International Teaching | SECURE PROGRAMMING

cod. 0622700096

SECURE PROGRAMMING

	0622700096
	DEPARTMENT OF INFORMATION AND ELECTRICAL ENGINEERING AND APPLIED MATHEMATICS
	EQF7
	COMPUTER ENGINEERING
	2024/2025

CURRICULUM CYBERSECURITY

	YEAR OF COURSE 2
	YEAR OF DIDACTIC SYSTEM 2022
	AUTUMN SEMESTER

TEACHING UNITS

SSD	CFU	HOURS	ACTIVITY	TYPE OF ACTIVITY
ING-INF/05	6	48	LESSONS	COMPULSORY SUBJECTS, CHARACTERISTIC OF THE CLASS
ING-INF/05	2	16	LAB	COMPULSORY SUBJECTS, CHARACTERISTIC OF THE CLASS
ING-INF/05	1	8	EXERCISES	COMPULSORY SUBJECTS, CHARACTERISTIC OF THE CLASS

	Objectives
	THE COURSE PRESENTS THE PRINCIPAL SOURCES OF VULNERABILITY IN PROGRAMMING AND THE METHODOLOGIES AND TOOLS NECESSARY TO MITIGATE AND TO REMOVE SUCH VULNERABILITIES. KNOWLEDGE AND UNDERSTANDING PRINCIPLES AND PRACTICES OF SECURE PROGRAMMING. PRINCIPAL SOURCES OF VULNERABILITIES IN PROGRAMMING AND DEVELOPMENT METHODOLOGIES TO MITIGATE AND REMOVE SUCH VULNERABILITIES. NEW AND EMERGING LANGUAGE-BASED SECURITY MECHANISMS, INCLUDING THOSE FOR SPECIFYING AND APPLYING SECURITY POLICIES STATICALLY AND DYNAMICALLY. APPLIED KNOWLEDGE AND UNDERSTANDING DESIGNING AND REALIZING AN APPLICATION ADOPTING THE PRINCIPAL TECHNIQUES OF SECURE PROGRAMMING. USING APPROPRIATELY AND EFFECTIVELY SECURITY FUNCTIONS, SUCH AS AUTHENTICATION AND CRYPTOGRAPHY, PROVIDED BY THE LIBRARIES IN COMMON PROGRAMMING LANGUAGES. IDENTIFYING COMMON SECURITY-RELATED PROGRAMMING ERRORS DURING CODE REVIEWS. DEFINING SECURITY TESTS AND USING APPROPRIATE TOOLS FOR THEIR IMPLEMENTATION. APPLYING NEW MODELS AND TOOLS FOR SECURITY-ENHANCED PROGRAMMING, TO HELP MEETING THE SECURITY REQUIREMENTS.

THE COURSE PRESENTS THE PRINCIPAL SOURCES OF VULNERABILITY IN PROGRAMMING AND THE METHODOLOGIES AND TOOLS NECESSARY TO MITIGATE AND TO REMOVE SUCH VULNERABILITIES.

KNOWLEDGE AND UNDERSTANDING
PRINCIPLES AND PRACTICES OF SECURE PROGRAMMING. PRINCIPAL SOURCES OF VULNERABILITIES IN PROGRAMMING AND DEVELOPMENT METHODOLOGIES TO MITIGATE AND REMOVE SUCH VULNERABILITIES. NEW AND EMERGING LANGUAGE-BASED SECURITY MECHANISMS, INCLUDING THOSE FOR SPECIFYING AND APPLYING SECURITY POLICIES STATICALLY AND DYNAMICALLY.

APPLIED KNOWLEDGE AND UNDERSTANDING
DESIGNING AND REALIZING AN APPLICATION ADOPTING THE PRINCIPAL TECHNIQUES OF SECURE PROGRAMMING. USING APPROPRIATELY AND EFFECTIVELY SECURITY FUNCTIONS, SUCH AS AUTHENTICATION AND CRYPTOGRAPHY, PROVIDED BY THE LIBRARIES IN COMMON PROGRAMMING LANGUAGES. IDENTIFYING COMMON SECURITY-RELATED PROGRAMMING ERRORS DURING CODE REVIEWS. DEFINING SECURITY TESTS AND USING APPROPRIATE TOOLS FOR THEIR IMPLEMENTATION. APPLYING NEW MODELS AND TOOLS FOR SECURITY-ENHANCED PROGRAMMING, TO HELP MEETING THE SECURITY REQUIREMENTS.

