MTU Courses - COMP8050 - Security for Software Systems

Module Details

Module Code:	COMP8050
Title:	Security for Software Systems
Long Title:	Security for Software Systems
NFQ Level:	Advanced
Valid From:	Semester 1 - 2017/18 ( September 2017 )

Duration:	1 Semester

Credits:	5

Field of Study:	4811 - Computer Science

Module Delivered in:	3 programme(s)

Module Description:

Software Development Life Cycle (or SDLC) defines a methodology to develop a software in a structured manner. Security challenges exists at every stage of this process from design, coding, testing and deployment. This module focuses on how to incorporate security into the various stages of the SDLC and will also explore the main mitigation techniques and typical code exploitation techniques. In addition, security issues particular to web applications will be explored.

Learning Outcomes
On successful completion of this module the learner will be able to:
#	Learning Outcome Description
LO1	Integrate security into web applications and test such applications for vulnerabilities
LO2	Assess the conditions that would lead to attacks as a result of insecure software development practices.
LO3	Apply and categorise mitigations for various forms of software based attacks
LO4	Apply Threat Modelling Techniques in the construction of a secure software system
LO5	Revise the security of code using various analysis techniques

Dependencies
Module Recommendations This is prior learning (or a practical skill) that is strongly recommended before enrolment in this module. You may enrol in this module if you have not acquired the recommended learning but you will have considerable difficulty in passing (i.e. achieving the learning outcomes of) the module. While the prior learning is expressed as named MTU module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).

Incompatible Modules These are modules which have learning outcomes that are too similar to the learning outcomes of this module. You may not earn additional credit for the same learning and therefore you may not enrol in this module if you have successfully completed any modules in the incompatible list.
No incompatible modules listed
Co-requisite Modules
No Co-requisite modules listed
Requirements This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.
No requirements listed

Indicative Content
Threat Modelling and Secure Software Development Lifecycle Applying Threat Modelling to a software project, DREAD, STRIDE, Microsoft's SDLC.
Code Review and Secure Coding Static and manual tools and approaches to code review. Secure coding in various high level languages.
Attacks based on vulnerable software Attack techniques on software based around modern and traditional methods including Buffer and Heap Overflow, Return-to-LibC, ROP, UAF, SEH Based Attacks
Mitigations Techniques to mitigate the main forms of attack on software including Stack Cookies, ASLR, DEP, SafeSEH, CFG, and EMET in general.
Security of Web Applications OWASP Top 10, Cross-Site Scripting, SQL Injection, Cross Sire Request Forgery, Secure Session handling.
Other Related Issues Cryptographic Systems. Authentication Systems e.g Kerberos

Assessment Breakdown	%
Module Content & Assessment
Coursework	40.00%
End of Module Formal Examination	60.00%

Assessments

Coursework

Assessment Type	Practical/Skills Evaluation	% of Total Mark	20
Timing	Week 6	Learning Outcomes	2,3,5
Assessment Description Students will be assigned projects centering on attack methods such as buffer overflow, heap overflow etc. and possibly involving secure coding.

Assessment Type	Practical/Skills Evaluation	% of Total Mark	20
Timing	Week 11	Learning Outcomes	1,3,4
Assessment Description Students will be assessed on assigned practical work centred on the security of Web Applications.

End of Module Formal Examination

Assessment Type	Formal Exam	% of Total Mark	60
Timing	End-of-Semester	Learning Outcomes	1,2,3,4,5
Assessment Description End-of-Semester Formal Examination.

Reassessment Requirement
Repeat examination Reassessment of this module will consist of a repeat examination. It is possible that there will also be a requirement to be reassessed in a coursework element.

The University reserves the right to alter the nature and timings of assessment

Module Workload

Workload: Full Time
Workload Type	Contact Type	Workload Description	Frequency	Average Weekly Learner Workload	Hours
Lecture	Contact	Lecture delivering theory underpinning learning outcomes.	Every Week	2.00	2
Lab	Contact	Lab to support learning outcomes.	Every Week	2.00	2
Directed Learning	Non Contact	Directed learning	Every Week	3.00	3
Total Hours					7.00
Total Weekly Learner Workload					7.00
Total Weekly Contact Hours					4.00

Workload: Part Time
Workload Type	Contact Type	Workload Description	Frequency	Average Weekly Learner Workload	Hours
Lecture	Contact	Lecture delivering theory underpinning learning outcomes.	Every Week	2.00	2
Lab	Contact	Lab to support learning outcomes.	Every Week	2.00	2
Directed Learning	Non Contact	Directed Learning	Every Week	3.00	3
Total Hours					7.00
Total Weekly Learner Workload					7.00
Total Weekly Contact Hours					4.00

Recommended Book Resources
Module Resources
Mark Dowd, John McDonald, Justin Schuh. (2007), The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Addison-Wesley, [ISBN: 9780321444424].
Supplementary Book Resources
Edward Griffor. (2016), Handbook of System Safety and Security: Cyber Risk and Risk Management, Cyber Security, Threat Analysis, Functional Safety, Software Systems, and Cyber Physical Systems, Syngress, [ISBN: 9780128037737]. Adam Shostack. (2014), Threat Modeling: Designing for Security, Wiley, [ISBN: 9781118809990]. James Ransome, Anmol Misra. (2013), Core Software Security: Security at the Source, Auerbach, [ISBN: 9781466560956]. Gene Kim, Patrick Debois, John Willis. (2016), The Devops Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations, Trade Select, [ISBN: 9781942788003].
This module does not have any article/paper resources
Other Resources
Report, NIST. (2016), Dramatically Reducing Software Vulnerabilities, http://nvlpubs.nist.gov/nistpubs/ir/2016 /NIST.IR.8151.pdf website, The Exploit Database – ultimate archive of Exploits, Shellcode, and Security Papers., https://www.exploit-db.com/ website, SANS Top 25 Most Dangerous Software Errors, https://www.sans.org/top25-software-erro rs/ website, OWASP's Application Threat Modeling resource, https://www.owasp.org/index.php/Applicat ion_Threat_Modeling

Programme Code	Programme	Semester	Delivery
Module Delivered in
CR_KSDEV_8	Bachelor of Science (Honours) in Software Development	7	Mandatory
CR_KITMN_8	Bachelor of Science (Honours) in IT Management	7	Elective
CR_KWEBD_8	Bachelor of Science (Honours) in Web Development	7	Mandatory

https://mtu.akarisoftware.com/

COMP8050 - Security for Software Systems

Module Details

Assessments

Module Workload