EventoWeb
Zürcher Hochschule für Angewandte Wissenschaften
[
German (Switzerland)
German (Switzerland)
] [
English
English
]
Not registered
[home]
[Login]
[Print]
Navigation
Kontakt zu Service Desk
Online-Dokumentation
Allgemeiner Zugriff
Module suchen
t.BA.WV.SWS1-EN.19HS (Software and System Security 1)
Module: Software and System Security 1
This information was generated on: 25 April 2024
No.
t.BA.WV.SWS1-EN.19HS
Title
Software and System Security 1
Organised by
T InIT
Credits
4
Description
Version: 5.0 start 01 August 2022
Short description
In this module you will learn how to develop secure software and systems. This is done using various methods and tools such as Security Requirements Engineering, Threat Modeling, Security Design & Controls, Secure Coding and Penetration Testing, all of which will be discussed comprehensively in the module.
Module coordinator
Rennhard, Marc (rema)
Learning objectives (competencies)
Objectives
Competences
Taxonomy levels
You understand the overall secure software development lifecycle and the security activities that must be employed during the different phases; and you can apply these activities to any given software development process.
D, M
K2, K3
You know methods and tools to detect security vulnerabilities in implemented systems and you can apply these methods and tools to find and exploit vulnerabilities on your own. This is called penetration testing.
D, M
K3, K4, K5
You know methods to analyze the security of a system design and you can apply these methods to uncover conceptual security design flaws. This is identified as threat modeling.
D, M
K3, K4, K5
You are capable of designing secure systems by defining appropriate security requirements and by integrating suitable security controls into a system design.
D, M
K3, K6
You are capable of developing secure applications. For this, Java will be used as the example language and technology, but most what you learn can directly be applied be applied to other languages and technologies.
D, M
K3, K6
Module contents
News about massive data breaches or other security incidents are prevalent. The root causes are usually vulnerabilities in software and systems and the main reason why we have so many security vulnerabilities today is because many software engineers neither have profound knowledge about how to build secure IT systems, nor do they understand the attacks and threats that exist against these systems. In addition, many software engineers believe that knowing programming languages and frameworks, understands good software design, and applying agile development processes is sufficient to build secure software. But they are completely wrong: Security in software does not happen automatically. Instead, a good software engineer must
actively take care of security during the entire software lifecycle
, and this requires separate skills that have to be learned and mastered.
In this module, you will learn how to develop secure software and systems, which includes all phases of the development process.
For example, when specifying requirements, you will learn to ask the question «what can possibly go wrong, and how bad will it be?». Based on the derived security requirements, you will then learn how to design and implement secure software in practice so it can withstand cyber attacks. And furthermore, you will learn some hacking skills, because to become a security-aware software engineer, you have to know the hacker mindset. This also includes learning how to do a penetration test of your own software and of the software of others.
This module is highly recommended for everyone who plans to be involved in software engineering during the professional career and of course also for those who are interested generally in information security. A follow-up module, Software and System Security 2, elaborates on some topics, but also introduces new ones. We recommend that you take both modules, but it is also possible to take only the first one as a standalone module.
The following topics are covered, in theory and practical application:
Secure Software Development Process
Introduction to software security
The secure development lifecycle
Fundamental security principles
Security requirements engineering and threat modeling
Security risk analysis
Security Testing
Web application security testing
Security testing tools: static code analysis and vulnerability scanners
Practical Secure Software Development
Typical security-relevant programming errors and how to exploit them (buffer overflows, input validation issues, race conditions,...)
Java security libraries for cryptographic operations and secure communication
Secure development of traditional (run mostly server-side and serve full HTML pages) and modern (Single Page Applications with REST APIs in the backend) web applications (authentication, access control, secure database access, input validation, session handling, JSON Web Tokens, prevention of vulnerabilities such as XSS and CSRF,...)
The theory part (lecture part) will be done through self-study, by means of pre-produced learning videos (screencasts). The videos contain integrated learning control questions so that you receive immediate feedback. The lab takes place on site, in classroom. In the lab exercises, you will work on practical problems related to the main topics of the lecture Also, as part of the lab, you will work on several hacking challenges from an attacker's perspective throughout the semester to continuously improve your penetration testing skills.
Teaching materials
Learning videos (screencasts) with learning control questions for the theory part (lecture part)
Slides used in the learning videos, including additional comments
Lab exercises including instructions
Hacking challenges including instructions
Supplementary literature
There's no single book that covers all topics discussed in the module. To learn more about specific topics, the following books are well suited:
Gary McGraw. Software Security: Building Security In. Addison-Wesley Longman, ISBN 978-0321356703 (focus on overall secure development process)
Neil Daswani, Christoph Kern and Anita Kesavan. Foundations of Security: What every Programmer needs to know. Apress, ISBN 978-1590597842 (focus on security design and secure coding)
Dafydd Stuttard and Marcus Pinto: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Wiley, ISBN 978-1118026472 (focus on web application penetration testing)
Brook S.E. Schoenfield. Securing Systems. CRC Press, ISBN 978-1482233971 (focus on security analysis and threat modeling)
Prerequisites
The module IT-Sicherheit (basic study) must have been taken.
Teaching language
( ) German (X) English
Part of International Profile
(X) Yes ( ) No
Module structure
Type 3a
For more details please click on this link:
T_CL_Modulauspraegungen_SM2025
Exams
Description
Type
Form
Scope
Grade
Weighting
Graded assignments during teaching semester
Graded lab exercises and hacking challenges
Written and oral
Points that are added to the points achieved in the final exam
20%
End-of-semester exam
Exam
Written
90 minutes
Final grade
80%
Remarks
Legal basis
The module description is part of the legal basis in addition to the general academic regulations. It is binding. During the first week of the semester a written and communicated supplement can specify the module description in more detail.
Note
Additional available versions:
4.0 start 01 February 2021
,
2.0 start 01 August 2021
Course: Software and System Security 1 - Praktikum
No.
t.BA.WV.SWS1-EN.19HS.P
Title
Software and System Security 1 - Praktikum
Note
No module description is available in the system for the cut-off date of 25 April 2024.
Course: Software and System Security 1 - Vorlesung
No.
t.BA.WV.SWS1-EN.19HS.V
Title
Software and System Security 1 - Vorlesung
Note
No module description is available in the system for the cut-off date of 25 April 2024.