Difference between revisions of "BSc: Secure System Development"

From IU
Jump to navigation Jump to search
(Created page with "= Secure Systems Development = * <span>'''Course name:'''</span> Secure Systems Development * <span>'''Course number:'''</span> xyz == Course Characteristics == === Key con...")
 
(No difference)

Revision as of 10:00, 20 April 2022

Secure Systems Development

  • Course name: Secure Systems Development
  • Course number: xyz

Course Characteristics

Key concepts of the class

  • Identification of security risk, system requirements, and processes
  • Design and development of secure systems
  • Principles of secure programming
  • Secure software development
  • Security assurance and evaluation
  • Vulnerability and system security analysis

What is the purpose of this course?

After the fundamentals of computer security are taught to the students, it is essential for cybersecurity students to understand the principles of secure systems development. In a broader term, secure systems development include security aspects in software development, secure programming, threat intelligence, security requirements, risks, and vulnerability analysis. Therefore, this course is aimed at equipping the students with required skills to design and develop secure systems and exercise secure programming practices during development. In essence, this course is at the crossroads of the software engineering and cybersecurity and complements both the fields.

Course objectives based on Bloom’s taxonomy

- What should a student remember at the end of the course?

By the end of the course, the students should be able to remember the followings:

  • How to identify security risk
  • How to exercise secure design and coding
  • Understand and demonstrate the steps involved in secure software development
  • Perform vulnerability analysis
  • Manage and implement security assurance

- What should a student be able to understand at the end of the course?

By the end of the course, the students should be able to understand the design and basic principles of secure systems development. Furthermore, the student will be able to:

  • Understand how to identify security risk
  • Demonstrate how to exercise secure design and coding
  • Understand and demonstrate the steps involved in secure software development
  • Perform vulnerability analysis
  • Manage and implement security assurance
  • Identify the research and development challenges for a security project and propose/develop relevant solutions
  • Use existing frameworks for analysing network traffic, identifying adversaries, and deploy attacks
  • Include security, cryptography and access control elements in mobile and web-based applications

- What should a student be able to apply at the end of the course?

By the end of the course, the students should be able to develop, manage and implement different secure system development techniques that will include:

  • Secure software development life-cycle
  • Secure coding
  • Security and vulnerability analysis and testing
  • Risk assessment and management
  • Assess the existing products for security and risk
  • Develop and design secure systems including software

Course evaluation

Course grade breakdown
Proposed points
Labs/seminar classes 20 35
Interim performance assessment 30 35
Exams 50 30

Grades range

Course grading range
Proposed range
A. Excellent 90-100 90-100
B. Good 75-89 75-89
C. Satisfactory 60-74 60-74
D. Poor 0-59 0-59

Resources and reference material

Since the course is multi-dimensional, therefore, there is no single source that will cover all the topics. For reference, the following sources (and their updated versions) might be considered.

  • Bishop, M. (2018). Computer Security: Art and Science. Addison-Wesley Professional
  • Secure Coding in C and C++, Robert C. Seacord, Addition-wesley
  • Software Security - Building Security In, Gary McGraw, Addition-Wesley Software Security Series
  • Secure Systems Development with UML – Jan Jurjens

Course Sections

The main sections of the course and approximate hour distribution between them is as follows:

Course Sections
Section Section Title Teaching Hours
1 Security assessment and Vulnerability analysis 16
2 Software Security and secure coding 16
3 Secure software development techniques and frameworks 16
4 Best practices in secure systems development 16

Section 1

Section title:

Security assessment and Vulnerability analysis

Topics covered in this section:

  • Security requirements and rationale
  • Security assessment
  • Penetration testing
  • Vulnerability analysis
  • Tools and methods

What forms of evaluation were used to test students’ performance in this section?

|a|c| & Yes/No
Development of individual parts of software product code & 1
Homework and group projects & 1
Midterm evaluation & 1
Testing (written or computer based) & 1
Reports & 0
Essays & 0
Oral polls & 0
Discussions & 1


Typical questions for ongoing performance evaluation within this section

  1. How to perform security assessment and which method is used in a particular environment?
  2. Why security assessment is essential?
  3. What is the role of penetration testing in security assessment and what methods are currently used in the industry?
  4. What is the difference between vulnerability and exploit and how a vulnerability can be converted into an exploit?
  5. What are the pros and cons of the existing security assessment tools?

Typical questions for seminar classes (labs) within this section

  1. Perform security assessment of an example application and/or service.
  2. Use a particular penetration testing method to find vulnerability in an application.
  3. Select at least 3 existing industry-grade tools and perform vulnerability assessment of an example application.
  4. After using particular tools and methods, document their pros and cons.