	Prerequisites
	IT IS HIGHLY RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF COMPUTER PROGRAMMING IN THE LANGUAGES C AND JAVA, AND KNOWLEDGE OF RELATIONAL DBMS AND OF THE SQL LANGUAGE. IT IS RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE ABOUT THE MAIN SERVICES OF AN OPERATING SYSTEM, WITH SPECIFIC REFERENCE TO THE UNIX FAMILY. IT IS ALSO RECOMMENDED A PREVIOUS KNOWLEGE ABOUT COMPUTER NETWORK ARCHITECTURES AND PROTOCOLS. IT IS ALSO RECOMMENDED PREVIOUS KNOWLEDGE ABOUT PRIVATE AND PUBLIC KEY CRYPTOGRAPHIC TECHNOLOGIES.

Prerequisites

IT IS HIGHLY RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF COMPUTER PROGRAMMING IN THE LANGUAGES C AND JAVA, AND KNOWLEDGE OF RELATIONAL DBMS AND OF THE SQL LANGUAGE.
IT IS RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE ABOUT THE MAIN SERVICES OF AN OPERATING SYSTEM, WITH SPECIFIC REFERENCE TO THE UNIX FAMILY.
IT IS ALSO RECOMMENDED A PREVIOUS KNOWLEGE ABOUT COMPUTER NETWORK ARCHITECTURES AND PROTOCOLS.
IT IS ALSO RECOMMENDED PREVIOUS KNOWLEDGE ABOUT PRIVATE AND PUBLIC KEY CRYPTOGRAPHIC TECHNOLOGIES.

	Contents
	INTRODUCTION TO SECURE PROGRAMMING. WEAKNESS, VULNERABILITY, EXPLOIT. VULNERABILITY REPOSITORIES. SCORING SYSTEMS. (LEZ:2/ESE:0/LAB:0) BUFFER OVERRUN. (LEZ:2/ESE:0/LAB:0) INTEGER OVERFLOW. (LEZ:2/ESE:0/LAB:0) COMMAND INJECTION. (LEZ:2/ESE:0/LAB:0) INFORMATION LEAKAGE. (LEZ:2/ESE:0/LAB:0) FUZZY TESTING WITH AFL. (LEZ:0/ESE:0/LAB:2) RACE CONDITIONS. (LEZ:2/ESE:0/LAB:0) SQL INJECTION. (LEZ:2/ESE:0/LAB:0) MEMORY MANAGEMENT ERRORS. (LEZ:2/ESE:0/LAB:0) DESERIALIZATION OF UNTRUSTED DATA. (LEZ:2/ESE:0/LAB:0) FAILURE TO HANDLE ERRORS CORRECTLY. (LEZ:2/ESE:0/LAB:0) FORMAT STRING PROBLEMS. (LEZ:2/ESE:0/LAB:0) WEB APPLICATION FUNDAMENTALS. (LEZ:4/ESE:0/LAB:0) STATIC FILES PROBLEMS. (LEZ:2/ESE:0/LAB:0) SERVER-SIDE XSS. (LEZ:2/ESE:0/LAB:0) CLIENT-SIDE XSS. (LEZ:2/ESE:0/LAB:0) CSRF. (LEZ:2/ESE:0/LAB:0) MAGIC URLS PREDICTABLE COOKIES AND HIDDEN FORM FIELDS. (LEZ:2/ESE:0/LAB:0) SECURITY TESTING WITH ZAP. (LEZ:0/ESE:2/LAB:2) CLICKJACKING AND CONTENT SNIFFING. (LEZ:2/ESE:0/LAB:0) SECURITY TESTING WITH SONARQUBE. (LEZ:0/ESE:0/LAB:2) POOR USABILITY PROBLEMS. (LEZ:2/ESE:0/LAB:0) UNCONTROLLED RESOURCE CONSUMPTION. (LEZ:2/ESE:0/LAB:0) SECURITY TESTING WITH FLAWFINDER. (LEZ:0/ESE:0/LAB:2) PROBLEMS WITH SOFTWARE UPDATES. (LEZ:2/ESE:0/LAB:0) SECURITY TESTING WITH BANDIT. (LEZ:0/ESE:0/LAB:2) THREAT MODELING AND THE STRIDE METHODOLOGY. (LEZ:2/ESE:0/LAB:0) THREAT MODELING WITH OWASP THREAT DRAGON. (LEZ:0/ESE:4/LAB:2) WEAK RANDOM NUMBERS. (LEZ:2/ESE:0/LAB:0) USING THE WRONG CRYPTOGRAPHY. (LEZ:2/ESE:0/LAB:0) SECURITY TESTING WITH SPOTBUGS AND FINDSECBUGS. (LEZ:0/ESE:0/LAB:2) TOTALE: LEZ:52/ESE:6/LAB:14

