SECURE PROGRAMMING

0622700096
DEPARTMENT OF INFORMATION AND ELECTRICAL ENGINEERING AND APPLIED MATHEMATICS
EQF7
COMPUTER ENGINEERING
2025/2026

COMPULSORY
YEAR OF COURSE 2
YEAR OF DIDACTIC SYSTEM 2022
AUTUMN SEMESTER
CFU  HOURS  ACTIVITY
4    32     LESSONS
2    16     LAB
Objectives
THE COURSE PRESENTS THE PRINCIPAL SOURCES OF VULNERABILITY IN PROGRAMMING AND THE METHODOLOGIES AND TOOLS NECESSARY TO MITIGATE AND TO REMOVE SUCH VULNERABILITIES.

KNOWLEDGE AND UNDERSTANDING
PRINCIPLES AND PRACTICES OF SECURE PROGRAMMING. PRINCIPAL SOURCES OF VULNERABILITIES IN PROGRAMMING AND DEVELOPMENT METHODOLOGIES TO MITIGATE AND REMOVE SUCH VULNERABILITIES. NEW AND EMERGING LANGUAGE-BASED SECURITY MECHANISMS, INCLUDING THOSE FOR SPECIFYING AND APPLYING SECURITY POLICIES STATICALLY AND DYNAMICALLY.

APPLIED KNOWLEDGE AND UNDERSTANDING
DESIGNING AND REALIZING AN APPLICATION ADOPTING THE PRINCIPAL TECHNIQUES OF SECURE PROGRAMMING. USING SECURITY FUNCTIONS, SUCH AS AUTHENTICATION AND CRYPTOGRAPHY, PROVIDED BY THE LIBRARIES IN COMMON PROGRAMMING LANGUAGES, APPROPRIATELY AND EFFECTIVELY. IDENTIFYING COMMON SECURITY-RELATED PROGRAMMING ERRORS DURING CODE REVIEWS. DEFINING SECURITY TESTS AND USING APPROPRIATE TOOLS FOR THEIR IMPLEMENTATION. APPLYING NEW MODELS AND TOOLS FOR SECURITY-ENHANCED PROGRAMMING, TO HELP MEET THE SECURITY REQUIREMENTS.
Prerequisites
IT IS HIGHLY RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF COMPUTER PROGRAMMING IN THE LANGUAGES C AND JAVA, AND KNOWLEDGE OF RELATIONAL DBMS AND OF THE SQL LANGUAGE.
IT IS RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE ABOUT THE MAIN SERVICES OF AN OPERATING SYSTEM, WITH SPECIFIC REFERENCE TO THE UNIX FAMILY.
PREVIOUS KNOWLEDGE OF COMPUTER NETWORK ARCHITECTURES AND PROTOCOLS IS ALSO RECOMMENDED.
IT IS ALSO RECOMMENDED PREVIOUS KNOWLEDGE ABOUT PRIVATE AND PUBLIC KEY CRYPTOGRAPHIC TECHNOLOGIES.
Contents
TEACHING UNIT 1: VULNERABILITIES DUE TO PROGRAMMING ERRORS
(LECTURE/EXERCISE/LAB HOURS: 18/0/0)
- 1 (2 LECTURE HOURS) INTRODUCTION TO SECURE PROGRAMMING. WEAKNESS, VULNERABILITY, EXPLOIT. VULNERABILITY REPOSITORIES. SCORING SYSTEMS.
- 2 (2 LECTURE HOURS) BUFFER OVERRUN.
- 3 (2 LECTURE HOURS) INTEGER OVERFLOW.
- 4 (2 LECTURE HOURS) COMMAND INJECTION AND SQL INJECTION.
- 5 (2 LECTURE HOURS) INFORMATION LEAKAGE. FAILURE TO HANDLE ERRORS CORRECTLY.
- 6 (2 LECTURE HOURS) RACE CONDITIONS.
- 7 (2 LECTURE HOURS) MEMORY MANAGEMENT ERRORS.
- 8 (2 LECTURE HOURS) DESERIALIZATION OF UNTRUSTED DATA.
- 9 (2 LECTURE HOURS) FORMAT STRING PROBLEMS.

KNOWLEDGE AND UNDERSTANDING: FUNDAMENTAL CONCEPTS OF SECURE PROGRAMMING. MAIN VULNERABILITIES RELATED TO PROGRAMMING ERRORS.
APPLIED KNOWLEDGE AND UNDERSTANDING: IDENTIFY AND MITIGATE MAIN VULNERABILITIES DUE TO PROGRAMMING ERRORS.