Test questions for final assessment in this section

  1. How to perform port scanning and when it is dangerous to do that?
  2. Choose any of the security assessment method to use and justify your choice.
  3. Can we skip the vulnerability assessment? Yes or No? Justify your answer in detail. What would be the downside of either skipping or not skipping it?
  4. How would you covert a vulnerability to an exploit and what are the essential methods to contain an exploit?
  5. What are the drawbacks of the existing security assessment tools?

Section 2

Section title:

Software Security and secure coding

Topics covered in this section:

  • Software security
  • Security in software development life-cycle
  • Software security requirements and testing
  • Secure programming
  • Best practices in secure coding

What forms of evaluation were used to test students’ performance in this section?

|a|c| & Yes/No
Development of individual parts of software product code & 1
Homework and group projects & 1
Midterm evaluation & 1
Testing (written or computer based) & 1
Reports & 0
Essays & 0
Oral polls & 0
Discussions & 1


Typical questions for ongoing performance evaluation within this section

  1. At which step of software development, security must be considered?
  2. What are the principle of software security?
  3. What frameworks are proven to be the best for software security and why?
  4. What are the principles of secure coding?
  5. Explain the pitfalls of secure programming?
  6. How the requirements gathering for software can affect software security?

Typical questions for seminar classes (labs) within this section

  1. Given the scenario, document the requirements (both traditional and security)?
  2. Explain a scenario where the software development will pose a security risk?
  3. Demonstrate non-standard practices in software development that will lead to security issues?
  4. What assessment techniques can be used to detect software security issues in earlier stages of the software development?
  5. What are the best practices in software development from a security perspective?

Test questions for final assessment in this section

  1. same as above.

Section 3

Section title:

Secure software development techniques and frameworks

Topics covered in this section:

  • Software security development frameworks
  • System security development frameworks
  • Security development and design techniques
  • Integration of security solutions

What forms of evaluation were used to test students’ performance in this section?

|a|c| & Yes/No
Development of individual parts of software product code & 1
Homework and group projects & 1
Midterm evaluation & 1
Testing (written or computer based) & 1
Reports & 0
Essays & 0
Oral polls & 0
Discussions & 1


Typical questions for ongoing performance evaluation within this section

  1. Explain the existing software security and development frameworks?
  2. Given a software development scenario, how to select a particular framework?
  3. Does software development method affect the software security? Justify your answer.
  4. At which stage of a particular software development method, security is considered?
  5. Describe the rationale for security at every step of software development process?
  6. What is the difference between software and system security?
  7. Can software security techniques be used in system security? Justify your answer.

Typical questions for seminar classes (labs) within this section

  1. Through secure programming and security frameworks of software, demonstrate the software resilience.
  2. Demonstrate the software security (with respect to requirements) at each step of the development process?
  3. What are the vulnerabilities and attacks associated with insecure programming practices? Demonstrate.
  4. Demonstrate if different programming paradigms have any effect on the software security?
  5. Through a proof-of-concept, demonstrate the difference between software and system security.

Test questions for final assessment in this section

  1. same as above.

Section 4

Section title:

Best practices in secure systems development

Topics covered in this section:

  • Industrial view on the systems security
  • Usage of best practices in software and system security
  • Secure development standards
  • Role of emerging technologies in secure systems development
  • Ongoing secure system development standardization activities
  • Existing projects considering secure system development

What forms of evaluation were used to test students’ performance in this section?

|a|c| & Yes/No
Development of individual parts of software product code & 1
Homework and group projects & 1
Midterm evaluation & 1
Testing (written or computer based) & 1
Reports & 0
Essays & 0
Oral polls & 0
Discussions & 1


Typical questions for ongoing performance evaluation within this section

  1. What are the best practices in the industry for secure system development?
  2. What are the current issues with the best practices in the industry and what are their limitations?
  3. Cross-platform system development might affect the security of the system. Do you agree or not?
  4. Briefly explain the standardization efforts in the industry and academia regarding the secure system development?
  5. Can we apply the best practices of secure software development in secure system development? Justify your answer.

Typical questions for seminar classes (labs) within this section

  1. Demonstrate the effectiveness of secure system development best practices.
  2. Demonstrate the analysis of using different development platforms on the secure system and software development.
  3. What is the role of traditional security mechanisms such as cryptography on the secure system development?
  4. With toy examples, demonstrate the attacker perspective and behavior on the (in)secure system development.
  5. Analyze the security of a given system by choosing any of the secure development framework?

Test questions for final assessment in this section

  1. same as above.