| Long Title: | Secure Application Programming |
| Language of Instruction: | English |
| Field of Study: | Software and applications development and analysis |
| Module Coordinator: | Eugene McLaughlin |
| Module editor: | Eugene McLaughlin |
| Teaching and Learning Strategy: |
Teaching & Learning will take place via lectures, lab work, case studies, class discussions and a project.
This module is suitable for blended delivery. Techniques such as the flipped classroom, online videos showing step-by-step instructions, links to extra material available on the Internet, and the Moodle forum may be used. Learners may also use collaborative tools for the development of the project.
The practical work will be submitted online on Moodle.
|
| Learning Environment: |
Learning will take place in both a classroom and computer laboratory environment with access to IT resources. Learners will have access to library resources, both physical & electronic and to faculty outside of the classroom where required. Module materials will be placed on Moodle, the College’s virtual learning environment. |
| Module Description: |
The aim of the module is to investigate secure programming in the context of web applications. The module illustrates secure programming principles and analyses common application vulnerabilities. This module will also ensure students gain technical skills to mitigate exploits of these vulnerabilities. This module will also investigate best practices by the adoption of secure coding practices and processes associated with a secure software development lifecycle. |
| Learning Outcomes |
| On successful completion of this module the learner will be able to: |
| LO1 | Identify and analyse common vulnerabilities of web applications and investigate counter-measures to mitigate the threats to applications resulting from such vulnerabilities. |
| LO2 | Develop and implement code-based solutions to secure web applications from a set of prominent threats and attack vectors. |
| LO3 | Examine and implement secure coding practices and apply secure software development lifecycle processes. |
| LO4 | Identify a set of tools and techniques that can be utilized to identify vulnerabilities in web applications and establish how such tools and techniques can be subsequently utilized to develop solutions to strengthen application security. |
| Pre-requisite learning |
Module Recommendations
This is prior learning (or a practical skill) that is required before enrolment on this module. While the prior learning is expressed as named NCI module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).
|
| No recommendations listed |
Requirements
This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.
|
| No requirements listed |
Module Content & Assessment
| Indicative Content |
|
Introduction and Overview (10%)
• Definitions
• Software Security Application Landscape
• Secure Coding
• Common Security Mistakes
|
|
Software Development Cycle – Security Placement (10%)
• Software Development Lifecycle (SDLC)
• Different Phases of SDLC and Security aspects
• Risk Assessment and Threat Modelling
• Vulnerability Cycle
• Secure Architecture
|
|
Web Security Model (5%)
• Browser security model including same-origin policy
• Client-server trust boundaries, e.g., cannot rely on secure execution in the client
|
|
Client-side Security (20%)
• Cookies security policy
• HTTP security extensions, e.g. HSTS
• Plugins, extensions, and web apps
• Web user tracking
• HTML 5 security
• JavaScript security
|
|
Server-side Security (5%)
• Secure server configuration
• Tools (e.g. Web Application Firewalls (WAFs) and fuzzers)
|
|
Application Vulnerabilities & Defences (30%)
• Input validation and output encoding
• XSS (Cross Site Scripting)
• CSRF (Cross Site Request Forgery)
• XSS, CSRF prevention
• SQL and NoSQL injection
• SQL and NoSQL injection prevention
• Other injection attacks (e.g., OS command injection, CRLF injection)
• XML security and parsing vulnerabilities
• Clickjacking
• Clickjacking prevention
|
|
Session Management (10%)
• Authentication and authorization
• Secure session lifecycle
• Managing session state
|
|
Security Testing (10%)
• OWASP Testing Guide
• Application Testing
• Tools for security testing
|
| Assessment Breakdown | % |
| Coursework | 100.00% |
Full Time
| Coursework |
| Assessment Type | Assessment Description | Outcome addressed | % of total | Assessment Date |
| Continuous Assessment (0200) | Practical work will be conducted throughout the semester to assess the learner’s evaluation skills in terms of vulnerability identification and secure application development. | 1,2,3,4 | 50.00 | Every Week |
| Project (0050) | Learners are required to complete a project where they follow a secure software development lifecycle process to develop a web application that is coded to mitigate threats from a set of common attack vectors (e.g., XSS, CSRF, SQL Injection). Learners must also compile an associated report detailing the development process and how security characteristics have been incorporated into the working application. | 2,3,4 | 50.00 | n/a |
| No End of Module Assessment |
| Reassessment Requirement |
Repeat examination
Reassessment of this module will consist of a repeat examination. It is possible that there will also be a requirement to be reassessed in a coursework element.
|
Reassessment Description: Learners who fail this module will be required to sit a repeat module assessment where all learning outcomes will be examined.
|
NCIRL reserves the right to alter the nature and timings of assessment
Module Workload
| Workload: Full Time |
| Workload Type | Workload Description | Hours | Frequency | Average Weekly Learner Workload |
| Lecture | No Description | 24 | Every Week | 24.00 |
| Tutorial | No Description | 12 | Every Week | 12.00 |
| Independent Learning Time | No Description | 89 | Every Week | 89.00 |
| Total Hours | 125.00 |
| Total Weekly Learner Workload | 125.00 |
| Total Weekly Contact Hours | 36.00 |
| Workload: Part Time |
| Workload Type | Workload Description | Hours | Frequency | Average Weekly Learner Workload |
| Independent Learning Time | No Description | 89 | Every Week | 89.00 |
| Tutorial | No Description | 12 | Every Week | 12.00 |
| Lecture | No Description | 24 | Every Week | 24.00 |
| Total Hours | 125.00 |
| Total Weekly Learner Workload | 125.00 |
| Total Weekly Contact Hours | 36.00 |
Module Resources
| Recommended Book Resources |
|---|
- D. Stuttard, M. Pinto 2011, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Ed., Wiley
- M. Zalewski 2011, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press
- Matt Bishop 2015, Computer Security: Art and Science, Addison-Wesley Professional
- J. Manico 2014, Iron-Clad Java: Building Secure Web Applications, McGraw-Hill Education
| | Supplementary Book Resources |
|---|
- J. P. Mueller 2015, Security for Web Developers: Using JavaScript, HTML, and CSS, O’Reilly Media
| | This module does not have any article/paper resources |
|---|
| Other Resources |
|---|
- Website: Web for Pentester
- Website: Web for Pentester 2
- Website: OWASP
- Website: Burp Suite
|
Module Delivered in
|