t.BA.WV.SWS1-EN.19HS (Software and System Security 1) 
Module: Software and System Security 1
This information was generated on: 01 October 2022
No.
t.BA.WV.SWS1-EN.19HS
Title
Software and System Security 1
Organised by
T InIT
Credits
4

Description

Version: 5.0 start 01 August 2022
 

Short description

In this module you will learn how to develop secure software and systems. This is done using various methods and tools such as Security Requirements Engineering, Threat Modeling, Security Design & Controls, Secure Coding and Penetration Testing, all of which will be discussed comprehensively in the module.

Module coordinator

Rennhard, Marc (rema)

Learning objectives (competencies)

Objectives Competences Taxonomy levels
You understand the overall secure software development lifecycle and the security activities that must be employed during the different phases; and you can apply these activities to any given software development process. D, M K2, K3
You know methods and tools to detect security vulnerabilities in implemented systems and you can apply these methods and tools to find and exploit vulnerabilities on your own. This is called penetration testing. D, M K3, K4, K5
You know methods to analyze the security of a system design and you can apply these methods to uncover conceptual security design flaws. This is identified as threat modeling. D, M K3, K4, K5
You are capable of designing secure systems by defining appropriate security requirements and by integrating suitable security controls into a system design. D, M K3, K6
You are capable of developing secure applications. For this, Java will be used as the example language and technology, but most what you learn can directly be applied be applied to other languages and technologies. D, M K3, K6

Module contents

News about massive data breaches or other security incidents are prevalent. The root causes are usually vulnerabilities in software and systems and the main reason why we have so many security vulnerabilities today is because many software engineers neither have profound knowledge about how to build secure IT systems, nor do they understand the attacks and threats that exist against these systems. In addition, many software engineers believe that knowing programming languages and frameworks, understands good software design, and applying agile development processes is sufficient to build secure software. But they are completely wrong: Security in software does not happen automatically. Instead, a good software engineer must actively take care of security during the entire software lifecycle, and this requires separate skills that have to be learned and mastered. 

In this module, you will learn how to develop secure software and systems, which includes all phases of the development process. For example, when specifying requirements, you will learn to ask the question «what can possibly go wrong, and how bad will it be?». Based on the derived security requirements, you will then learn how to design and implement secure software in practice so it can withstand cyber attacks. And furthermore, you will learn some hacking skills, because to become a security-aware software engineer, you have to know the hacker mindset. This also includes learning how to do a penetration test of your own software and of the software of others.

This module is highly recommended for everyone who plans to be involved in software engineering during the professional career and of course also for those who are interested generally in information security. A follow-up module, Software and System Security 2, elaborates on some topics, but also introduces new ones. We recommend that you take both modules, but it is also possible to take only the first one as a standalone module.


The following topics are covered, in theory and practical application:

Secure Software Development Process
  • Introduction to software security
  • The secure development lifecycle
  • Fundamental security principles
  • Security requirements engineering and threat modeling
  • Security risk analysis
Security Testing
  • Web application security testing
  • Security testing tools: static code analysis and vulnerability scanners
Practical Secure Software Development
  • Typical security-relevant programming errors and how to exploit them (buffer overflows, input validation issues, race conditions,...)
  • Java security libraries for cryptographic operations and secure communication
  • Secure development of traditional (run mostly server-side and serve full HTML pages) and modern (Single Page Applications with REST APIs in the backend) web applications (authentication, access control, secure database access, input validation, session handling, JSON Web Tokens, prevention of vulnerabilities such as XSS and CSRF,...)
The theory part (lecture part) will be done through self-study, by means of pre-produced learning videos (screencasts). The videos contain integrated learning control questions so that you receive immediate feedback. The lab takes place on site, in classroom. In the lab exercises, you will work on practical problems related to the main topics of the lecture Also, as part of the lab, you will work on several hacking challenges from an attacker's perspective throughout the semester to continuously improve your penetration testing skills.

Teaching materials

  • Learning videos (screencasts) with learning control questions for the theory part (lecture part)
  • Slides used in the learning videos, including additional comments
  • Lab exercises including instructions
  • Hacking challenges including instructions

Supplementary literature

There's no single book that covers all topics discussed in the module. To learn more about specific topics, the following books are well suited:
  • Gary McGraw. Software Security: Building Security In. Addison-Wesley Longman, ISBN 978-0321356703 (focus on overall secure development process)
  • Neil Daswani, Christoph Kern and Anita Kesavan. Foundations of Security: What every Programmer needs to know. Apress, ISBN 978-1590597842 (focus on security design and secure coding)
  • Dafydd Stuttard and Marcus Pinto: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Wiley, ISBN 978-1118026472 (focus on web application penetration testing)
  • Brook S.E. Schoenfield. Securing Systems. CRC Press, ISBN 978-1482233971 (focus on security analysis and threat modeling)

Prerequisites

The module IT-Sicherheit (basic study) must have been taken.

Teaching language

( ) German (X) English

Part of International Profile

(X) Yes ( ) No

Module structure

Type 3a
  For more details please click on this link: T_CL_Modulauspraegungen_SM2025

Exams

Description Type Form Scope Grade Weighting
Graded assignments during teaching semester Graded lab exercises and hacking challenges Written and oral   Points that are added to the points achieved in the final exam 20%
End-of-semester exam Exam Written 90 minutes Final grade 80%

Remarks

 

Legal basis

The module description is part of the legal basis in addition to the general academic regulations. It is binding. During the first week of the semester a written and communicated supplement can specify the module description in more detail.

Note

Course: Software and System Security 1 - Praktikum
No.
t.BA.WV.SWS1-EN.19HS.P
Title
Software and System Security 1 - Praktikum

Note

  • No module description is available in the system for the cut-off date of 01 October 2022.
Course: Software and System Security 1 - Vorlesung
No.
t.BA.WV.SWS1-EN.19HS.V
Title
Software and System Security 1 - Vorlesung

Note

  • No module description is available in the system for the cut-off date of 01 October 2022.