SECURE PROGRAMMING

Pasquale FOGGIA SECURE PROGRAMMING

0622700096
DEPARTMENT OF INFORMATION AND ELECTRICAL ENGINEERING AND APPLIED MATHEMATICS
EQF7
COMPUTER ENGINEERING
2024/2025

YEAR OF COURSE 2
YEAR OF DIDACTIC SYSTEM 2022
AUTUMN SEMESTER
CFUHOURSACTIVITY
648LESSONS
216LAB
18EXERCISES
ExamDate
SECURE PROGRAMMING21/01/2025 - 09:00
SECURE PROGRAMMING21/01/2025 - 09:00
SECURE PROGRAMMING14/02/2025 - 09:00
SECURE PROGRAMMING14/02/2025 - 09:00
Objectives
THE COURSE PRESENTS THE PRINCIPAL SOURCES OF VULNERABILITY IN PROGRAMMING AND THE METHODOLOGIES AND TOOLS NECESSARY TO MITIGATE AND TO REMOVE SUCH VULNERABILITIES.

KNOWLEDGE AND UNDERSTANDING
PRINCIPLES AND PRACTICES OF SECURE PROGRAMMING. PRINCIPAL SOURCES OF VULNERABILITIES IN PROGRAMMING AND DEVELOPMENT METHODOLOGIES TO MITIGATE AND REMOVE SUCH VULNERABILITIES. NEW AND EMERGING LANGUAGE-BASED SECURITY MECHANISMS, INCLUDING THOSE FOR SPECIFYING AND APPLYING SECURITY POLICIES STATICALLY AND DYNAMICALLY.

APPLIED KNOWLEDGE AND UNDERSTANDING
DESIGNING AND REALIZING AN APPLICATION ADOPTING THE PRINCIPAL TECHNIQUES OF SECURE PROGRAMMING. USING APPROPRIATELY AND EFFECTIVELY SECURITY FUNCTIONS, SUCH AS AUTHENTICATION AND CRYPTOGRAPHY, PROVIDED BY THE LIBRARIES IN COMMON PROGRAMMING LANGUAGES. IDENTIFYING COMMON SECURITY-RELATED PROGRAMMING ERRORS DURING CODE REVIEWS. DEFINING SECURITY TESTS AND USING APPROPRIATE TOOLS FOR THEIR IMPLEMENTATION. APPLYING NEW MODELS AND TOOLS FOR SECURITY-ENHANCED PROGRAMMING, TO HELP MEETING THE SECURITY REQUIREMENTS.
Prerequisites
IT IS HIGHLY RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE OF COMPUTER PROGRAMMING IN THE LANGUAGES C AND JAVA, AND KNOWLEDGE OF RELATIONAL DBMS AND OF THE SQL LANGUAGE.
IT IS RECOMMENDED THAT THE STUDENT HAS PREVIOUS KNOWLEDGE ABOUT THE MAIN SERVICES OF AN OPERATING SYSTEM, WITH SPECIFIC REFERENCE TO THE UNIX FAMILY.
IT IS ALSO RECOMMENDED A PREVIOUS KNOWLEGE ABOUT COMPUTER NETWORK ARCHITECTURES AND PROTOCOLS.
IT IS ALSO RECOMMENDED PREVIOUS KNOWLEDGE ABOUT PRIVATE AND PUBLIC KEY CRYPTOGRAPHIC TECHNOLOGIES.
Contents
INTRODUCTION TO SECURE PROGRAMMING. WEAKNESS, VULNERABILITY, EXPLOIT. VULNERABILITY REPOSITORIES. SCORING SYSTEMS. (LEZ:2/ESE:0/LAB:0)

BUFFER OVERRUN. (LEZ:2/ESE:0/LAB:0)

INTEGER OVERFLOW. (LEZ:2/ESE:0/LAB:0)

COMMAND INJECTION. (LEZ:2/ESE:0/LAB:0)

INFORMATION LEAKAGE. (LEZ:2/ESE:0/LAB:0)

FUZZY TESTING WITH AFL. (LEZ:0/ESE:0/LAB:2)

RACE CONDITIONS. (LEZ:2/ESE:0/LAB:0)

SQL INJECTION. (LEZ:2/ESE:0/LAB:0)

MEMORY MANAGEMENT ERRORS. (LEZ:2/ESE:0/LAB:0)

DESERIALIZATION OF UNTRUSTED DATA. (LEZ:2/ESE:0/LAB:0)

FAILURE TO HANDLE ERRORS CORRECTLY. (LEZ:2/ESE:0/LAB:0)

FORMAT STRING PROBLEMS. (LEZ:2/ESE:0/LAB:0)

WEB APPLICATION FUNDAMENTALS. (LEZ:4/ESE:0/LAB:0)

STATIC FILES PROBLEMS. (LEZ:2/ESE:0/LAB:0)

SERVER-SIDE XSS. (LEZ:2/ESE:0/LAB:0)

CLIENT-SIDE XSS. (LEZ:2/ESE:0/LAB:0)

CSRF. (LEZ:2/ESE:0/LAB:0)

MAGIC URLS PREDICTABLE COOKIES AND HIDDEN FORM FIELDS. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH ZAP. (LEZ:0/ESE:2/LAB:2)

CLICKJACKING AND CONTENT SNIFFING. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH SONARQUBE. (LEZ:0/ESE:0/LAB:2)

POOR USABILITY PROBLEMS. (LEZ:2/ESE:0/LAB:0)

UNCONTROLLED RESOURCE CONSUMPTION. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH FLAWFINDER. (LEZ:0/ESE:0/LAB:2)

PROBLEMS WITH SOFTWARE UPDATES. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH BANDIT. (LEZ:0/ESE:0/LAB:2)

THREAT MODELING AND THE STRIDE METHODOLOGY. (LEZ:2/ESE:0/LAB:0)

THREAT MODELING WITH OWASP THREAT DRAGON. (LEZ:0/ESE:4/LAB:2)

WEAK RANDOM NUMBERS. (LEZ:2/ESE:0/LAB:0)

USING THE WRONG CRYPTOGRAPHY. (LEZ:2/ESE:0/LAB:0)

SECURITY TESTING WITH SPOTBUGS AND FINDSECBUGS. (LEZ:0/ESE:0/LAB:2)

TOTALE: LEZ:52/ESE:6/LAB:14
Teaching Methods
THE COURSE CONTAINS THEORETICAL LECTURES, IN-CLASS EXERCITATIONS AND PRACTICAL LABORATORY EXERCITATIONS.
Verification of learning
THE EXAM IS PERFORMED AS AN ORAL INTERVIEW.
THE INTERVIEW EVALUATES THE KNOWLEDGE AND UNDERSTANDING OF THE TOPICS TREATED IN THE COURSE, TOGETHER WITH THE EXPOSITION ABILITY OF THE CANDIDATE.
Texts
MICHAEL HOWARD, DAVID LEBLANC, JOHN VIEGA.
"24 DEADLY SINS OF SOFTWARE SECURITY: PROGRAMMING FLAWS AND HOW TO FIX THEM"
MCGRAW HILL
More Information
THE COURSE IS HELD IN ENGLISH.
Lessons Timetable

  BETA VERSION Data source ESSE3 [Ultima Sincronizzazione: 2024-12-13]