Difference between revisions of "IU:TestPage"

Tag: Manual revert
Line 1: Line 1:
   
= IT COURSE =
+
= Secure development =
* '''Course name''': IT COURSE
+
* '''Course name''': Secure development
* '''Code discipline''': CSE807
+
* '''Code discipline''': XXX
* '''Subject area''': Software Engineering
+
* '''Subject area''': Security and Networks
   
 
== Short Description ==
 
== Short Description ==
  +
This course has two parts: 1) building and launching a user-facing software product with the special emphasis on understanding user needs and 2) the application of data-driven product development techniques to iteratively improve the product. Students will learn how to transform an idea into software requirements through user research, prototyping and usability tests, then they will proceed to launch the MVP version of the product. In the second part of the course, the students will apply an iterative data-driven approach to developing a product, integrate event analytics, and run controlled experiments.
 
   
 
== Prerequisites ==
 
== Prerequisites ==
   
 
=== Prerequisite subjects ===
 
=== Prerequisite subjects ===
* CSE101
+
* CSE101: Introduction to Programming
  +
* CSE112: Software Systems Analysis and Design
* CSE112
 
* CSE122 or CSE804 or CSE809 or CSE812
+
* CSE105 or CSE128 or CSE130
   
 
=== Prerequisite topics ===
 
=== Prerequisite topics ===
* Basic programming skills.
+
* Basic programming skills, C/C++ is recommended
* OOP, and software design.
+
* Software design or software architecture
  +
* Basics of compilers
* Familiarity with some development framework or technology (web or mobile)
 
  +
* Basics of computer architecture (Intel or ARM is preferrable)
   
 
== Course Topics ==
 
== Course Topics ==
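Review bot: The `== Short Description ==` section ends up empty in this hunk: the old product-development paragraph is removed and only a blank line is added, so the new course has no description; add a short description of the secure development course. In the header list, `Code discipline` is set to the placeholder `XXX` and should carry the real code, and "preferrable" in the computer architecture prerequisite should read "preferable".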
Line 26: Line 27:
 
! Section !! Topics within the section
 
! Section !! Topics within the section
 
|-
 
|-
| From idea to MVP ||
+
| Basics of security ||
  +
# Security and safety. Security and code quality. Maintainability and security. Why it is so hard to develop a secure system and what approaches may be applied? When it makes sense to drive system secure?
# Introduction to Product Development
 
# Exploring the domain: User Research and Customer Conversations
 
# Documenting Requirements: MVP and App Features
 
# Prototyping and usability testing
 
 
|-
 
|-
| Development and Launch ||
+
| Security architecture ||
  +
# NIST recommendations
# Product backlog and iterative development
 
  +
# Security principles
# Estimation Techniques, Acceptance Criteria, and Definition of Done
 
  +
# Theoretical security: access matrix and security models
# UX/UI Design
 
  +
# Secure by design
# Software Engineering vs Product Management
 
 
|-
 
|-
  +
| Secure coding<br> ||
| Hypothesis-driven development ||
 
  +
# Security on the code level
# Hypothesis-driven product development
 
  +
# SDL
# Measuring a product
 
  +
# Main binary vulnerabilities and their mitigations
# Controlled Experiments and A/B testing
 
  +
|-
  +
| Secure operating ||
  +
# Security monitoring
  +
# DevSecOps
  +
# Dealing with 3rd parties
  +
|-
  +
| Security assurance ||
  +
# Pen testing
  +
# Fuzzing
  +
# Bug Bounty programs
  +
|-
  +
| Linux security ||
  +
# Keep it all together and see how Linux kernel deals with that.
  +
# SELinux
  +
# GrSec patches
  +
# Why Linux is not safety system
 
|}
 
|}
 
== Intended Learning Outcomes (ILOs) ==
 
== Intended Learning Outcomes (ILOs) ==
   
 
=== What is the main purpose of this course? ===
 
=== What is the main purpose of this course? ===
The main purpose of this course is to enable a student to go from an idea to an MVP with the focus on delivering value to the customer and building the product in a data-driven evidence-based manner.
+
The main purpose of this course is to give students a security vision from up to down, because the security principle of weakest link insist that the weakest part of the process/system would be the one to be attacked.
   
 
=== ILOs defined at three levels ===
 
=== ILOs defined at three levels ===
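Review bot: In the Course Topics table, the `Basics of security` row packs several topics and two questions into a single numbered item, while every other section lists one topic per item; split it so the numbering is consistent. "When it makes sense to drive system secure?" and "Why Linux is not safety system" need rewording, and in the main-purpose sentence "from up to down" and "insist" should read "top-down" and "insists".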
Line 52: Line 66:
 
==== Level 1: What concepts should a student know/remember/explain? ====
 
==== Level 1: What concepts should a student know/remember/explain? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Reason about the limitation of different security policies
* Describe the formula for stating a product idea and the importance of delivering value
 
* Remember the definition and main attributes of MVP
+
* Remember main security principles
  +
* List SDL stages
* Explain what are the main principles for building an effective customer conversation
 
* Describe various classification of prototypes and where each one is applied
+
* Describe the difference between security and safety
  +
* Explain basic binary vulnerabilities
* State the characteristics of a DEEP product backlog
 
  +
* Specify the required security assurance
* Elaborate on the main principles of an effective UI/UX product design (hierarchy, navigation, color, discoverability, understandability)
 
  +
* Describe the key elements of SOC systems
* List the key commonalities and differences between the mentality of a software engineer and a product manager
 
* Explain what is hypothesis-driven development
+
* Explain why fuzzing is not the same as unit or integration testing
* Describe the important aspects and elements of a controlled experiment
 
   
 
==== Level 2: What basic practical skills should a student be able to perform? ====
 
==== Level 2: What basic practical skills should a student be able to perform? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Read CVEs and understand its impact instead of trusting other experts
* Formulate and assess the product ideas
 
* Perform market research for existing products
+
* Perform Threat Modeling
  +
* Review code to find insecure patterns
* Design effective customer conversations
 
  +
* Deal with open source code securely
* Prototype UI, design and conduct usability tests
 
  +
* Explain the value of bug bounty programme and find the right moment to start it
* Prototype user interface
 
* Design and conduct usability testing
 
* Populate and groom a product backlog
 
* Conduct Sprint Planning and Review
 
* Choose product metrics and apply GQM
 
* Integrate a third-party Analytics tools
 
* Design, run and conclude Controlled experiments
 
   
 
==== Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios? ====
 
==== Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios? ====
 
By the end of the course, the students should be able to ...
 
By the end of the course, the students should be able to ...
  +
* Reason about security and safety of the system
* Conduct user and domain research to identify user needs and possible solutions
 
  +
* Suggest hardenings and architecture drifts to achieve required level of s&s
* Elicit and document software requirements
 
  +
* Propose process improvement in a cost-effective manner that would drastically improve the security and safety level.
* Organize a software process to swiftly launch an MVP and keep improving it in an iterative manner.
 
* Build a data pipeline to monitor metrics based on business goals and assess product progress in regards to design changes.
 
* Evolve and improve a product in a data-driven evidence-based iterative manner
 
 
== Grading ==
 
== Grading ==
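Review bot: In the Level 3 outcomes, "s&s" is never expanded and "architecture drifts" is unclear; write "security and safety" in full and say "architecture changes" if that is what is meant. In Level 2, "Read CVEs and understand its impact" has a number mismatch and should read "their impact", and in Level 1 "the limitation of different security policies" should be "the limitations".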
   
Line 91: Line 96:
 
! Grade !! Range !! Description of performance
 
! Grade !! Range !! Description of performance
 
|-
 
|-
| A. Excellent || 90-100 || -
+
| A. Excellent || 80-100 || -
 
|-
 
|-
| B. Good || 75-89 || -
+
| B. Good || 60-79 || -
 
|-
 
|-
| C. Satisfactory || 60-74 || -
+
| C. Satisfactory || 40-59 || -
 
|-
 
|-
| D. Fail || 0-59 || -
+
| D. Fail || 0-39 || -
 
|}
 
|}
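Review bot: The `Description of performance` column is still `-` for all four grades even though this hunk moves every boundary (`A. Excellent` from 90 to 80, `D. Fail` from 0-59 to 0-39); fill it in so students can see what each band requires.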
   
Line 106: Line 111:
 
! Activity Type !! Percentage of the overall course grade
 
! Activity Type !! Percentage of the overall course grade
 
|-
 
|-
| Assignment || 50
+
| Assignment/Labs || 70
 
|-
 
|-
| Quizzes || 15
+
| Final quiz || 30
|-
 
| Peer review || 15
 
|-
 
| Demo day || 20
 
 
|}
 
|}
   
 
=== Recommendations for students on how to succeed in the course ===
 
=== Recommendations for students on how to succeed in the course ===
Participation is important. Showing up is the key to success in this course.<br>You will work in teams, so coordinating teamwork will be an important factor for success. This is also reflected in the peer review being a graded item.<br>Review lecture materials before classes to do well in quizzes.<br>Reading the recommended literature is optional, and will give you a deeper understanding of the material.
+
Participation is important. Showing up is the key to success in this course.<br>If you don’t have a corresponding technical background, please do not hesitate to ask lecturer. If you feel that the gap is deep, request for extra reading.<br>Reading the recommended literature is optional, and will give you a deeper understanding of the material.
   
 
== Resources, literature and reference materials ==
 
== Resources, literature and reference materials ==
   
 
=== Open access resources ===
 
=== Open access resources ===
  +
* Owasp.com
* Jackson, Michael. "The world and the machine." ICSE '95: Proceedings of the 17th international conference on Software engineeringApril 1995 Pages 283–292,
 
  +
* MITRE SOC Operations https://www.mitre.org/sites/default/files/publications/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
* The Guide to Product Metrics:
 
  +
* MISRA, AUTOSAR, SEI CERT
  +
* https://www.microsoft.com/en-us/securityengineering/sdl
  +
* Managing Security Risks Inherent in the Use of Third-Party Components
   
 
=== Closed access resources ===
 
=== Closed access resources ===
  +
* Matt Bishop, (2018) “Computer Security: Art and Science”
* Fitzpatrick, R. (2013). The Mom Test: How to talk to customers & learn if your business is a good idea when everyone is lying to you. Robfitz Ltd.
 
  +
* D Deougun, DB Jonhsson, D Sawano (2019) “Secure by design”
* Reis, E. (2011). The lean startup. New York: Crown Business, 27.
 
  +
* D LeBlanc, Michael Howard (2002) “Writing secure code”
* Rubin, K. S. (2012). Essential Scrum: A practical guide to the most popular Agile process. Addison-Wesley.
 
  +
* ISO26262
   
 
=== Software and tools used within the course ===
 
=== Software and tools used within the course ===
  +
* Some static analyser
* Firebase Analytics and A/B Testing, https://firebase.google.com/
 
  +
* AFL
* Amplitude Product Analytics, https://www.amplitude.com/
 
  +
* snyk.io
* MixPanel Product Analytics, https://mixpanel.com/
 
 
= Teaching Methodology: Methods, techniques, & activities =
 
= Teaching Methodology: Methods, techniques, & activities =
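Review bot: Under Open access resources, `Owasp.com` should be `https://owasp.org`, the OWASP Foundation's site, and "Managing Security Risks Inherent in the Use of Third-Party Components" and "MISRA, AUTOSAR, SEI CERT" carry no publisher or link, unlike the MITRE and Microsoft SDL entries. In Closed access resources the "Secure by design" author names are misspelled (Deogun, Johnsson), and "Some static analyser" under tools should name the analyser the labs actually use.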
   
Line 139: Line 144:
 
|+ Teaching and Learning Methods within each section
 
|+ Teaching and Learning Methods within each section
 
|-
 
|-
! Teaching Techniques !! Section 1 !! Section 2 !! Section 3
+
! Teaching Techniques !! Section 1 !! Section 2 !! Section 3 !! Section 4 !! Section 5 !! Section 6
 
|-
 
|-
| Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) || 1 || 1 || 1
+
| Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Project-based learning (students work on a project) || 1 || 1 || 1
+
| Modular learning (facilitated self-study) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Differentiated learning (provide tasks and activities at several levels of difficulty to fit students needs and level) || 1 || 1 || 1
+
| Differentiated learning (provide tasks and activities at several levels of difficulty to fit students needs and level) || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
  +
| Contextual learning (activities and tasks are connected to the real world to make it easier for students to relate to them); || 1 || 1 || 1 || 1 || 1 || 1
| развивающего обучения (задания и материал "прокачивают" ещё нераскрытые возможности студентов); || 1 || 1 || 1
 
 
|-
 
|-
  +
| Business game (learn by playing a game that incorporates the principles of the material covered within the course). || 1 || 1 || 1 || 1 || 1 || 1
| концентрированного обучения (занятия по одной большой теме логически объединяются); || 1 || 1 || 1
 
|-
 
| inquiry-based learning || 1 || 1 || 1
 
 
|}
 
|}
 
{| class="wikitable"
 
{| class="wikitable"
 
|+ Activities within each section
 
|+ Activities within each section
 
|-
 
|-
! Learning Activities !! Section 1 !! Section 2 !! Section 3
+
! Learning Activities !! Section 1 !! Section 2 !! Section 3 !! Section 4 !! Section 5 !! Section 6
|-
 
| Lectures || 1 || 1 || 1
 
|-
 
| Interactive Lectures || 1 || 1 || 1
 
|-
 
| Lab exercises || 1 || 1 || 1
 
|-
 
| Development of individual parts of software product code || 1 || 1 || 1
 
|-
 
| Group projects || 1 || 1 || 1
 
|-
 
| Quizzes (written or computer based) || 1 || 1 || 1
 
|-
 
| Peer Review || 1 || 1 || 1
 
|-
 
| Discussions || 1 || 1 || 1
 
|-
 
| Presentations by students || 1 || 1 || 1
 
 
|-
 
|-
| Written reports || 1 || 1 || 1
+
| Lectures || 1 || 1 || 1 || 1 || 1 || 1
 
|-
 
|-
| Experiments || 0 || 0 || 1
+
| Lab exercises || 1 || 1 || 1 || 1 || 1 || 1
 
|}
 
|}
 
== Formative Assessment and Course Activities ==
 
== Formative Assessment and Course Activities ==
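Review bot: The Teaching Techniques table marks "Business game" with 1 for all six sections, but the Learning Activities table is cut down to "Lectures" and "Lab exercises" only, so no listed activity supports a game; either add the activity or drop the row. The new "Contextual learning" and "Business game" labels also end in a stray ";" and ".", and "students needs" in the Differentiated learning row should be "students' needs".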
Line 190: Line 175:
 
! Activity Type !! Content !! Is Graded?
 
! Activity Type !! Content !! Is Graded?
 
|-
 
|-
  +
| Individual Assignments || A2: Product Ideation and Market Research<br>Find all weakness in the code snippet. Suggest how to fix them in a secure way. What is your recommendation for the code author? || 1
| Quiz || 1. What is a product? What are the techniques for describing a product idea in a clear concise manner?<br>2. What user research techniques do you know? In what situations are they applied?<br>3. What are the key customer conversation principles according to the Mom Test technique? Bring an example of bad and good questions to ask.<br>4. What are the 4 phases of the requirements engineering process? <br>5. How do we document requirements? What techniques do you know? || 1
 
|-
 
| Presentation || Prepare a short 2-minutes pitch for your project idea (2-5 slides). <br><br>Suggested structure:<br>What problem you are solving:<br>- State the problem clearly in 2-3 short sentences.<br><br>Who are you solving it for:<br>- Who is your user/customer?<br>- Why will they be attracted to it?<br><br>What is your proposed solution to solve that problem:<br>- One sentence description<br>- What main feature(s) will it have? || 0
 
|-
 
| Individual Assignments || A1: Product Ideation and Market Research<br>Formulate 3 project ideas in the following format:<br>X helps Y to do Z – where X is your product’s name, Y is the target user, and Z is what user activity product help with.<br><br>Submit Link to Screenshot board and Feature Analysis Table:<br>- Pick and explore 5 apps similar to your idea<br>- Take screenshots along the way and collect them on a board.<br>- Make a qualitative analysis table for app features.<br><br>Prepare a short 2-minutes pitch for your project idea (2-5 slides). <br><br>Suggested structure:<br>What problem you are solving:<br>- State the problem clearly in 2-3 short sentences.<br><br>Who are you solving it for:<br>- Who is your user/customer?<br>- Why will they be attracted to it?<br><br>What is your proposed solution to solve that problem:<br>- One sentence description<br>- What main feature(s) will it have? || 1
 
|-
 
| Group Project Work || A2: Forming Teams and Identifying Stakeholders<br>Students are distributed into teams. <br>Meet your team <br>Discuss the idea<br>Agree on the roles<br>Setup task tracker (Trello or similar)<br>Identify 3-5 stakeholders and how to approach them<br>Compose a set of 5 most important questions you would ask from each stakeholder when interviewing them<br><br>Submit<br>A pdf with the idea description, roles distribution among the team, identified stakeholders, ways to approach them, a set of questions for each stakeholder.<br>An invite link to join your task tracker<br><br>A3: Domain Exploration and Requirements<br>User Research Process:<br>Compose the questionnaire for each stakeholder type. <br>Talk to 5-7 stakeholders.<br>Keep updating the questionnaire throughout the process<br>Compose an interview results table<br>Produce personas<br>Summarize most important learning points<br>Describe features your MVP will have (use case diagram + user story mapping)<br><br>Submit a pdf report with:<br>Personas + corresponding questionnaires<br>Interview results table (can provide a link to spreadsheet, make sure to open access)<br>Learning points summary<br>MVP features.<br><br>Optional: <br>Start implementation of the functionality you are certain about.<br><br>Assignment 4. UI design, Prototyping, MVP, and Usability Testing<br>Break down MVP features into phases and cut down the specification to implement MVP V1<br>Produce low and high fidelity designs for your product.<br>Review the phases breakdown.<br>Follow either the Prototyping or MVP path to complete the assignment.<br><br>Prototyping path:<br>Make a clickable prototype with Figma or a similar tool<br>Make 5-10 offline stakeholders use your prototype, observe them and gather feedback<br>Embed your prototype into an online usability testing tool (e.g. 
Maze).<br>Run an online usability test with 5-10 online stakeholders.<br>Summarize key learning points<br><br>MVP path:<br>Review your MVP phases.<br>Build MVP V1 <br>Make 5-10 offline stakeholders use your MVP, observe them and gather feedback<br>Integrate an online usability testing tool to observe user sessions (e.g. Smartlook).<br>Distribute the MVP to 5-10 online stakeholders and run an online usability test.<br>Summarize key learning points<br><br><br>Submit all of the below in one PDF:<br>Link to sketches and designs.<br>Link to your MVP/Clickable prototype.<br>Link to online usability test.<br>Names of people you conducted the tests with and which stakeholder type are they.<br>Key learning points summary.<br><br>Make sure all links are accessible/viewable. || 1
 
 
|}
 
|}
 
==== Section 2 ====
 
==== Section 2 ====
  +
{| class="wikitable"
 
|+
 
|-
 
! Activity Type !! Content !! Is Graded?
 
|-
 
| Quiz || 1. What does the acronym MVP stand for? What types of MVP do you know of?<br>2. Define roles, activities, and artefacts of Scrum. What differentiates Scrum from other Agile frameworks, e.g. Kanban?<br>3. What does DEEP criteria stand for when discussing Product Backlog? Explain each of the aspects with examples.<br>4. Describe how Scrum activities are performed. Which of them are essential and which of them can vary depending on the product. || 1
 
|-
 
| Presentation || Prepare a 5-mins presentation describing your: <br>product backlog<br>sprint results<br>MVP-launch plan<br>Each team will present at the class. The assessment will be based on the presentation delivery, reasoning for decision making and asking questions and providing suggestions for other teams. || 0
 
|-
 
| Group Project Work || Assignment 5. Launching an MVP<br>1. Populate and groom product backlog: <br>Comply with the DEEP criteria. <br>2. Run two one-week sprints:<br>Conduct two Sprint plannings, i.e. pick the tasks for Sprint Backlog.<br>Conduct two Sprint reviews<br>Run one Sprint Retrospective<br>3. Make a launch plan and release:<br>You need to launch in the following two weeks.<br>Decide what functionality will go into the release.<br>Release your first version in Google Play.<br>Hint: Focus on a small set of features solving a specific problem for a specific user, i.e. MVP.<br>4. Prepare a 5-mins presentation describing your: <br>product backlog<br>sprint results<br>MVP-launch plan.<br>Demo for your launched MVP.<br>Each team will present at the class. The assessment will be based on the presentation delivery, reasoning for decision making and asking questions and providing suggestions for other teams.<br>5. Submit a PDF with:<br>Backlogs and Launch plan<br>Link to the launched product<br>Assignment 6. AC, DoD and Midterm Presentation<br>1. Produce acceptance criteria for 3-5 most important user stories in your product.<br>2. Produce definition of done checklist<br>3. Estimate the items in your product backlog<br>4. Prepare a midterm presentation for 10-mins in which you cover:<br>The problem you are trying to solve<br>Your users and customers (personas)<br>Your solution and it's core value proposition<br>Current state of your product<br>Clear plan for the upcoming weeks<br>Your team and distribution of responsibilities<br>Demo<br>Retrospective and learning points<br>Link to your app<br><br>Submit a pdf with:<br>Items 1, 2, 3<br>link to the presentation<br> || 1
 
|}
 
 
==== Section 3 ====
 
==== Section 3 ====
  +
{| class="wikitable"
 
  +
==== Section 4 ====
|+
 
  +
|-
 
  +
==== Section 5 ====
! Activity Type !! Content !! Is Graded?
 
  +
|-
 
  +
==== Section 6 ====
| Quiz || 1. What are common product hypotheses present? How can we formulate them as questions about our UX?<br>2. Explain what is hypothesis-driven development<br>3. Describe the important aspects and elements of a controlled experiment || 1
 
  +
|-
 
| Presentation || Prepare a short 2-minutes pitch for your project idea (2-5 slides). <br><br>Suggested structure:<br>What problem you are solving:<br>- State the problem clearly in 2-3 short sentences.<br><br>Who are you solving it for:<br>- Who is your user/customer?<br>- Why will they be attracted to it?<br><br>What is your proposed solution to solve that problem:<br>- One sentence description<br>- What main feature(s) will it have? || 0
 
|-
 
| Group project work || Assignment 7: Development, Observation, and Product Events.<br>1. Continue with your development process:<br>- Hold sprint planning and reviews.<br>- Revisit estimations and keep track for velocity calculation.<br>- Host demos and release new versions to your users<br><br>2. Observing users:<br>- Integrate a user sessions recording tool into your product<br>- As a team: watch 100 user sessions and outline common user behavior patterns.<br>- Each team member: give product to 3 new people and observe them use it.<br><br>3. Product events:<br>Create a product events table.<br>Integrate a free analytics tool that supports events reporting (e.g. Amplitude, MixPanel).<br><br>Write and submit a report:<br>- describe user behavior patterns (main ways how people use your product).<br>- learning points from the observations<br>- add the events table.<br>- describe which analytics tool you chose and why<br><br>Assignment 8: GQM, Metrics, and Hypothesis-testing.<br>1. GQM and Metrics Dashboard<br>- Compose a GQM for your product.<br>- Identify your focus and L1 metrics<br>- Setup an Analytics Dashboard with the metrics you chose.<br>- Add the instructors to your Analytics Dashboard.<br><br>Hypothesis-testing:<br>- answer clarity and hypotheses: do users understand your product, is it easy for them to get started, and do they return?<br>- suggest product improvements to increase clarity, ease of starting and retention.<br>- based on the suggestions formulate 3 falsifiable hypotheses<br>- design a simple test to check each of them<br>- pick one test that could be conducted by observing your users<br>- conduct the test<br><br>Submit:<br>- GQM, Focus and L1 Metrics breakdown.<br>- Report on the hypothesis-testing activities<br>- Access link to the dashboard.<br>Assignment 9: Running an A/B test<br>Compose an A/B test:<br>- Design a change in your product<br>- Hypothesis: Clearly state what you expect to improve as the result of the change.<br>- Parameter 
and Variants: Describe both A and B variants (and other if you have more).<br>- Intended sample size.<br>- OEC: Determine the target metric to run the experiment against.<br><br>Then do one of the two options:<br>Option 1: Conduct the A/B test using a remote control and A/B testing tool (Firebase, Optimizely or like)<br><br>Option 2: Do the statistical math yourself<br>Conduct an A/B test and collect data.<br>Do the math manually using the standard Student T-test.<br><br>Submit a PDF with:<br>- the A/B test description <br>- report on how the experiment went.<br>- either screenshots from the tool or math calculations. || 1
 
|}
 
 
=== Final assessment ===
 
=== Final assessment ===
 
'''Section 1'''
 
'''Section 1'''
  +
# Grading criteria for the final project presentation:
 
# Problem: short clear statement on what you are solving, and why it’s important.
 
# User: should be a specific user, can start from generic and then show how you narrowed it.
 
# Solution: how do you target the problem, what were the initial assumptions/hypotheses
 
# Elicitation process: interviews, how many people, what questions you asked, what you learnt.
 
 
'''Section 2'''
 
'''Section 2'''
  +
# Arriving at MVP: how you chose features, describe prototyping and learning from it, when did you launch, and how it went.
 
# Team and development process: how it evolved, what were the challenges, what fixes you made to keep progressing.
 
# Product demo: make it clear what your current product progress is.
 
 
'''Section 3'''
 
'''Section 3'''
  +
# Hypothesis-driven development: how did you verify value and understandability of your product, what were the main hypotheses you had to check through MVP.
 
  +
'''Section 4'''
# Measuring product: what metrics you chose, why, what funnels did you set for yourself, and what was the baseline for your MVP.
 
  +
# Experimentation: What usability tests and experiments you conducted, what did you learn, how did it affect your funnels and metrics.
 
  +
'''Section 5'''
  +
  +
'''Section 6'''
  +
   
 
=== The retake exam ===
 
=== The retake exam ===
 
'''Section 1'''
 
'''Section 1'''
  +
# .3 The retake exam.
 
# For the retake, students have to implement a product and follow the guidelines of the course. The complexity of the product can be reduced, if it is one person working on it. The grading criteria for each section are the same as for the final project presentation. There has to be a meeting before the retake itself to plan and agree on the product ideas, and to answer questions.
 
 
'''Section 2'''
 
'''Section 2'''
   
 
'''Section 3'''
 
'''Section 3'''
  +
  +
'''Section 4'''
  +
  +
'''Section 5'''
  +
  +
'''Section 6'''
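Review bot: The Section 1 individual assignment keeps the old course's title "A2: Product Ideation and Market Research" in front of the new code-review task ("Find all weakness in the code snippet ..."); rename it to match the task and change "weakness" to "weaknesses". The `==== Section 4 ====` to `==== Section 6 ====` headings are added where the old Section 3 table rows were, and Sections 2 to 6 of the ongoing assessment, the Final assessment and The retake exam are left as bare headings, so the graded labs and the final quiz from the grading breakdown are not described anywhere.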

Revision as of 12:06, 12 September 2022

Secure development

  • Course name: Secure development
  • Code discipline: XXX
  • Subject area: Security and Networks

Short Description

Prerequisites

Prerequisite subjects

  • CSE101: Introduction to Programming
  • CSE112: Software Systems Analysis and Design
  • CSE105 or CSE128 or CSE130

Prerequisite topics

  • Basic programming skills, C/C++ is recommended
  • Software design or software architecture
  • Basics of compilers
  • Basics of computer architecture (Intel or ARM is preferable)

Course Topics

Course Sections and Topics
Section Topics within the section
Basics of security
  1. Security and safety. Security and code quality. Maintainability and security. Why is it so hard to develop a secure system, and what approaches may be applied? When does it make sense to make a system secure?
Security architecture
  1. NIST recommendations
  2. Security principles
  3. Theoretical security: access matrix and security models
  4. Secure by design
Secure coding
  1. Security on the code level
  2. SDL
  3. Main binary vulnerabilities and their mitigations
Secure operating
  1. Security monitoring
  2. DevSecOps
  3. Dealing with 3rd parties
Security assurance
  1. Pen testing
  2. Fuzzing
  3. Bug Bounty programs
Linux security
  1. Put it all together and see how the Linux kernel deals with that.
  2. SELinux
  3. GrSec patches
  4. Why Linux is not a safety system

Intended Learning Outcomes (ILOs)

What is the main purpose of this course?

The main purpose of this course is to give students a top-down view of security, because the weakest-link principle of security holds that the weakest part of the process/system will be the one that is attacked.

ILOs defined at three levels

Level 1: What concepts should a student know/remember/explain?

By the end of the course, the students should be able to ...

  • Reason about the limitations of different security policies
  • Remember main security principles
  • List SDL stages
  • Describe the difference between security and safety
  • Explain basic binary vulnerabilities
  • Specify the required security assurance
  • Describe the key elements of SOC systems
  • Explain why fuzzing is not the same as unit or integration testing

Level 2: What basic practical skills should a student be able to perform?

By the end of the course, the students should be able to ...

  • Read CVEs and understand their impact instead of trusting other experts
  • Perform Threat Modeling
  • Review code to find insecure patterns
  • Deal with open source code securely
  • Explain the value of a bug bounty programme and find the right moment to start it

Level 3: What complex comprehensive skills should a student be able to apply in real-life scenarios?

By the end of the course, the students should be able to ...

  • Reason about security and safety of the system
  • Suggest hardening measures and architecture changes to achieve the required level of security and safety
  • Propose process improvement in a cost-effective manner that would drastically improve the security and safety level.

Grading

Course grading range

Grade | Range | Description of performance
A. Excellent | 80-100 | -
B. Good | 60-79 | -
C. Satisfactory | 40-59 | -
D. Fail | 0-39 | -

Course activities and grading breakdown

Activity Type | Percentage of the overall course grade
Assignment/Labs | 70
Final quiz | 30

Recommendations for students on how to succeed in the course

Participation is important. Showing up is the key to success in this course.
If you don’t have the relevant technical background, please do not hesitate to ask the lecturer. If you feel that the gap is deep, ask for extra reading.
Reading the recommended literature is optional, and will give you a deeper understanding of the material.

Resources, literature and reference materials

Open access resources

Closed access resources

  • Matt Bishop, (2018) “Computer Security: Art and Science”
  • D Deogun, DB Johnsson, D Sawano (2019) “Secure by Design”
  • D LeBlanc, Michael Howard (2002) “Writing Secure Code”
  • ISO 26262

Software and tools used within the course

  • Some static analyser
  • AFL
  • snyk.io

Teaching Methodology: Methods, techniques, & activities

Activities and Teaching Methods

Teaching and Learning Methods within each section
Teaching Techniques | Section 1 | Section 2 | Section 3 | Section 4 | Section 5 | Section 6
Problem-based learning (students learn by solving open-ended problems without a strictly-defined solution) | 1 | 1 | 1 | 1 | 1 | 1
Modular learning (facilitated self-study) | 1 | 1 | 1 | 1 | 1 | 1
Differentiated learning (provide tasks and activities at several levels of difficulty to fit students' needs and level) | 1 | 1 | 1 | 1 | 1 | 1
Contextual learning (activities and tasks are connected to the real world to make it easier for students to relate to them) | 1 | 1 | 1 | 1 | 1 | 1
Business game (learn by playing a game that incorporates the principles of the material covered within the course) | 1 | 1 | 1 | 1 | 1 | 1
Activities within each section
Learning Activities | Section 1 | Section 2 | Section 3 | Section 4 | Section 5 | Section 6
Lectures | 1 | 1 | 1 | 1 | 1 | 1
Lab exercises | 1 | 1 | 1 | 1 | 1 | 1

Formative Assessment and Course Activities

Ongoing performance assessment

Section 1

Activity Type | Content | Is Graded?
Individual Assignments | A2: Product Ideation and Market Research. Find all weaknesses in the code snippet. Suggest how to fix them in a secure way. What is your recommendation for the code author? | 1

Section 2

Section 3

Section 4

Section 5

Section 6

Final assessment

Section 1

Section 2

Section 3

Section 4

Section 5

Section 6


The retake exam

Section 1

Section 2

Section 3

Section 4

Section 5

Section 6