With the inevitable move towards an interconnected electronic society, the security of electronic interactions and data, and the software that handles them, is emerging as an important enabling criterion. The ability to write secure and trustworthy code - and not just code that complies with the system specifications - has become a very important skill that modern software developers must have.

We currently teach our students systems analysis and design skills, programming principles, database design, communications and network concepts. Unfortunately, this set of skills is no longer sufficient in an Internet-centric world. The ability to develop secure code, designed to withstand malicious attacks, has become an essential skill, which needs to be taught along with all the other software development skills. Our "Bachelor of Computing" degree does not currently have a strong focus on software security issues. The security-related units that we currently offer focus on general security concepts or on network security issues. There are no specific units dealing with the principles and practices of developing secure and trusted code (even though some lecturers do cover aspects of security pertinent to their unit).

In order to address this gap in our degrees we need to introduce a new unit that will highlight the most common software vulnerabilities, threats and countermeasures, as well as the best practices for developing secure and trusted software. This would be a 3-rd year unit, as it has to be based on prior programming experience, database design skills and understanding of networks.

CSE3207 would be offered in the Bachelor of Computing degree. One of the main objectives of the Bachelor of Computing is to produce software developers, who satisfy the computing needs of industry, government and commerce. The emergent electronic society and the widespread use of inter-networked resources demand that electronic transactions and communications are kept secure. That, in turn, requires that software developers know how to design secure and trusted application code that can withstand malicious or inadvertent attacks, and what best development practices to apply. The role of this unit is to bridge the current gap in the skills of our graduates on how to build secure and trusted software systems and applications. This unit will provide students with the necessary appreciation of security issues and teach them skills in writing secure code.

CSE3207 relates to

• CSE2500 where systems security and privacy are introduced
• CSE2318 and CSE3002 where networks and distributed computing systems are covered
• CSE2132 which deals with the design and use of databases } }

CSE3207 is an extension of the programming principles and concepts that are taught in CSE1202 and CSE1203, then reinforced in CSE2201 and CSE2203 with specific emphasis on developing secure and trusted software.

While producing software developers who can build secure software and systems is not an explicit objective of FIT or SCSSE, it should implicitly be a part of what it means to be a software developer.

Students will understand some of the main security concepts and issues involved in the development of software, including:

• Software security versus other aspects of computer security
• Goals of secure and trusted software
• Vulnerabilities versus threats
• Best software development principles and practices
• Buffer overflows
• Security of programming platforms
• Authentication and authorization
• What privileges software has
• Encryption techniques
• User input as a vulnerability
• Secure session data storage in web applications
• Secure database access
• Mobile and wireless applications' security
• Reliable software components
• Data privacy
• Legal issues such as software copyright and licences
• Security logging

Students will acquire an understanding and appreciation of the importance of developing secure software in today's electronic world. They will also learn that security features are not equal to secure features.

In developing secure and trusted software, students will be able to:

• Design applications with security in mind
• Validate user input
• Implement secure authentication mechanisms
• Authorise user's access to various protected resources
• Encrypt files and hash passwords
• Store session data securely in web applications
• Perform secure database access
• Set up secure transfer of data
• Create security logs
• Test software for security vulnerabilities

With the inevitable move towards an interconnected electronic society, the security of electronic interactions and data, and the software that handles them, is emerging as an important enabling criterion. The ability to develop secure and trusted code, designed to withstand malicious and inadvertent attacks, has become an essential skill for a software developer/engineer. This unit promotes understanding and appreciation of the importance of developing secure and trusted software in today's electronic world by demonstrating possible attacks and their consequences. Here students are introduced to some of the most common security issues involved in the development of software, including secure coding practices, secure database access, secure data communications, security of web applications, use of encryption techniques and security testing. Students are provided with a range of practical exercises to reinforce their skills, including authenticating and authorizing users programmatically, user input validation, developing secure web applications, developing secure mobile/wireless applications, developing secure database applications, encrypting and hashing data programmatically, generating digital signatures programmatically, security testing, designing logging and auditing mechanisms.

• Douglas P. Trocino (2004), "Developing Secure Applications: Best Practices for Writing Secure Code", CRC Press.
• Howard, M. & LeBlank, D. (2002), "Writing secure code", 2nd edn, Microsoft Press, Redmond.
• ACM and IEEE Digital Libraries
• Online documents and papers

On-campus

• Lectures, textbooks, online resources
• Tutorials, discussions, questions, quizzes
• Practicals, case studies, exercises

• Lectures: Cognitive and affective objectives,
• Tutorials: reinforcement of Cognitive objectives,
• Pracs: reinforcement of practical skills outlined under Psychomotor objectives

• Exam: 3 hours (60%)
• Assignment 1: Research essay and presentation (10%)
• Assignment 2: Scenario-based project - improving security of a given application (30%)

• Assignment 1: Cognitive and affective objectives
• Assignment 2: Cognitive and psychomotor objectives
• Exam: Cognitive and psychomotor objectives

Weekly workload is 12 hours:

• Lectures: 2 hours
• Tutes: 1 hour
• Pracs: 2 hour
• Assignments: 3 hours
• Private study time: 4 hours

2-hour lecture in a hi-tech lecture room

1-hour tute (followed by the prac) in a computer lab

2-hour prac (where 2nd hour is unsupervised) in a computer lab with computers powerful enough to run MS .NET Framework, SQL Server and IIS (see software requirements).

1 EAS

• Software Title:
• Vendor:
• Version:
• OS: MS Windows XP ( ) and/or LINUX ( )
• License Details: (A valid software license certificate/s or Vendor permission must be available upon request if the software is to be installed for teaching)
• Are we currently licensed: Yes ( ) or No ( ) (If unsure, please check with your local IT support )
• If (Yes), who is the contact person for this software?:
• If (No), will the software license be arranged by: Staff member requesting the software ( ) or Technical Services* ( ) ? *If the latter is selected, please discuss your requirement/s with myself ASAP, prior to finalising your request, as there could be financial or resourcing implications.
• Is the software to be installed and accessed from a: Client/Workstation ( ), or Server ( ) ?
• Type of license: Site License ( ), Freeware ( ), FOSS (Free and Open Source Software) ( ), Shareware ( ), Lab based ( ) # of Licenses needed ____
• In what week will you commence using the software in class? Semester 1 (Week ___ ) and/or Semester 2 (Week ___ ):
• Nominated Staff For Acceptance Testing Software: (Name) (Phone) (Email)
• Additional Information: Special Requirements, Software Configuration/Installation Requirements, etc:

Note that many underlying concepts and principles of developing secure code are common to all platforms and programming languages. However, in order to demonstrate security concepts and examples it must use some computer platform. Therefore, Microsoft .NET Framework and C# language is selected, both by choice and to capitalise on existing Java and .NET CSE units.

Required software:

• Microsoft .NET Framework (including ASP.NET)
• SQL Server
• Web Server (IIS)

• Douglas P. Trocino (2004), Developing Secure Applications: Best Practices for Writing Secure Code, CRC Press.
• Howard, M. & LeBlank, D. (2002), Writing secure code, 2nd edn, Microsoft Press, Redmond.

100% SCSSE

none

none

• CSE1203 Programming 2 with Java or CSE2305 Object-oriented software engineering
• CSE2132 Database systems, CSE2316/CSE3316 Database management systems (or equivalent study)
• CSE2318 Data Communications (or equivalent study)

• CSE2030 Web interface technology (or equivalent) }