TEACHING UNIT 2: WEB APPLICATION VULNERABILITIES
(LECTURE/EXERCISE/LAB HOURS: 10/0/0)
- 10 (2 LECTURE HOURS) FUNDAMENTALS OF WEB APPLICATIONS.
- 11 (2 LECTURE HOURS) STATIC FILES PROBLEMS, MAGIC URLS AND HIDDEN FORM FIELDS.
- 12 (2 LECTURE HOURS) CROSS-SITE SCRIPTING (XSS).
- 13 (2 LECTURE HOURS) CROSS-SITE REQUEST FORGERY (CSRF).
- 14 (2 LECTURE HOURS) CLICKJACKING AND CONTENT SNIFFING.

KNOWLEDGE AND UNDERSTANDING: MAIN VULNERABILITIES SPECIFIC TO WEB APPLICATIONS.
APPLIED KNOWLEDGE AND UNDERSTANDING: IDENTIFY AND MITIGATE MAIN WEB APPLICATION VULNERABILITIES.


TEACHING UNIT 3: VULNERABILITIES DUE TO DESIGN ERRORS
(LECTURE/EXERCISE/LAB HOURS: 8/0/0)
- 15 (2 LECTURE HOURS) POOR USABILITY PROBLEMS.
- 16 (2 LECTURE HOURS) UNCONTROLLED RESOURCE CONSUMPTION.
- 17 (2 LECTURE HOURS) PROBLEMS WITH SOFTWARE UPDATES.
- 18 (2 LECTURE HOURS) WEAK RANDOM NUMBERS AND INCORRECT USE OF CRYPTOGRAPHY.

KNOWLEDGE AND UNDERSTANDING: MAIN VULNERABILITIES DUE TO DESIGN ERRORS, INCLUDING MISUSE OF CRYPTOGRAPHIC TECHNOLOGIES.
APPLIED KNOWLEDGE AND UNDERSTANDING: IDENTIFY AND MITIGATE MAIN DESIGN-RELATED VULNERABILITIES.


TEACHING UNIT 4: METHODOLOGIES AND TOOLS FOR VULNERABILITY ANALYSIS
(LECTURE/EXERCISE/LAB HOURS: 2/0/10)
- 19 (2 LECTURE HOURS) THREAT MODELING AND THE STRIDE METHODOLOGY.
- 20 (2 LAB HOURS) THREAT MODELING WITH OWASP THREAT DRAGON.
- 21 (2 LAB HOURS) FUZZ TESTING WITH AFL.
- 22 (2 LAB HOURS) SECURITY TESTING WITH ZAP.
- 23 (2 LAB HOURS) STATIC ANALYSIS WITH SONARQUBE, FLAWFINDER, CODEQL.
- 24 (2 LAB HOURS) STATIC ANALYSIS WITH BANDIT, FINDSECBUGS, OWASP DEPENDENCY CHECK.

KNOWLEDGE AND UNDERSTANDING: THREAT MODELING AND THE STRIDE METHODOLOGY FOR VULNERABILITY ANALYSIS.
APPLIED KNOWLEDGE AND UNDERSTANDING: USE SOFTWARE TOOLS FOR STATIC AND DYNAMIC CODE ANALYSIS TO IDENTIFY SECURITY ISSUES.

TOTAL LECTURE/EXERCISE/LAB HOURS: 38/0/10
Teaching Methods
THE COURSE CONSISTS OF THEORETICAL LECTURES, IN-CLASS EXERCISES AND PRACTICAL LABORATORY EXERCISES.
Verification of learning
THE EXAM IS CONDUCTED AS AN ORAL INTERVIEW.
THE INTERVIEW EVALUATES THE KNOWLEDGE AND UNDERSTANDING OF THE TOPICS COVERED IN THE COURSE, TOGETHER WITH THE CANDIDATE'S ABILITY TO PRESENT THEM.
Texts
MICHAEL HOWARD, DAVID LEBLANC, JOHN VIEGA.
"24 DEADLY SINS OF SOFTWARE SECURITY: PROGRAMMING FLAWS AND HOW TO FIX THEM"
MCGRAW HILL
More Information
THE COURSE IS HELD IN ENGLISH.