Subject: SVILUPPO DI SOFTWARE SICURO (A.A. 2020/2021)
Unit Sviluppo di software sicuro
Information Technology (lesson)
Learning goals of the course:
* develop a perception of security risks in source code of applications
* become able to evaluate the security level of an existing source code base
* become able to harden an existing source code base
* design ex-novo an application with security, safety, privacy by default
* Operating systems: knowledge of the inner workings of a modern operating system
* Command line interface: BASH shell, UNIX base system commands
* Languages: C plus one among Java, Python, Ruby or Perl
* Software Development: basic library functions (I/O, memory management, process management), UNIX software development and debugging tools
- Motivations for this course.
- Learning goals.
- Detailed program schedule.
* Main vulnerabilities in current applications.
- Missing input validation.
- Weak authentication.
- Insufficient session handling.
- Clear-text data storage.
- Clear-text data communication.
* Tools for analysis of existing code bases.
- Static analysis.
- Dynamic analysis.
* Secure software development life cycle.
- Security, Safety, Privacy.
- Risk analysis.
- Principles of secure design.
- Security-oriented unit testing.
- Acceptance test plans.
- Secure software distribution.
* Lectures (concepts, demos)
* Lab (experimenting with concepts seen during classes)
* Weekly assignments to be done autonomously
Lectures will be available onsite or online according to the evolving COVID19 pandemic.
* Oral exam
* Three questions on theory and practice labs
* First question acts as screening (failing it will result in a failed exam)
Exams will be performed onsite or online according to the evolution of the COVID19 pandemic.
* Knowledge and comprehension.
The student acquires proficiency in the following fields: software development, programming, security.
Knowledge is transmitted through classes, labs and individual study. The teacher monitors learning goals through oral exams and the discussion of assignments.
* Ability of applying knowledge and comprehension.
The student is able to develop secure applications from scratch, recognize and correct vulnerabilities in existing code bases.
These abilities are monitored through labs, assignments and the final exam.
* Independent judgement.
The student is able to express independently an informed opinion about the security level of an existing code base.
This ability is exercised and monitored mainly through the weekly assignments.
* Communication skills.
The student is able to communicate his work in a written form and orally; he is able to adapt to different audiences (managers, programmers, system administrators).
This ability is taught during classes and trained through the weekly assignments.
The teacher monitors the communication skills of his students during the correction of weekly assignments and during the final exam.
* Learning ability.
The student is able to update independently his knowledge base. Specifically:
- he is able to evaluate his current skill level with respect to the current state of the art
- he can point out specific weaknesses in his preparation
- he is able to retrieve the necessary documentation from appropriate sources
- he is able to study and absorb new material.
Learning abilities are:
- exercised by the teacher through guidance towards in-depth analysis and real case studies
- monitored during the final exam.
* David LeBlanc, “Writing Secure Code” (2nd ed.), Microsoft Press, 2002
* Michael Howard, “24 deadly sins of software security: programming flaws and how to fix them” (1st ed.), McGraw-Hill Education, 2009
* Lecture notes provided by the teacher