly Contact Hours |
3.00 |
Module Resources
Recommended Book Resources |
---|
-
Daniel Deogun,Dan Bergh Johnsson,Daniel Sawano. (2019), Secure By Design, Manning Publications, [ISBN: 978-1617294358].
-
Loren Kohnfelder. (2021), Designing Secure Software: A Guide for Developers, No Starch Press, p.330, [ISBN: 978-1718501928].
| Supplementary Book Resources |
---|
-
Gerardus Blokdyk. (2020), Software Security Vulnerability A Complete Guide - 2020 Edition, 5STARCooks, p.310, [ISBN: 978-1867321460].
| This module does not have any article/paper resources |
---|
Other Resources |
---|
-
[Website], OWASP Secure Coding Practices Quick
Reference Guide (PDF),
-
[Website], SEI CERT Oracle Coding Standard for Java,
|
|