Software attacks are the most prevalent and most expensive form of electronic attack today. In 2004 in Australia, 45% of financial losses from electronic attacks were due to viruses and related malicious software. Losses due to malicious software in the USA exceeded 55 million in that same year. The primary cause of commonly exploited software vulnerabilities is software defects that could have been avoided. Through our analysis of thousands of vulnerability reports, the CERT/CC has observed that most of them stemmed from a relatively small number of root causes. If we can identify the root causes of vulnerabilities and develop secure coding practices for illustration, software producers may be able to take practical steps to prevent introduction of vulnerabilities into deployed software systems. This unit will follow a systematic approach to identifying program errors most likely to cause security breaches. Good practices to avoiding certain categories of vulnerabilities will also be explored.

This is a unit that is a part of the Security specialization for the Master of Information Technology (MIT )

No direct relationship

This unit forms a core part of the Security specialisation offered as part of the MIT degree. As such the Faculty is moving into a more contemporary and leadership role with common and new Internet Technology subject matters. Therefore, this unit is a key part in the faculty?s new vision. Furthermore, this unit is critical to the Faculty?s research-teaching nexus; the Faculty has significant research activity in secure/ trusted software development.

At the completion of this unit students will have

• O1. A detailed knowledge of the importance of secure software systems
• O2. Understanding of various ways software can be compromised
• O3. Understanding of the techniques and tools used to discover compromised systems
• O4. Practical experience with building secure applications

After completing this unit, students should have developed attitudes of:

• A1. Security is of foremost importance to software design and should not be considered after the fact.
• A2. Confidence in being able to identify software security development pitfalls
• A3. Being able to take a systematic approach to secure software development

After completing this unit, students should have the skills to:

• P1: Develop secure software
• P2: Identify common software security hazards
• P3: Be able to integrate a secure software system as part of a larger networked environment

As software security should not be considered in isolation, assignments will be based upon group work.

Rootkits, Least privileges users, buffer overflows/overruns, Costs of fixing security vulnerabilities, securing applications, security and the web, Web Browser vulnerabilities, proactive security development processes, software threat modelling, security principles, access control, secure data, secure user input, Denial of Service, security testing, code reviews, secure software installation, malware, spyware

Writing Secure Code, Second Edition, Michael Howard and David LeBlanc ISBN 0-7356-1722-8

The unit will be offered in an on-campus enrolment mode at Caulfield campus.

Lectures: The lectures will provide the theoretical and technical basis for this unit. The process of secure software development will address first two objectives. Examination of different security compromises and the tools used to identify these compromises will address the third and fourth objectives.

Tutorials: Tutorials in computer laboratories will give students the opportunity to gain hands-on experience with secure software development. Each student will have access to a PC with administrator rights so that software compromises can be examined.

• Lectures: O1, O2, O3, A1, P2
• Tutorials: O4, A1, A2, A3

Examination: An examination (3 hours) worth 60% of the final mark. The examination will test student's understanding of the principles and techniques underlying the topic areas covered by the unit. It will examine knowledge of secure software development and compromised systems. Assignments Three assignments (worth 40%) will be used to gain practical experience in employing some of security techniques discussed in the lectures. They will involve writing secure software to administer both the local and networked hosts and to be able to defend against DOS (Denial of Service) attacks. The second assignment will be the deployment of a rootkit detector and reporter.

• Assignments: A3, P1, P3

Students are expected to spend an average of 12 hours per week on this unit. The breakdown of time is

• 2 hours per week: Lecture attendance
• 2 hours per week: Scheduled tutorials
• 8 hours per week: Private study to review lecture materials and to complete practical work and assignments

• Windows XP based machine with Administrator access.

• Vendor: Microsoft
• Name : Visual Studio 2005
• Version: 2005
• OS: MS Windows XP
• License Details : MSDNAA

none

Sound knowledge in an object oriented programming language (e.g. Java or C#)