#acl MarioAlviano:read,write,delete,admin,revert EditorsGroup:read,write,delete,admin,revert All:read
== Secure Software Design - Academic year 2020/2021 ==

=== Course information ===
'''Lecturer''': [[http://www.alviano.net|Mario Alviano]]

'''Office hours''': consult my [[http://www.alviano.net|homepage]]

=== Notice board ===
## '''27/05/2020 11:00''': Exams and next edition on Microsoft Teams: [[https://teams.microsoft.com/l/team/19%3a701a358ed3bc4b968dc53ed7fea125a4%40thread.tacv2/conversations?groupId=7bb937db-5b8d-43fc-8a3a-68dd99dd5130&tenantId=7519d0cd-2106-47d9-adcb-320023abff57|follow this link]]
## '''17/12/2020 16:55''': Points assigned to student projects (to be defended during the discussion at the exam): [[http://archives.alviano.net/teaching/ssd-2020-2021/Student_Projects.pdf|download]]
## '''17/12/2020 16:40''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2020-2021/FirmeFrequenza_2020-2021.pdf|download]]

=== Schedule ===
'''Lecture Hall''': MT10

==== Lectures ====
## 32 hours of lectures
## 24 hours of laboratory
## 56 hours in total
 * 01/10/2020 14:30-16:30 - Introduction + Why design matters for security (part 1)
 * 02/10/2020 11:30-14:30 - Why design matters for security (part 2)
 * 08/10/2020 14:30-16:30 - Deep modeling
 * 09/10/2020 11:30-14:30 - Core concepts of Domain-Driven Design
 * 15/10/2020 14:30-16:30 - Code constructs promoting security
 * 16/10/2020 11:30-14:30 - Domain primitives - Part 1
 * 22/10/2020 14:30-16:30 - Domain primitives - Part 2
 * 23/10/2020 11:30-14:30 - Ensuring integrity of state
 * 29/10/2020 14:30-16:30 - Reducing complexity of state
 * 30/10/2020 11:30-14:30 - Handling failures securely
 * 05/11/2020 14:30-16:30 - OWASP Top 10 - Part 1
 * 06/11/2020 11:30-14:30 - OWASP Top 10 - Part 2
 * 12/11/2020 14:30-16:30 - OWASP ZAP
 * 13/11/2020 11:30-14:30 - Introduction to Test-Driven Design
 * 19/11/2020 14:30-16:30 - Django REST Framework - Part 1
 * 20/11/2020 11:30-14:30 - Django REST Framework - Part 2
 * 26/11/2020 14:30-16:30 - Advanced tests for Python
 * 27/11/2020 11:30-14:30 - Student Project
 * 03/12/2020 14:30-16:30 - Student Project
 * 04/12/2020 11:30-14:30 - Student Project
 * 10/12/2020 14:30-16:30 - Student Project
 * 11/12/2020 11:30-13:30 - Exam Simulation
 * 17/12/2020 14:30-16:30 - Student Project Showcase

=== Course material ===
==== Slides ====
 1. Introduction: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation01.pdf|presentation]]
 1. Why design matters for security: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation02.pdf|presentation]]
 1. Deep modeling: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation03.pdf|presentation]]
 1. Core concepts of Domain-Driven Design: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation04.pdf|presentation]]
 1. Code constructs promoting security: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation05.pdf|presentation]]
 1. Domain primitives: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation06.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples06.zip|examples]]
 1. Ensuring integrity of state: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation07.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples07.zip|examples]]
 1. Reducing complexity of state: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation08.pdf|presentation]]
 1. Handling failures securely: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation09.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/exercises09.zip|exercises]]
 1. OWASP Top 10: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation10.pdf|presentation]]
 1. OWASP ZAP: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation11.pdf|presentation]]
 1. Introduction to Test-Driven Design: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation12.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples12.zip|examples]]
 1. Django REST Framework - Part 1: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation13.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples13.zip|examples]]
 1. Django REST Framework - Part 2: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation14.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples14.zip|examples]]
 1. Advanced tests for Python: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation15.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2020-2021/examples15.zip|examples]]
 1. Student Projects: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation16.pdf|presentation]]
 1. Student Projects - Lessons Learned: [[http://archives.alviano.net/teaching/ssd-2020-2021/presentation17.pdf|presentation]]

==== Exercises to Solve at Home ====
 * Have a look at the end of the slides; some solutions written in class can be found [[http://archives.alviano.net/teaching/ssd-2019-2020/SHARED.zip|here]]
 * Web Goat
  * [[https://github.com/WebGoat/WebGoat/releases|WebGoat and WebWolf]]
  * [[http://archives.alviano.net/teaching/ssd-2019-2020/WebGoat-writeups.zip|Write-ups of suggested exercises]]
 * SQL Injection on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * HTML Injection & XSS on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

==== Books ====
 * Secure by Design - Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano - Manning [[https://www.manning.com/books/secure-by-design|web page of the book]]

==== Web Pages ====
 * [[https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java|SEI CERT Oracle Coding Standard for Java]]
 * [[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637|SEI CERT C++ Coding Standard]]
 * [[https://www.owasp.org/index.php/Main_Page|OWASP]]
 * [[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project|WebGoat Project]]
 * [[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project|ZAP]]
 * [[https://xss-game.appspot.com/|XSS exercises]]

=== Exams ===
## * 08/07/2020 09:00 - Teams - [[http://archives.alviano.net/teaching/ssd-2019-2020/ExamFormat_SSD.pdf|exam format]]
 * 02/02/2021 09:00
 * 23/02/2021 09:00
 * 07/07/2021 09:00
 * 28/07/2021 09:00
 * 25/09/2021 14:00 - MT6

=== Previous editions ===
 * [[SecureSoftwareDesign/2019-2020|Academic year 2019/2020]]
 * [[SecureSoftwareDesign/2018-2019|Academic year 2018/2019]]
 * [[SecureSoftwareDesign/2017-2018|Academic year 2017/2018]]
 * [[SecureSoftwareDesign/2016-2017|Academic year 2016/2017]]