COMP47910 Secure Software Engineering

Academic Year 2022/2023

This module aims to provide knowledge and to develop skills necessary to undertake a career as a Security Engineer, Architect or Analyst.
Students will be encouraged to be active, motivated learners who can promote security practices and work in groups towards breaking, fixing, and building software systems. The module will provide a learning environment that will encourage students to construct their knowledge through problem solving as part of a team, and to critically reflect on recent security breaches and vulnerabilities so they can develop their own and others leadership and advocacy skills.

Show/hide contentOpenClose All

Curricular information is subject to change

Learning Outcomes:

- Identify key security concepts (assets, requirements, vulnerabilities), threats and attacks to software systems;
- Distinguish the most common classes of vulnerabilities, including architectural flaws and security bugs, in software projects;
- Select countermeasures that could be applied to mitigate vulnerabilities;
- Identify and exploit security vulnerabilities in software projects using security testing;
- Design secure software and develop patches to remove vulnerabilities from existing software projects;
- Specific security and privacy requirements, including compliance with necessary standards and regulations;
- Work in teams, share work fairly and meet the obligations set by the group;
- Be curious about latest security vulnerabilities and patches;
- Actively promote security practices.

Indicative Module Content:

Web application development using SpringBoot

Security design flaws

OWASP Top 10 Vulnerabilities;

Security testing: penetration testing, dynamic application security testing, static application security testing, and interactive application security testing;

OWASP Application Security Verification Standard (ASVS);

Secure Development Lifecycle such as the Microsoft Secure Development Lifecycle (SDLC);

SDLC assessment via the Building Security In Maturity Model and the OWASP Software Assurance Maturity Model;

Security requirements specification using adversarial thinking, threat modelling, attack trees and abuse cases.

Student Effort Hours: 
Student Effort Type Hours
Practical

14

Specified Learning Activities

80

Autonomous Student Learning

120

Online Learning

20

Total

234

Approaches to Teaching and Learning:
Pre-recorded lectures will be complemented with live activities, such as tutorials, discussion forums hands-on exercises using vulnerable software applications. The assessment approach will be based on in-class activities and project work. 
Requirements, Exclusions and Recommendations
Learning Recommendations:

Knowledge of distributed systems


Module Requisites and Incompatibles
Not applicable to this module.
 
Assessment Strategy  
Description Timing Open Book Exam Component Scale Must Pass Component % of Final Grade
Continuous Assessment: Journalling activities describing how vulnerabilities can be exploited and prevented. Throughout the Trimester n/a Graded No

20

Assignment: Implementation of a web application using SpringBoot
Throughout the Trimester n/a Graded Yes

20

Assignment: A report that identifies and describes the vulnerabilities that are present in the web application developed by another team and showcases how these vulnerabilities can be exploited. Throughout the Trimester n/a Graded Yes

30

Assignment: Implementation of an improved version of the web application developed in Assignment 1, with the objective to remove the vulnerabilities identified by another team in Assignment 2. Coursework (End of Trimester) n/a Graded Yes

30


Carry forward of passed components
Yes
 
Remediation Type Remediation Timing
In-Module Resit Prior to relevant Programme Exam Board
Please see Student Jargon Buster for more information about remediation types and timing. 
Feedback Strategy/Strategies

• Feedback individually to students, on an activity or draft prior to summative assessment
• Feedback individually to students, post-assessment
• Group/class feedback, post-assessment
• Peer review activities

How will my Feedback be Delivered?

The lecturer will provide a variety of feedback strategies. The lecturer will provide students examples of security testing techniques and strategies to prevent vulnerabilities that the students should apply in their group projects. At the end of each group project, the lecturer will provide written feedback to each group using an instructional rubric. The second group project will be peer-reviewed by a different group of students who will provide written feedback following a given set of assessment criteria.

OWASP Top 10 - https://owasp.org/Top10/
Gary McGraw, "Software Security: Building Security In"
NIST Risk Management Framework - https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/
OWASP Application Security and Verification Standard - https://owasp.org/www-project-application-security-verification-standard/
Name Role
Kushal Ramkumar Tutor