EventoWeb
Zürcher Hochschule für Angewandte Wissenschaften
[
German (Switzerland)
German (Switzerland)
] [
English
English
]
Not registered
[home]
[Login]
[Print]
Navigation
Kontakt zu Service Desk
Online-Dokumentation
Allgemeiner Zugriff
Module suchen
t.BA.IT.SWS1-EN.15HS (Software and System Security 1)
Module: Software and System Security 1
This information was generated on: 29 April 2024
No.
t.BA.IT.SWS1-EN.15HS
Title
Software and System Security 1
Organised by
T InIT
Credits
4
Description
Version: 5.0 start 01 August 2018
Module coordinator:
Rennhard, Marc (rema)
Learning objectives:
Objectives
Competences
Taxonomy levels
You understand the overall secure software development lifecycle and the security activities that must be employed during the different phases; and you can apply these activities to any given software development process.
D, M
K2, K3
You know methods and tools to detect security vulnerabilities in implemented systems and you can apply these methods and tools to find and exploit vulnerabilities on your own. This is called penetration testing.
D, M
K3, K4, K5
You know methods to analyze the security of a system design and you can apply these methods to uncover conceptual security design flaws. This is often identified as threat modeling.
D, M
K3, K4, K5
You are capable of designing secure systems by defining appropriate security requirements and by applying typical secure design principles.
D, M
K3, K6
You are capable of developing secure applications. For this, Java will be used as the example language and technology, but most what you learn can directly be applied be applied to other languages and technologies.
D, M
K3, K6
Module contents:
News about massive data breaches or other security incidents are prevalent. The root causes are usually vulnerabilities in software and systems and the main reason why we have so many security vulnerabilities today is because many software engineers neither have profound knowledge about how to build secure IT systems, nor do they understand the attacks and threats that exist against these systems. In addition, many software engineers believe that knowing programming languages and frameworks, understands good software design, and applying agile development processes is sufficient to build secure software. But they are completely wrong: Security in software does not happen automatically. Instead, a good software engineer must
actively take care of security during the entire software lifecycle
, and this requires separate skills that have to be learned and mastered.
In this module, you will learn how to develop secure software and systems, which includes all phases of the development process.
For example, when specifying requirements, you will learn to ask the question «what can possibly go wrong, and how bad will it be?». Based on the derived security requirements, you will then learn how to design and implement secure software in practice so it can withstand cyber attacks. And furthermore, you will learn some hacking skills, because to become a security-aware software engineer, you have to know the hacker mindset. This also includes learning how to do a penetration test of your own software and of the software of others.
This module is highly recommended for everyone who plans to be involved in software engineering during the professional career and of course also for those who are interested generally in information security. A follow-up module, Software and System Security 2, elaborates on some topics, but also introduces new ones. We recommend that you take both modules, but it is also possible to take only the first one as a standalone module.
Module content:
Secure Software Development Process (10 lessons)
- Introduction to software security
- The secure development lifecycle
- Security design principles
- Security requirements engineering and threat modeling
- Security risk analysis
Security Testing (6 lessons)
- Web application security testing
- Security testing tools: static code analysis and vulnerability scanners
Practical Secure Software Development (12 lessons)
- Typical security-relevant programming errors and how to exploit them (buffer overflows, input validation issues, race conditions,...)
- Java security libraries for cryptographic operations and secure communication
- Secure development of web applications and web services, using Java EE as the example technology (authentication, access control, prevention of vulnerabilities,...)
In the labs, you will work on practical problems corresponding to all major topics covered in the lecture. The tasks are a mix of security analysis, security design, security testing and secure software development with Java
.
Literature:
Lecture slides with additional comments.
Supplementary literature:
There's no single book that covers all topics discussed in the module. To learn more about specific topics, the following books are well suited:
Gary McGraw. Software Security: Building Security In. Addison-Wesley Longman, ISBN 978-0321356703 (focus on overall secure development process)
Neil Daswani, Christoph Kern and Anita Kesavan. Foundations of Security: What every Programmer needs to know. Apress, ISBN 978-1590597842 (focus on security design and secure coding)
Dafydd Stuttard and Marcus Pinto: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Wiley, ISBN 978-1118026472 (focus on web application penetration testing)
Brook S.E. Schoenfield. Securing Systems. CRC Press, ISBN 978-1482233971 (focus on security analysis and threat modeling)
Prerequisites:
The module IT-Sicherheit (basic study) must have been taken.
Teaching language:
English
Module structure:
Form of instruction:
Number of lessons per week:
Lecture:
14*2
Labs:
14*2
Block course:
Exams:
The regulation on graded class assignments is binding. However, it may be waived if a formal, written request is made by the lecturer in the first week of the semester.
Designation
Type
Form
Scope
Grade
Weighting
Graded assignments during teaching semester
Graded labs
Written and oral
All labs
Points that are added to the points achieved in the final exam
20%
End-of-semester exam
Exam
Written
90 minutes
Grading
80%
Remarks:
Note
Additional available versions:
1.0 start 01 February 2015
,
3.0 start 01 August 2015
,
4.0 start 01 August 2017
Course: Software and System Security 1 - Praktikum
No.
t.BA.IT.SWS1-EN.15HS.P
Title
Software and System Security 1 - Praktikum
Note
No module description is available in the system for the cut-off date of 29 April 2024.
Course: Software and System Security 1 - Vorlesung
No.
t.BA.IT.SWS1-EN.15HS.V
Title
Software and System Security 1 - Vorlesung
Note
No module description is available in the system for the cut-off date of 29 April 2024.