Contents

INTRODUCTION TO SECURE PROGRAMMING. WEAKNESS, VULNERABILITY, EXPLOIT. VULNERABILITY REPOSITORIES. SCORING SYSTEMS. (LEZ:2/ESE:0/LAB:0)

BUFFER OVERRUN. (LEZ:2/ESE:0/LAB:0)

INTEGER OVERFLOW. (LEZ:2/ESE:0/LAB:0)

COMMAND INJECTION. (LEZ:2/ESE:0/LAB:0)

INFORMATION LEAKAGE. (LEZ:2/ESE:0/LAB:0)

FUZZY TESTING WITH AFL. (LEZ:0/ESE:0/LAB:2)

RACE CONDITIONS. (LEZ:2/ESE:0/LAB:0)

SQL INJECTION. (LEZ:2/ESE:0/LAB:0)

MEMORY MANAGEMENT ERRORS. (LEZ:2/ESE:0/LAB:0)

DESERIALIZATION OF UNTRUSTED DATA. (LEZ:2/ESE:0/LAB:0)

FAILURE TO HANDLE ERRORS CORRECTLY. (LEZ:2/ESE:0/LAB:0)

FORMAT STRING PROBLEMS. (LEZ:2/ESE:0/LAB:0)

WEB APPLICATION FUNDAMENTALS. (LEZ:4/ESE:0/LAB:0)

STATIC FILES PROBLEMS. (LEZ:2/ESE:0/LAB:0)

SERVER-SIDE XSS. (LEZ:2/ESE:0/LAB:0)

CLIENT-SIDE XSS. (LEZ:2/ESE:0/LAB:0)

CSRF. (LEZ:2/ESE:0/LAB:0)

MAGIC URLS PREDICTABLE COOKIES AND HIDDEN FORM FIELDS. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH ZAP. (LEZ:0/ESE:2/LAB:2)

CLICKJACKING AND CONTENT SNIFFING. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH SONARQUBE. (LEZ:0/ESE:0/LAB:2)

POOR USABILITY PROBLEMS. (LEZ:2/ESE:0/LAB:0)

UNCONTROLLED RESOURCE CONSUMPTION. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH FLAWFINDER. (LEZ:0/ESE:0/LAB:2)

PROBLEMS WITH SOFTWARE UPDATES. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH BANDIT. (LEZ:0/ESE:0/LAB:2)

THREAT MODELING AND THE STRIDE METHODOLOGY. (LEZ:2/ESE:0/LAB:0)

THREAT MODELING WITH OWASP THREAT DRAGON. (LEZ:0/ESE:4/LAB:2)

WEAK RANDOM NUMBERS. (LEZ:2/ESE:0/LAB:0)

USING THE WRONG CRYPTOGRAPHY. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH SPOTBUGS AND FINDSECBUGS. (LEZ:0/ESE:0/LAB:2)

TOTALE: LEZ:52/ESE:6/LAB:14

	Teaching Methods
	THE COURSE CONTAINS THEORETICAL LECTURES, IN-CLASS EXERCITATIONS AND PRACTICAL LABORATORY EXERCITATIONS.

	Verification of learning
	THE EXAM IS PERFORMED AS AN ORAL INTERVIEW. THE INTERVIEW EVALUATES THE KNOWLEDGE AND UNDERSTANDING OF THE TOPICS TREATED IN THE COURSE, TOGETHER WITH THE EXPOSITION ABILITY OF THE CANDIDATE.

	Texts
	MICHAEL HOWARD, DAVID LEBLANC, JOHN VIEGA. "24 DEADLY SINS OF SOFTWARE SECURITY: PROGRAMMING FLAWS AND HOW TO FIX THEM" MCGRAW HILL

	More Information
	THE COURSE IS HELD IN ENGLISH.

Lessons Timetable

BETA VERSION Data source ESSE3

International Teaching | SECURE PROGRAMMING

SECURE PROGRAMMING

CURRICULUM CYBERSECURITY

TEACHING UNITS

PROFESSORS

SHEET

-

International Teaching | SECURE PROGRAMMING