SOFTWARE ENGINEERING FOR SECURE CLOUD SYSTEMS

Carmine GRAVINO SOFTWARE ENGINEERING FOR SECURE CLOUD SYSTEMS

0522700004
COMPUTER SCIENCE
EQF7
CYBERSECURITY AND CLOUD TECHNOLOGIES
2024/2025

OBBLIGATORIO
YEAR OF COURSE 1
YEAR OF DIDACTIC SYSTEM 2023
AUTUMN SEMESTER
CFUHOURSACTIVITY
648LESSONS
324LAB
Objectives
THE COURSE AIMS TO PROVIDE METHODS AND TECHNIQUES FOR DESIGNING AND IMPLEMENTING A SECURE DEVELOPMENT PIPELINE, FROM A SECURITY-AWARE REQUIREMENTS ANALYSIS PHASE TO SECURE DEVELOPMENT AND SECURITY TESTING. IT COVERS THE ENTIRE SOFTWARE LIFE CYCLE OF SECURE APPLICATIONS IN CLOUD COMPUTING ENVIRONMENTS.

KNOWLEDGE AND UNDERSTANDING
AFTER SUCCESSFULLY COMPLETING THE COURSE, THE STUDENT WILL HAVE KNOWLEDGE AND UNDERSTANDING ABOUT
SOFTWARE ENGINEERING METHODS AND TECHNIQUES FOR THE CREATION OF RELIABLE AND SECURE SOFTWARE (SECURE-AWARE DEVELOPMENT PIPELINE MANAGEMENT, REQUIREMENTS EXTRACTION, SECURITY BY DESIGN, TESTING, IDENTIFICATION, AND REMOVAL OF SOFTWARE VULNERABILITIES;
SOFTWARE ANALYSIS AND VERIFICATION TECHNIQUES;
SECURE PROGRAMMING PRINCIPLES AND PRACTICES;
METHODS AND TECHNIQUES FOR SECURITY IN DATABASES AND MICROSERVICES ARCHITECTURES;
FUNDAMENTAL CONCEPTS OF PENETRATION TESTING AND ETHICAL HACKING, METHODOLOGIES, TECHNIQUES, AND TOOLS FOR MANAGING PENETRATION TESTING PROCESSES;
ARCHITECTURES OF DISTRIBUTED SYSTEMS FOR THE CLOUD, CLOUD REFERENCE ARCHITECTURES, DELIVERY MODELS, AND DEPLOYMENT MODELS;
SHARED RESPONSIBILITY IN EACH OF THE DELIVERY (IAAS, PAAS, SAAS, FAAS) AND DEPLOYMENT (PUBLIC, PRIVATE, HYBRID) MODELS.


ABILITY TO APPLY KNOWLEDGE AND UNDERSTANDING
AFTER SUCCESSFULLY COMPLETING THE COURSE, THE STUDENT WILL BE ABLE TO:
USE SOFTWARE ENGINEERING METHODS AND TECHNIQUES FOR THE CREATION, MONITORING AND TESTING OF RELIABLE AND SECURE SOFTWARE (SECURITY BY DESIGN, DECSECOPS, TESTING,…);
CREATE SYSTEMS WITH MICROSERVICE ARCHITECTURES THAT COMPLY WITH SECURITY STANDARDS;
USE SOFTWARE ANALYSIS AND VERIFICATION TECHNIQUES MOST APPROPRIATE TO THE SOFTWARE TO BE ANALYZED;
CREATE SECURE SOFTWARE AVOIDING VULNERABILITIES AND EXPLOITING THE SECURITY FEATURES PROVIDED BY THE LIBRARIES; SPECIFY AND ENFORCE SECURITY POLICIES STATICALLY AND DYNAMICALLY;
IDENTIFY THE MAIN VULNERABILITIES OF NETWORKED SYSTEMS, RECOGNIZE THE ATTACK AND DEFENSE MECHANISMS AND THE APPROPRIATE PROTECTION STRATEGIES, APPLYING THEM TO DESIGN AND EVALUATE COUNTERMEASURES AND SECURE ARCHITECTURES; EVALUATE THE SECURITY OF COMPLEX NETWORKED SYSTEMS;
PERFORM PENETRATION TESTS COMPLIANT WITH INTERNATIONAL STANDARDS;
DESIGN DISTRIBUTED SYSTEMS ON THE CLOUD, EVALUATING THEIR PERFORMANCE, CONFIGURING SPECIFICATIONS, AND DEVELOPING APPLICATIONS IN CONCURRENT AND PARALLEL ENVIRONMENTS;
KNOW HOW TO IDENTIFY THE APPROPRIATE ARCHITECTURE OF DISTRIBUTED SYSTEMS FOR THE CLOUD.


