Pasquale FOGGIA | SECURE PROGRAMMING
cod. 0622700096
DEPARTMENT OF INFORMATION AND ELECTRICAL ENGINEERING AND APPLIED MATHEMATICS
EQF7
COMPUTER ENGINEERING
2024/2025
YEAR OF COURSE 2
YEAR OF DIDACTIC SYSTEM 2022
AUTUMN SEMESTER
SSD | CFU | HOURS | ACTIVITY
---|---|---|---
ING-INF/05 | 6 | 48 | LESSONS
ING-INF/05 | 2 | 16 | LAB
ING-INF/05 | 1 | 8 | EXERCISES
Exam | Date | Session
---|---|---
SECURE PROGRAMMING | 21/01/2025 - 09:00 | ORDINARY SESSION
SECURE PROGRAMMING | 21/01/2025 - 09:00 | MAKE-UP SESSION
SECURE PROGRAMMING | 14/02/2025 - 09:00 | ORDINARY SESSION
SECURE PROGRAMMING | 14/02/2025 - 09:00 | MAKE-UP SESSION
Objectives

THE COURSE PRESENTS THE PRINCIPAL SOURCES OF VULNERABILITY IN PROGRAMMING AND THE METHODOLOGIES AND TOOLS NEEDED TO MITIGATE AND REMOVE SUCH VULNERABILITIES.

KNOWLEDGE AND UNDERSTANDING
- PRINCIPLES AND PRACTICES OF SECURE PROGRAMMING.
- PRINCIPAL SOURCES OF VULNERABILITIES IN PROGRAMMING, AND DEVELOPMENT METHODOLOGIES TO MITIGATE AND REMOVE SUCH VULNERABILITIES.
- NEW AND EMERGING LANGUAGE-BASED SECURITY MECHANISMS, INCLUDING THOSE FOR SPECIFYING AND ENFORCING SECURITY POLICIES BOTH STATICALLY AND DYNAMICALLY.

APPLIED KNOWLEDGE AND UNDERSTANDING
- DESIGNING AND REALIZING AN APPLICATION THAT ADOPTS THE PRINCIPAL TECHNIQUES OF SECURE PROGRAMMING.
- USING APPROPRIATELY AND EFFECTIVELY THE SECURITY FUNCTIONS, SUCH AS AUTHENTICATION AND CRYPTOGRAPHY, PROVIDED BY THE LIBRARIES OF COMMON PROGRAMMING LANGUAGES.
- IDENTIFYING COMMON SECURITY-RELATED PROGRAMMING ERRORS DURING CODE REVIEWS.
- DEFINING SECURITY TESTS AND USING APPROPRIATE TOOLS TO IMPLEMENT THEM.
- APPLYING NEW MODELS AND TOOLS FOR SECURITY-ENHANCED PROGRAMMING, TO HELP MEET THE SECURITY REQUIREMENTS.
Prerequisites

IT IS HIGHLY RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF COMPUTER PROGRAMMING IN THE C AND JAVA LANGUAGES, AND KNOWLEDGE OF RELATIONAL DBMS AND OF THE SQL LANGUAGE. IT IS RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF THE MAIN SERVICES OF AN OPERATING SYSTEM, WITH SPECIFIC REFERENCE TO THE UNIX FAMILY. PREVIOUS KNOWLEDGE OF COMPUTER NETWORK ARCHITECTURES AND PROTOCOLS IS ALSO RECOMMENDED, AS IS PREVIOUS KNOWLEDGE OF PRIVATE-KEY AND PUBLIC-KEY CRYPTOGRAPHIC TECHNOLOGIES.
Contents

HOURS PER TOPIC ARE GIVEN AS (LESSONS / EXERCISES / LAB).

- INTRODUCTION TO SECURE PROGRAMMING. WEAKNESS, VULNERABILITY, EXPLOIT. VULNERABILITY REPOSITORIES. SCORING SYSTEMS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- BUFFER OVERRUN. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- INTEGER OVERFLOW. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- COMMAND INJECTION. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- INFORMATION LEAKAGE. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- FUZZ TESTING WITH AFL. (LESSONS: 0 / EXERCISES: 0 / LAB: 2)
- RACE CONDITIONS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SQL INJECTION. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- MEMORY MANAGEMENT ERRORS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- DESERIALIZATION OF UNTRUSTED DATA. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- FAILURE TO HANDLE ERRORS CORRECTLY. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- FORMAT STRING PROBLEMS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- WEB APPLICATION FUNDAMENTALS. (LESSONS: 4 / EXERCISES: 0 / LAB: 0)
- STATIC FILES PROBLEMS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SERVER-SIDE XSS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- CLIENT-SIDE XSS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- CSRF. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- MAGIC URLS, PREDICTABLE COOKIES AND HIDDEN FORM FIELDS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SECURITY TESTING WITH ZAP. (LESSONS: 0 / EXERCISES: 2 / LAB: 2)
- CLICKJACKING AND CONTENT SNIFFING. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SECURITY TESTING WITH SONARQUBE. (LESSONS: 0 / EXERCISES: 0 / LAB: 2)
- POOR USABILITY PROBLEMS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- UNCONTROLLED RESOURCE CONSUMPTION. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SECURITY TESTING WITH FLAWFINDER. (LESSONS: 0 / EXERCISES: 0 / LAB: 2)
- PROBLEMS WITH SOFTWARE UPDATES. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SECURITY TESTING WITH BANDIT. (LESSONS: 0 / EXERCISES: 0 / LAB: 2)
- THREAT MODELING AND THE STRIDE METHODOLOGY. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- THREAT MODELING WITH OWASP THREAT DRAGON. (LESSONS: 0 / EXERCISES: 4 / LAB: 2)
- WEAK RANDOM NUMBERS. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- USING THE WRONG CRYPTOGRAPHY. (LESSONS: 2 / EXERCISES: 0 / LAB: 0)
- SECURITY TESTING WITH SPOTBUGS AND FINDSECBUGS. (LESSONS: 0 / EXERCISES: 0 / LAB: 2)

TOTAL: LESSONS: 52 / EXERCISES: 6 / LAB: 14
Teaching Methods

THE COURSE CONSISTS OF THEORETICAL LECTURES, IN-CLASS EXERCISE SESSIONS AND PRACTICAL LABORATORY SESSIONS.
Verification of learning

THE EXAM IS AN ORAL INTERVIEW. THE INTERVIEW ASSESSES THE CANDIDATE'S KNOWLEDGE AND UNDERSTANDING OF THE TOPICS COVERED IN THE COURSE, TOGETHER WITH THE CANDIDATE'S ABILITY TO PRESENT THEM.
Texts

MICHAEL HOWARD, DAVID LEBLANC, JOHN VIEGA. "24 DEADLY SINS OF SOFTWARE SECURITY: PROGRAMMING FLAWS AND HOW TO FIX THEM". MCGRAW HILL.
More Information

THE COURSE IS HELD IN ENGLISH.

BETA VERSION. Data source: ESSE3 [Last synchronization: 2024-12-13]