Secure Software Design - Academic year 2020/2021

Course information

Lecturer: Mario Alviano

Office hours: consult my homepage

Notice board

Schedule

Lecture Hall: MT10

Lectures

• 01/10/2020 14:30-16:30 - Introduction + Why design matters for security (part 1)
• 02/10/2020 11:30-14:30 - Why design matters for security (part 2)
• 08/10/2020 14:30-16:30 - Deep modeling
• 09/10/2020 11:30-14:30 - Core concepts of Domain-Driven Design
• 15/10/2020 14:30-16:30 - Code constructs promoting security
• 16/10/2020 11:30-14:30 - Domain primitives - Part 1
• 22/10/2020 14:30-16:30 - Domain primitives - Part 2
• 23/10/2020 11:30-14:30 - Ensuring integrity of state
• 29/10/2020 14:30-16:30 - Reducing complexity of state
• 30/10/2020 11:30-14:30 - Handling failures securely
• 05/11/2020 14:30-16:30 - OWASP Top 10 - Part 1
• 06/11/2020 11:30-14:30 - OWASP Top 10 - Part 2
• 12/11/2020 14:30-16:30 - OWASP ZAP
• 13/11/2020 11:30-14:30 - Introduction to Test-Driven Design
• 19/11/2020 14:30-16:30 - Django REST Framework - Part 1
• 20/11/2020 11:30-14:30 - Django REST Framework - Part 2
• 26/11/2020 14:30-16:30 - Advanced tests for Python
• 27/11/2020 11:30-14:30 - Student Project
• 03/12/2020 14:30-16:30 - Student Project
• 04/12/2020 11:30-14:30 - Student Project
• 10/12/2020 14:30-16:30 - Student Project
• 11/12/2020 11:30-13:30 - Exam Simulation
• 17/12/2020 14:30-16:30 - Student Project Showcase

Course material

Slides

1. Introduction: presentation

2. Why design matters for security: presentation

3. Deep modeling: presentation

4. Core concepts of Domain-Driven Design: presentation

5. Code constructs promoting security: presentation

6. Domain primitives: presentation, examples

7. Ensuring integrity of state: presentation, examples

8. Reducing complexity of state: presentation

9. Handling failures securely: presentation, exercises

10. OWASP Top 10: presentation

11. OWASP ZAP: presentation

12. Introduction to Test-Driven Design: presentation, examples

13. Django REST Framework - Part 1: presentation, examples

14. Django REST Framework - Part 2: presentation, examples

15. Advanced tests for Python: presentation, examples

16. Student Projects: presentation

17. Student Projects - Lessons Learned: presentation

Exercises to Solve at Home

• Have a look at the end of the slides; some solutions written in the class can be found here

• Web Goat

  • WebGoat and WebWolf

  • Write-ups of suggested exercises

• SQL Injection on OWASP Mutillidae II up to Client-side Security

  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  2. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  3. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  4. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

• HTML Injection & XSS on OWASP Mutillidae II up to Client-side Security

  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  2. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  3. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

Books

• Secure by Design - Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano - Manning

  web page of the book

Web Pages

• SEI CERT Oracle Coding Standard for Java

• SEI CERT C++ Coding Standard

• OWASP

• WebGoat Project

• ZAP

• XSS exercises

Exams

• 02/02/2021 09:00
• 23/02/2021 09:00
• 07/07/2021 09:00
• 28/07/2021 09:00
• 25/09/2021 14:00 - MT6

Previous editions

• Academic year 2019/2020

• Academic year 2018/2019

• Academic year 2017/2018

• Academic year 2016/2017