
Security in Software Engineering

Code: CC4078     Acronym: CC4078     Level: 400

Keywords
Classification: Official
Keyword: Computer Science

Instance: 2021/2022 - 2S

Active? Yes
Responsible unit: Department of Computer Science
Course/CS Responsible: Master in Information Security

Cycles of Study/Courses

Acronym: M:SI
No. of Students: 29
Study Plan: Study plan since 2020/2021
Curricular Years: 1
Credits UCN: -
Credits ECTS: 6
Contact hours: 42
Total Time: 162

Last updated on 2021-08-31.

Fields changed: Eligibility for exams, Calculation formula of final grade

Teaching language

Suitable for English-speaking students

Objectives

The course provides an introduction to secure software engineering. Students learn how to make use of core principles, techniques, and tools for secure software engineering to prevent/detect/fix some of the most common classes of software security vulnerabilities. These skills are exercised through laboratory and project assignments.

Learning outcomes and competences

By the end of the course, students should be able to:

  1. Understand the software development cycle from the point of view of security, in terms of general principles and concrete processes in the various development stages.
  2. Apply, in practice, concrete methodologies and tools in the development of secure software in order to prevent, detect, or mitigate common security vulnerabilities.

Working method

In person

Program

Security & software engineering

  • Security goals.
  • Threat modeling and risk analysis.
  • Principles & pitfalls in secure software design.
  • Security touchpoints in the software development life-cycle.

 

Building security in -- techniques and tools for secure software development & validation, including:

  • Input validation.
  • Secure programming idioms.
  • Security-oriented code reviews using static program analysis.
  • Security-oriented program testing.

 

Handling of common security vulnerabilities, including:

  • Injection (commands, code, SQL, ...).
  • Buffer overflows.
  • Web application specific vulnerabilities (XSS, CSRF, ...).
  • Information flow & leakage.
  • Concurrency-related vulnerabilities.

Mandatory literature

John Viega and Gary McGraw; Building Secure Software: How to Avoid Security Problems the Right Way, Addison-Wesley, 2006. ISBN: 978-0201721522
William Stallings, Lawrie Brown; Computer Security: Principles and Practice, 4th Edition, Pearson, 2018. ISBN: 978-1292220611 (https://catalogo.up.pt/F/?func=direct&doc_number=000538196)

Complementary Bibliography

Miguel Pupo Correia and Paulo Jorge Sousa; Segurança no Software, 2nd edition, FCA, 2017. ISBN: 978-972-722-662-7
Michael Howard, David LeBlanc; Writing Secure Code, 2nd edition, Microsoft Press, 2004. ISBN: 978-0735617223
Brian Chess, Jacob West; Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis, Addison-Wesley, 2007. ISBN: 978-0321424778
Gary McGraw; Software Security: Building Security In, Addison-Wesley, 2006. ISBN: 9780321356703
Wenliang Du; Computer & Internet Security: A Hands-on Approach, Second Edition, 2019. ISBN: 978-1733003902

Teaching methods and learning activities

The classes will comprise the presentation and discussion of topics and the development of projects by the students. Slots will be reserved for the presentation of special topics explored by the students (having an article and presentation as output).

Evaluation Type

Distributed evaluation with final exam

Assessment Components

Designation: Weight (%)
Exam: 50,00
Practical or project work: 30,00
Laboratory work: 20,00
Total: 100,00

Amount of time allocated to each course unit

Designation: Time (hours)
Project development: 60,00
Class attendance: 42,00
Independent study: 60,00
Total: 162,00

Eligibility for exams

Delivery of all assignments and final exam.

Calculation formula of final grade

- Final Exam (50 % of the final grade)
- Project assignments (30 % of the final grade) 
- Laboratory assignments (20 % of the final grade)

To pass this course, a minimum of 40% in the final exam is required.

 

Classification improvement

- The grade obtained in the final exam can be improved in the supplementary phase.
Copyright 1996-2025 © Faculdade de Ciências da Universidade do Porto
Page created on: 2025-06-14 at 15:56:42