SECURE SOFTWARE DESIGN

Course Information

Lecturer: Mario Alviano

Office hours: consult my homepage

Microsoft Teams: for code and link search on this page

Notice Board

22/09/2021 11:00: New year, new site! I reset the team by removing all previous members. This year students are kindly asked to join the team.

26/10/2021 12:00: Thursday lectures will be in room MT10, second floor of Cube 30B.

Lectures

Thursday in room MT10, Friday in room Stor 7_DSU

• 30/09/2021 14:30-16:30 - Introduction + Why design matters for security (part 1)

• 01/10/2021 10:30-13:30 - Why design matters for security (part 2)

• 07/10/2021 14:30-16:30 - Deep modeling

• 08/10/2021 10:30-13:30 - Core concepts of Domain-Driven Design

• 14/10/2021 14:30-16:30 - Code constructs promoting security

• 15/10/2021 10:30-13:30 - Domain primitives - Part 1

• 21/10/2021 14:30-16:30 - Domain primitives - Part 2

• 22/10/2021 10:30-13:30 - Ensuring integrity of state

• 28/10/2021 14:30-16:30 - Reducing complexity of state

• 29/10/2021 10:30-13:30 - Handling failures securely

• 04/11/2021 14:30-16:30 - Introduction to Test-Driven Development

• 05/11/2021 10:30-13:30 - Advanced tests for Python

• 11/11/2021 14:30-16:30 - Django REST Framework - Part 1

• 12/11/2021 10:30-13:30 - Django REST Framework - Part 2

• 18/11/2021 14:30-16:30 - OWASP Top 10 - Part 1

• 19/11/2021 10:30-13:30 - OWASP Top 10 - Part 2

• 25/11/2021 14:30-16:30 - OWASP ZAP

• 26/11/2021 10:30-13:30 - Student Project

• 02/12/2021 14:30-16:30 - Student Project

• 03/12/2021 10:30-13:30 - Student Project

• 09/12/2021 14:30-16:30 - Student Project

• 10/12/2021 11:30-13:30 - Exam Simulation

• 16/12/2021 14:30-16:30 - Student Project Showcase

Course Material

Slides

• Introduction: presentation

• Why design matters for security: presentation

• Deep modeling: presentation

• Core concepts of Domain-Driven Design: presentation

• Code constructs promoting security: presentation

• Domain primitives: presentation

• Ensuring integrity of state: presentation

• Reducing complexity of state: presentation

• Handling failures securely: presentation

• OWASP Top 10: presentation

• OWASP ZAP: presentation

• Introduction to Test-Driven Design: presentation

• Django REST Framework - Part 1: presentation

• Django REST Framework - Part 2: presentation

• Advanced tests for Python: presentation

Exercises to Solve at Home

• Have a look at the end of the slides; some solutions written in the class can be found here

• Web Goat

  • WebGoat and WebWolf

  • Write-ups of suggested exercises

• SQL Injection on OWASP Mutillidae II up to Client-side Security

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

• HTML Injection & XSS on OWASP Mutillidae II up to Client-side Security

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog

  • OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

Books

• Secure by Design - Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano - Manning
  web page of the book

Web Pages

• SEI CERT Oracle Coding Standard for Java

• SEI CERT C++ Coding Standard

• OWASP

• WebGoat Project

• ZAP

• XSS exercises

Exams

• 19/01/2022 09:00

• 09/02/2022 09:00

• 22/06/2022 09:00

• 16/07/2022 09:00

• 17/09/2022 09:00

Previous Editions

• Academic year 2020/2021

• Academic year 2019/2020

• Academic year 2018/2019

• Academic year 2017/2018

• Academic year 2016/2017