


B.Tech. IV (CO) Semester - 8 (ELECTIVE - I)

CO412 : SECURE SOFTWARE ENGINEERING (ELECTIVE - I)

L: 3, T: 0, P: 0, C: 3

COURSE CONTENT
  • Introduction to the course
  • (04 Hours)

    Software Security. Security in SDLC. Review of Software Engineering Concepts. SDLC. Software Qualities. Interdependence of Software Qualities. Security as a Software Quality. Review of Information Security concepts. Software Security vs. Information Security vs. Application Security, Terminologies. The trinity of trouble viz. Connectivity, Extensibility and Complexity. Studies of various catastrophes due to Insecure software. Model Based Security Engineering, Three Pillars of Software Security. Security in Software Lifecycle.

  • Attacks and Types of Attackers
  • (06 Hours)

    Attacks-Types, Methods. Attacks in each phase of software life cycle. Motivation for attackers, Methods for attacks: Malicious code, Hidden software mechanisms, Social Engineering attacks, Physical attacks. Non-malicious dangers to software. Security Vulnerabilities and Attack Taxonomy in Internet of Things and Cyber Physical Systems. Attack Trees. Attack Trees for BGP, PGP. PGP Probable Vulnerabilities.

  • Security Vulnerabilities-I
  • (06 Hours)

    Introduction to Stack Analysis. Hands-on Stack Analysis using the gcc compiler and sdb debugger tool. Methods of attack. Taxonomy of security vulnerabilities. Introduction to Code reviews and Static Informal reviews, Formal inspections. Code Coverage and Code Coverage Criteria viz. Statement coverage, Branch coverage, Condition coverage, Path coverage. Illustrations.

  • Security Vulnerabilities-II
  • (04 Hours)

    Format String Vulnerabilities. Race Conditions vulnerability. Examples of TOCTOU race conditions in Linux environment. Code injection and its types, SQL injection, Interpreter injection; Weak session cookies. Buffer overflows, Hidden form fields, Fail open authentication. Cross-site scripting.

  • Introduction to Petri nets as a modelling tool to model concurrent systems. Modelling deadlocks and starvation.
  • (04 Hours)

  • Integrating Security into SDLC. Risk management and Threat Modeling Methodologies. Software Risk Assessment and Threat Modelling Methodologies. Secure development cycle activities and practices.
  • (02 Hours)

  • Review of UML, Use case modelling - Use cases, Sequence Diagram, Collaboration Diagram. Illustrations of Kerberos and SET through Sequence Diagram.
  • (04 Hours)

  • The Attack Patterns, Illustrations, Review of Design Patterns in SE and Multi-tier architecture. Attack Profiles. Attack Profiles from Attack Patterns. Usage of Attack Profiles. Using Attack Patterns in Attack Profiles. Generating Attack Patterns. Case Studies. Abuse Cases. Misuse Cases. Using Attack Patterns to generate an Abuse Case Model and Anti-requirements. Finite State Machines for Security Requirements. Case Studies. Security Patterns.
  • (04 Hours)

  • Architectural Risk Analysis Using UMLSec and SecureUML. Using Z for Secure Specifications. Introduction to Penetration Testing.
  • (04 Hours)

  • Secure Programming. Common software security bugs and coding errors.
  • (04 Hours)

    (Total Contact Time: 42 Hours)

    BOOKS RECOMMENDED

    1. Research/Survey Papers prescribed in Class.
    2. Gary McGraw. Software Security: Building Security In. Addison Wesley Software Security Series. 2006 edition.
    3. Theodor Richardson, Charles Thies. Secure Software Design. Jones and Bartlett Learning, 2013.
    4. Ghezzi, Jazayeri, Mandrioli: Fundamentals of Software Engg, 2003 ed, Pearson EDU