COMMUNICATION SKILLS
AFTER SUCCESSFULLY COMPLETING THE COURSE, THE STUDENT WILL BE ABLE TO:
THINK CRITICALLY AND QUESTION DESIGN AND IMPLEMENTATION CHOICES;
DEVELOP AUTONOMOUS AND INDEPENDENT REASONING AND REFLECTIONS;
UNDERSTAND THE RELEVANCE OF A PLURALITY OF POINTS OF VIEW AND ALTERNATIVE APPROACHES;
CRITICALLY EVALUATE POSITIVE AND NEGATIVE ASPECTS OF ALTERNATIVE SOLUTIONS, TAKING INTO CONSIDERATION QUALITY AND COST/EFFECTIVENESS;
PRIORITIZE OFTEN CONFLICTING OBJECTIVES;
MAKE DECISIONS, INCLUDING REFLECTION ON THE SOCIAL AND ETHICAL RESPONSIBILITIES CONNECTED WITH THE OPERATION OF SUCH SOLUTIONS IN ORDER TO USE THE ATTACK TECHNIQUES LEARNED ONLY IN ORDER TO IMPROVE THE IT SECURITY LEVEL OF AN ORGANIZATION;
WORK WITH A HIGH DEGREE OF AUTONOMY;
PLAN THE APPROPRIATE DATA COLLECTION FOR THE PROPOSED OBJECTIVES AND CRITICALLY INTERPRET THE COLLECTED DATA TO DERIVE AUTONOMOUS JUDGMENTS SUPPORTED BY OBJECTIVE AND QUANTITATIVE ANALYSES.

JUDGMENT AUTONOMY
AFTER SUCCESSFULLY COMPLETING THE COURSE, THE STUDENT WILL BE ABLE TO:
COMMUNICATE CLEARLY AND EFFECTIVELY, IN WRITTEN AND ORAL FORM, TO CONVEY KNOWLEDGE, IDEAS, PROBLEMS, SOLUTIONS, AND THE UNDERLYING RATIONALE, ADAPTING THE METHODS OF EXPRESSION TO THE CULTURAL AND PROFESSIONAL CHARACTERISTICS OF THE RECIPIENTS OF THE COMMUNICATION;
EFFECTIVELY USE MULTIMEDIA COMMUNICATION TOOLS;
COMMUNICATE IN ITALIAN AND ENGLISH WITH TECHNICIANS AND EXPERTS WITH GOOD LANGUAGE SKILLS AND SHOW MASTERY OF TECHNICAL TERMINOLOGY;
UNDERSTAND AND PROCESS TECHNICAL TEXTS IN ENGLISH OF MEDIUM DIFFICULTY;
WORK IN A TEAM WITH ADEQUATE RELATIONAL AND DECISION-MAKING SKILLS;
REPORT ON ONE'S WORK.

LEARNING ABILITY
AFTER SUCCESSFULLY COMPLETING THE COURSE, THE STUDENT WILL BE ABLE TO:
ORGANIZE ONE'S IDEAS CRITICALLY AND SYSTEMATICALLY;
REFLECT ON ONE'S OWN LEARNING EXPERIENCE AND ADAPT IT IN RESPONSE TO EXTERNAL CUES AND STIMULI;
RECOGNIZE THE NEED FOR FURTHER STUDIES AND ADDITIONAL RESEARCH ACTIVITIES.
Prerequisites
STUDENTS SHOULD KNOW BASIC SOFTWARE ENGINEERING CONCEPTS, PARTICULARLY SOFTWARE DEVELOPMENT MODELS AND TESTING.
Contents
THE TEACHING CONTENTS ARE DIVIDED INTO THREE TRAINING MODULES.

