H9SPAD - Secure Programming for Application Development
Module Code:
H9SPAD
Long Title
Secure Programming for Application Development
Title
Secure Programming for Application Development
Module Level:
LEVEL 9
EQF Level:
7
EHEA Level:
Second Cycle
Credits:
5
Module Coordinator:
MICHAEL BRADFORD
Module Author:
Margarete Silva
Departments:
School of Computing
Specifications of the qualifications and experience required of staff
Learning Outcomes
On successful completion of this module the learner will be able to:
#
Learning Outcome Description
LO1
Investigate and critically assess the impact of application security vulnerabilities on users of software products.
LO2
Investigate and critically assess the state of the art in the latest programming paradigms to create security controls that prevent common application security vulnerabilities.
LO3
Design and develop solutions that fix common software application security vulnerabilities.
Dependencies
Module Recommendations
This is prior learning (or a practical skill) that is required before enrolment on this module. While the prior learning is expressed as named NCI module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).
No recommendations listed
Co-requisite Modules
No Co-requisite modules listed
Entry requirements
Module Content & Assessment
Indicative Content
Introduction (10%)
· Security support for programming languages
· Seven Pernicious Kingdoms
· Native Code Exploitation Principles
· Stack and Function Call
Principles of Secure Design (15%)
· Least privilege and isolation
· Fail-safe defaults
· End-to-end security
· Defence in depth
· Security by design
· Threat modelling
· Tensions between security and other design goals
OS Exploit Mitigation (15%)
· Data Execution Prevention/Non-Executable Stack/Heap
· Return-to-libc and Return Oriented programming
· Address Space Layout Randomisation
· Heap Spray
Input Validation (20%)
· Buffer Overflow Exploitation
· Mitigating Controls: Canaries/Security Cookies/FORTIFY_SOURCE
· Heap Overflows
· Recommendations for Buffer Overflow
· Command Injection
· Recommendations for Command Injection
· Format String Vulnerabilities
· Recommendations for Format Strings
· Integer Issues
· Integer Overflow Exploitation
· Recommendations for Integer Issues
Time and State (15%)
· Race Conditions & TOCTOU
· Classic Unix TOCTOU access()/fopen()
· Recommendations for File system TOCTOU
· Insecure Temporary File
· Recommendations for Temporary Files
Assessment Description: Practical work will be conducted throughout the semester to assess the learner’s evaluation skills in terms of secure design strategies and secure application development.
Assessment Type:
Project
% of total:
40
Assessment Date:
n/a
Outcome addressed:
2,3
Non-Marked:
No
Assessment Description: Students are required to complete a practical where they find and fix security vulnerabilities in a software application.
No End of Module Assessment
No Workplace Assessment
Reassessment Requirement
Coursework Only This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.
NCIRL reserves the right to alter the nature and timings of assessment
Module Workload
Module Target Workload Hours 0 Hours
Workload: Full Time
Workload Type
Workload Description
Hours
Frequency
Average Weekly Learner Workload
Lecture
No Description
1
Every Week
1.00
Tutorial
No Description
2
Every Week
2.00
Independent Learning
No Description
7.5
Every Week
7.50
Total Weekly Contact Hours
3.00
Module Resources
Recommended Book Resources
R. C. Seacord. (2014), Secure Coding in C and C++, 2nd Edition. Addison-Wesley Professional.
J. C. Foster. (2005), Buffer Overflow Attacks: Detect, Exploit, Prevent, Syngress Press.
Supplementary Book Resources
D. LeBlank, M. Howard. (2004), Writing Secure Code, 2nd Edition. Microsoft Press.
J. Viega. (2003), Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More, O'Reilly Media.
This module does not have any article/paper resources