Module Overview

Secure Programming

This module will develop a mastery of the processes and models underpinning secure software development, and will help the student gain an insight into the inherent security drawbacks of various programming languages and architectures. The module will also investigate best practices in the adoption of secure coding practices.

Module Code

DFCS H3017

ECTS Credits

10

*Curricular information is subject to change

Introduction and Overview

Definition, Software Security Scenario, Secure Coding, Common Security Mistakes, Why Security Mistakes Are Made, Need for Secure Programming, Building Blocks of Software Security, Types of Security Vulnerabilities, Vulnerability Cycle, Types of Attacks, Hackers and Crackers or Attackers, Risk Assessment and Threat Modelling, Security Architecture, Security Principles, Secure Development Checklists

Secure Coding Vulnerabilities

Security overview and patching, Public vulnerability databases, Secure design, principles and process, Security assessment and testing, Shell and environment, Resource exhaustion, Trust management, Buffer Overflows, Format Strings, Input Validation, Serialisation and deserialisation, Accessibility and Extensibility, Effects of superclass on subclass, Mutable class, Mutable input, Mutable output, Wrapper methods, Constants, Exceptions, SecurityManager checks, methods and non-final classes, Char and Byte array vs. String, Threads, JVM.

Designing Secure Architecture

Introduction, Secure Architecture, Application Security, Factors Affecting Application Security, Software Engineering and System Development Life Cycle (SDLC), Different Phases of Software Development Life Cycle, Software Methodology Models, The Rules and Practices of Extreme Programming, Vulnerabilities and Other Security Issues in a Software Application like Security Through Obscurity, Buffer Overflows, Format String Vulnerabilities/Race Conditions, Locking Problems, Exception Handling.

Secure Java and JSP Programming

Introduction to Java, JVM, Java Security, Sandbox Model, Security Issues with Java, SQL Injection Attack, SQL Injection using UNION, Preventive Measures for SQL Injection, URL Tampering, Denial-of-Service (DoS) Attack on Applet, Sample Code for DoS Attack, DoS by Opening Untrusted Windows, Preventing DoS Attacks, Class File Format, Byte Code Attack, Reverse Engineering/Decompilation by Mocha, Obfuscation Tools: Jmangle, Byte Code Verifier, Class Loader, Building a SimpleClassLoader, Security Manager, jarsigner - JAR Signing and Verification Tool, Signing an Applet Using RSA-Signed Certificates, Signing Tools, Getting RSA Certificates, Bundling Java Applets as JAR Files, Signing Java Applets Using Jarsigner, Signing Java Applets Using Netscape Signing Tool, Security Extensions, Java Authentication and Authorization Service (JAAS), Java Cryptographic Extension (JCE), Java Cryptography Architecture, JCE: Pseudo Code for Encryption, JCE: Pseudo Code for Decryption, Sample Code for Encryption and Decryption, Java(TM) Secure Socket Extension (JSSE), Creating Secure Client Sockets, Creating Secure Server Sockets, Choosing the Cipher Suites, Java GSS Security, Code for GSS Server, Code for GSS Client, Problem of Untrusted User Input, Security From Untrusted User Input, Permissions in Java, How to create new types of permissions?, Security Policy, Specifying an additional Policy File at runtime, Policy Tool, Policy Tool: Creating a new Policy File, Best practices for developing secure Java Code

Secure Network Programming

Client Server Model, Basic Web Concepts, Benefits of Secure Network Programming, Network Interface, How to Secure Sockets, Server Program, Client Program, Ports, UDP Datagram and Sockets, Internet Address, How to connect to secure websites, URL Decoder, Reading Directly from a URL, Content Handler, Cookie Policy, RMI Connector, .NET: Internet Authentication, Network Programming Best Practices, Wireless, xSEC & IPv6.

Module Content & Assessment
Assessment Breakdown %
Other Assessment(s) 100