M1: SECURE SOFTWARE ENGINEERING (14H OF FRONTAL LECTURES)
THE FIRST MODULE INTRODUCES THE STUDENT TO SOFTWARE DEVELOPMENT LIFE CYCLES THAT INCLUDE SECURITY PRACTICES.
- INTRODUCTION TO THE COURSE (2 HOURS LESSON)
- LIFECYCLE MODELS WITH SECURITY (4 HOURS LESSON)
- SECURE REQUIREMENT ENGINEERING (4 HOURS LESSON)
- THREAT MODELING (2 HOURS LESSON)
- RISK MANAGEMENT & TEST PLANNING (2 HOURS LESSON)

M2: DEVSECOPS (20H OF FRONTAL LECTURES AND 12H OF LAB SESSIONS)
THE SECOND MODULE INTRODUCES THE STUDENT TO DEVSECOPS-RELATED SOFTWARE DEVELOPMENT PRACTICES FOR DEVELOPING SECURE APPLICATIONS IN CLOUD COMPUTING ENVIRONMENTS.
- DEVOPS (6 HOURS LESSON)
- SOFTWARE TESTING AND TEST DRIVEN DEVELOPMENT (2 HOURS LESSON E 2 HOURS LABORATORY)
- TEST CASE DESIGN AND SELECTION (2 HOURS LESSON E 2 HOURS LABORATORY)
- STATIC AND DYNAMIC ANALYSIS TECHNIQUES FOR SECURING MICROSERVICE APPLICATIONS (4 HOURS LESSON E 4 HOURS LABORATORY)
- CONTINUOUS INTEGRATION & TESTING (2 HOURS LESSON E 2 HOURS LABORATORY)
- CONTINUOUS DELIVERY & DEPLOYMENT (2 HOURS LESSON E 2 HOURS LABORATORY)
- SECURE DEVOPS (2 HOURS LESSON)

M3: SECURE PROGRAMMING (14H OF FRONTAL LECTURES AND 12H OF LAB SESSIONS)
THE THIRD MODULE INTRODUCES THE STUDENT TO SECURE PROGRAMMING PRACTICES:
- SOFTWARE VULNERABILITIES & PENETRATION TESTING (2 HOURS LESSON)
- CODE INSPECTION & REVIEW (2 HOURS LESSON E 2 HOURS LABORATORY)
- LOCAL METHODS TO INJECT SOFTWARE VULNERABILITIES (4 HOURS LESSON E 4 HOURS LABORATORY)
- REMOTE METHODS TO INJECT SOFTWARE VULNERABILITIES (4 HOURS LESSON E 4 HOURS LABORATORY)
- REPORTING PENETRATION TESTING (2 HOURS LESSON E 2 HOURS LABORATORY)
Teaching Methods
THE THEORETICAL PART IS DEVELOPED WITH FRONTAL LECTURES (6 CFU, 48 HOURS) OF A THEORETICAL/METHODOLOGICAL NATURE TO TRANSFER THE REQUIRED KNOWLEDGE AND TOOLS FOR PROJECT ACTIVITIES.
THE PRACTICAL PART IS CARRIED OUT IN THE LABORATORY WITH EXPERIMENTATION OF THE TECHNIQUES AND CONCEPTS PRESENTED IN THE THEORETICAL PART (3 CFU, 24 HOURS).
Verification of learning
THE ACHIEVEMENT OF THE TEACHING OBJECTIVES IS CERTIFIED BY PASSING AN EXAM WITH AN EVALUATION OUT OF THIRTY. THE EXAM INCLUDES REALIZING AN INDIVIDUAL OR GROUP PROJECT AND DELIVERING THE RELATED DOCUMENTATION AND AN ORAL TEST.
THE DELIVERY OF THE INDIVIDUAL/GROUP PROJECT DOCUMENTATION IS MANDATORY TO BE ADMITTED TO THE ORAL TEST.
Texts
SECURING DEVOPS
BY JULIEN VEHENT
RELEASED AUGUST 2018
PUBLISHER(S): MANNING PUBLICATIONS
ISBN: 9781617294136

SOFTWARE SECURITY: BUILDING SECURITY IN
BY GARY MCGRAW
RELEASED JANUARY 2006
PUBLISHER(S): ADDISON-WESLEY PROFESSIONAL
ISBN: 9780321356703
More Information
ATTENDING THE COURSE IS NOT COMPULSORY BUT STRONGLY RECOMMENDED. STUDENTS MUST BE PREPARED TO BE ACTIVELY ENGAGED IN THE COURSE THROUGH INTERACTION WITH THE TEACHER IN THE CLASSROOM AND INDIVIDUAL TRAINING. THE COURSE EXPECTS A SOLID PREDISPOSITION TO LEARN SOFTWARE TOOLS REQUIRED TO DEVELOP RELIABILITY MODULES.
THE TEACHING MATERIAL WILL BE AVAILABLE ON THE DEPARTMENTAL E-LEARNING PLATFORM.

CONTACT INFORMATION:
GCATOLINO@UNISA.IT
DDINUCCI@UNISA.IT
  BETA VERSION Data source ESSE3 [Ultima Sincronizzazione: 2024-12-13]