
FIT5003 Software security - Semester 2, 2015

This unit introduces secure software development, including the secure software development life cycle, secure software design principles, secure coding practices, threat evaluation models, secure software testing, deployment and maintenance, and the integration of software development with security policy. Students are provided with a range of practical exercises and tasks to reinforce their skills, including: identification of security bugs in programs written in different programming languages; design, implementation and testing of secure concurrent and networked applications; and identification of vulnerabilities in networked and mobile/wireless applications. In addition, students will learn input validation techniques to minimise security risks, man-in-the-middle attack techniques so as to be able to build more secure networked applications, and practical secure software testing techniques so as to be able to test applications for security bugs.

Mode of Delivery

Caulfield (Day)

Workload Requirements

Minimum total expected workload equals 12 hours per week comprising:

(a.) Contact hours for on-campus students:

  • Two hours of lectures
  • One 2-hour tutorial

(b.) Additional requirements (all students):

  • A minimum of 8 hours independent study per week for completing lab and project work, private study and revision.

See also Unit timetable information

Unit Relationships

Co-requisites

FIT5163

Prerequisites

(FIT9131 or FIT5131 or FIT9017) or equivalent
Prerequisite knowledge: Programming experience, preferably in C or C++

Chief Examiner

Campus Lecturer

Caulfield

Dr Ron Steinfeld

Tutors

Caulfield

Guy Kijthaweesinpoon

Your feedback to Us

Monash is committed to excellence in education and regularly seeks feedback from students, employers and staff. One of the key formal ways students have to provide feedback is through the Student Evaluation of Teaching and Units (SETU) survey. The University’s student evaluation policy requires that every unit is evaluated each year. Students are strongly encouraged to complete the surveys. The feedback is anonymous and provides the Faculty with evidence of the aspects with which students are satisfied and the areas for improvement.

For more information on Monash’s educational strategy, see:

www.monash.edu.au/about/monash-directions/ and on student evaluations, see: www.policy.monash.edu/policy-bank/academic/education/quality/student-evaluation-policy.html

Previous Student Evaluations of this Unit

More practical demonstrations and explanations of software hacking have been added in response to student iSETU feedback requests.

Student feedback has highlighted the usefulness of learning resources in this unit.

If you wish to view how previous students rated this unit, please go to
https://emuapps.monash.edu.au/unitevaluations/index.jsp

Academic Overview

Learning Outcomes

On successful completion of this unit, students should be able to:
  1. investigate methods that are appropriate for the realisation of software security;
  2. investigate and model the possible vulnerabilities and threats for a given application system;
  3. design, implement and produce test procedures and perform evaluation of software security features of concurrent and networked applications.

Unit Schedule

Week: Activities (Assessment)
Week 0: No formal assessment or activities are undertaken in week 0.
Week 1: Introduction to Software Security
Week 2: Secure Software Development Principles and Approaches
Week 3: Threat Modeling and Mitigation Techniques
Week 4: Secure (and Insecure) Coding Techniques I
Week 5: Secure (and Insecure) Coding Techniques II (Part I of Assessment task 1 due)
Week 6: Security Testing
Week 7: More on Security Testing (Part II of Assessment task 1 due)
Week 8: Web Application Security I
Week 9: Web Application Security II (Assessment task 2 due)
Week 10: Web Application Security III and Language-Based Security I
Week 11: Language-Based Security II
Week 12: Software Security in a Nutshell (Assessment task 3 due)
SWOT VAC: No formal assessment is undertaken in SWOT VAC.
Examination period: see the Assessment Policy at http://policy.monash.edu.au/policy-bank/academic/education/assessment/assessment-in-coursework-policy.html

*Unit Schedule details will be maintained and communicated to you via your learning system.

Teaching Approach

Lectures and tutorials or problem classes
This teaching and learning approach helps students to first encounter information in lectures, then discuss and explore it during tutorials, and then practise it hands-on, both in a lab environment and on their own machines (if available).

Assessment Summary

Examination (2 hours): 50%; In-semester assessment: 50%

Assessment Task: Value, Due Date
Use of a Software Security Tool for Code Review: 20%, Week 5 and 7 (two-part submission)
SQL Injection Vulnerability: 20%, Week 9
Penetration Testing of Software: 10%, Week 12
Examination 1: 50%, to be advised

Assessment Requirements

Assessment Policy

Assessment Tasks

Participation

  • Assessment task 1
    Title:
    Use of a Software Security Tool for Code Review
    Description:
    Develop a concurrent program using threads for an application in C or C++ and identify its vulnerabilities using a source code review tool.

