Logistics
Lecturer: Eduardo R. B. Marques
Class schedule: Thursday, 14:00 - 17:00
Questions & announcements: Piazza
Course description
> Aims & expected learning outcomes
QSES provides an introduction to secure software development. Students learn how to make use of core principles, techniques, and tools for secure software engineering to prevent/detect/fix some of the most common classes of software security vulnerabilities. These skills are exercised through project assignments.
"Exploits of a Mom" @ xkcd.com
> Syllabus
Security & software engineening
- Introductory concepts.
- Principles & pitfalls in secure software design.
- Security touchpoints in the software development life-cycle.
Building security in - techniques and tools for secure software development & validation, including:
- Input validation.
- Secure programming idioms.
- Security-oriented code reviews using static program analysis.
- Security-oriented program testing.
Handling of common security vulnerabilities, including:
- Injection (commands, code, SQL, ...).
- Buffer overflows.
- Web application specific vulnerabilities (XSS, CSRF, ...).
- Information flow & leakage.
- Concurrency-related vulnerabilities.
> Bibliography
Building Secure Software: How to Avoid Security Problems the Right Way
John Viega and Gary McGraw, Addison-Wesley, 2002
Segurança no Software, 2ª edição
Miguel Pupo Correia e Paulo Jorge Sousa, FCA, 2017
Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis
Brian Chess and Jacob West, Addison-Wesley, 2007
Writing Secure Code, 2nd edition
Michael Howard and David LeBlanc, Microsoft Press, 2004
Software Security, Building Security In
Gary McGraw, Addison-Wesley, 2006
> Grading
- 60 %: final exam.
- 40 %: project assignments.