    This assessment relates to Learning Outcomes 1, 2 and 3.

    More details will be provided on the assignment specification.
    Weighting:
    20%
    Criteria for assessment:
    • Code development (40%)
    • Installation of code review tool and the analysis of supplied source code for vulnerabilities (40%)
    • Defend or refute the identified vulnerabilities (20%)
    Due date:
    Week 5 and 7 (two-part submission)
  • Assessment task 2
    Title:
    SQL Injection Vulnerability
    Description:
    This assignment will develop code to demonstrate the SQL injection vulnerability. You will extend the program that is being discussed in the lab session so as to exploit the SQL injection while accessing a database, and then implement sound countermeasures.

    This assessment relates to Learning Outcomes 1, 2 and 3.
    Weighting:
    20%
    Criteria for assessment:
    • Code development (30%)
    • Successful exploitation and penetration of the code (40%)
    • Countermeasures to fix the vulnerabilities (30%)
    Due date:
    Week 9
  • Assessment task 3
    Title:
    Penetration Testing of Software
    Description:
    Students will be given access to a software component and challenged to breach its security using techniques covered in the unit.

    This assessment relates to Learning Outcomes 1, 2 and 3.
    Weighting:
    10%
    Criteria for assessment:

    Report contents will be marked on the following attributes:

    • Identification of vulnerabilities in the supplied software (40%);
    • Implementation of exploits for and countermeasures to vulnerabilities (40%); and
    • Quality of the submitted report (20%).
    Due date:
    Week 12

Examinations

  • Examination 1
    Weighting:
    50%
    Length:
    2 hours
    Type (open/closed book):
    Closed book
    Electronic devices allowed in the exam:
    None

Learning resources

Reading list

Textbooks that we will refer to include:

1. G McGraw, Software Security, Addison-Wesley Software Security Series, 2006 (referred to as "McGraw" in reading lists on Moodle). Copy available at the Monash library.

2. M Howard and D LeBlanc, Writing Secure Code, Microsoft Press, 2nd Edition, 2003 (referred to as "HowLe" in reading lists on Moodle). Available online via Monash library.

3. J Erickson, Hacking: The Art of Exploitation, No Starch Press, 2008 (referred to as "Erick" in reading lists on Moodle). Available online via Monash library.

4. D Stuttard and M Pinto, The Web Application Hacker’s Handbook, Wiley, 2nd Edition, 2011 (referred to as "StuPint" in reading lists on Moodle). Available at Monash library.

Monash Library Unit Reading List (if applicable to the unit)
http://readinglists.lib.monash.edu/index.html

Feedback to you

Types of feedback you can expect to receive in this unit are:

  • Informal feedback on progress in labs/tutes
  • Graded assignments without comments
  • Interviews

Extensions and penalties

Returning assignments

Assignment submission

It is a University requirement (http://www.policy.monash.edu/policy-bank/academic/education/conduct/student-academic-integrity-managing-plagiarism-collusion-procedures.html) for students to submit an assignment coversheet for each assessment item. Faculty Assignment coversheets can be found at http://www.infotech.monash.edu.au/resources/student/forms/. Please check with your Lecturer on the submission method for your assignment coversheet (e.g. attach a file to the online assignment submission, hand-in a hard copy, or use an electronic submission). Please note that it is your responsibility to retain copies of your assessments.

Online submission

If Electronic Submission has been approved for your unit, please submit your work via the learning system for this unit, which you can access via links in the my.monash portal.

Other Information

Policies

Monash has educational policies, procedures and guidelines, which are designed to ensure that staff and students are aware of the University’s academic standards, and to provide advice on how they might uphold them. You can find Monash’s Education Policies at: www.policy.monash.edu.au/policy-bank/academic/education/index.html

Faculty resources and policies

Important student resources including Faculty policies are located at http://intranet.monash.edu.au/infotech/resources/students/

Graduate Attributes Policy

Student Charter

Student services

Monash University Library

Disability Liaison Unit

Students who have a disability or medical condition are welcome to contact the Disability Liaison Unit to discuss academic support services. Disability Liaison Officers (DLOs) visit all Victorian campuses on a regular basis.
