Module Descriptors

This page displays the selected Module Descriptor.

Session: 2022/23

Last modified: 21/07/2022 16:25:53

Title of Module: Secure Programming

Code: COMP10068
SCQF Level: 10 (Scottish Credit and Qualifications Framework)
Credit Points: 20
ECTS: 10 (European Credit Transfer Scheme)
School: School of Computing, Engineering and Physical Sciences
Module Co-ordinator: Paul Keir

Summary of Module

Security in software begins with an initial design and engineering effort that is conscious of classic and contemporary security vulnerabilities, as well as the corresponding remedial actions and protocols. In this hands-on module we will first explore the nature of secure programming before introducing a taxonomy of established coding errors, as well as information sources such as the MITRE reference system for Common Vulnerabilities and Exposures (CVE). Conventional programming languages including assembly language, C, C++ and Java, along with related compiler tools, form a foundation for the module, while the benefits of contemporary languages such as Mozilla's Rust and Apple's Swift are also thoroughly analysed. The relevance of strong, static typing; functional programming; advanced type systems; and theorem provers for secure software development will also be introduced.

This module will work to develop a number of the key 'I am UWS' Graduate Attributes to make those who complete this module: Universal (Analytical, Critical Thinker & Socially Responsible), Work Ready (Digitally Literate, Problem-Solver & Ambitious), and Successful (Incisive, Creative & Autonomous).


Module Delivery Method
Face-To-Face, Blended, Fully Online, HybridC, HybridO, Work-based Learning
check mark

Face-To-Face
Term used to describe the traditional classroom environment where the students and the lecturer meet synchronously in the same room for the whole provision.

Blended
A mode of delivery of a module or a programme that involves online and face-to-face delivery of learning, teaching and assessment activities, student support and feedback. A programme may be considered “blended” if it includes a combination of face-to-face, online and blended modules. If an online programme has any compulsory face-to-face and campus elements it must be described as blended with clearly articulated delivery information to manage student expectations.

Fully Online
Instruction that is solely delivered by web-based or internet-based technologies. This term is used to describe the previously used terms distance learning and e-learning.

HybridC
Online with mandatory face-to-face learning on Campus

HybridO
Online with optional face-to-face learning on Campus

Work-based Learning
Learning activities where the main location for the learning experience is in the workplace.


Campus(es) for Module Delivery
The module will normally be offered on the following campuses / or by Distance/Online Learning: (Provided viable student numbers permit)
Paisley:
Ayr:
Dumfries:
Lanarkshire: check mark
London:
Distance/Online Learning:
Other:

Term(s) for Module Delivery
(Provided viable student numbers permit).
Term 1
Term 2
Term 3


Learning Outcomes: (maximum of 5 statements)

On successful completion of this module the student will be able to:

L1. Demonstrate knowledge that covers and integrates most of the principal areas, features, boundaries, terminology and conventions of cyber security and secure programming.

L2. Critically identify, define, conceptualise and analyse both public and private programmatic security hazards.

L3. Use a range of tools and formal methods to audit and support the development of secure software.

L4. Apply knowledge, skills and understanding of the security features offered by a range of programming languages and libraries.

Employability Skills and Personal Development Planning (PDP) Skills
SCQF Headings During completion of this module, there will be an opportunity to achieve core skills in:
Knowledge and Understanding (K and U) SCQF Level 10.

Recognise CVE ID numbers, and prepare a response appropriate to the associated threat level.
Comprehend the relationship between a programming language and the underlying computer hardware; the abstract machine.

Practice: Applied Knowledge and Understanding SCQF Level 10.

Apply standard secure coding guidelines to avoid common security loopholes.
Demonstrate the utility of tools such as compilers; debuggers; profilers; model checkers; and virtual machines for secure programming.

Generic Cognitive skills SCQF Level 10.

Understand the advantages and limitations of programming within an advanced type system.
Appreciate the feature set of libraries for authentication and encryption.

Communication, ICT and Numeracy Skills SCQF Level 10.

Apply secure software development principles to a range of application domains.

Pre-requisites: Before undertaking this module the student should have undertaken the following:
Module Code:
Module Title:
Other:
Co-requisites:
Module Code:
Module Title:

* Indicates that module descriptor is not published.


Learning and Teaching
Students will attend weekly lectures and supervised laboratory sessions.

Lectures will introduce the core concepts of secure development, starting with recognising and repairing insecure systems, as well as developing secure systems. After a thorough development of secure programming in low-level and conventional programming languages, lecture topics will also introduce formal methods and advanced type systems. Each session will aim to provide one guest lecture, to provide an expert or established professional's insight into a specialist secure development methodology or technology.

Techniques described by the lectures will then be explored more deeply within the laboratory sessions, where the student will be provided with access to virtual machines, tools, and appropriate development environments. These are often accompanied by initial code samples, or binary files, which should be analysed, repaired, or developed according to the assigned tasks.

Learning Activities
During completion of this module, the learning activities undertaken to achieve the module learning outcomes are stated below:
Student Learning Hours
(Normally totalling 200 hours):
(Note: Learning hours include both contact hours and hours spent on other learning activities)
Lecture/Core Content Delivery: 24
Tutorial/Synchronous Support Activity: 12
Laboratory/Practical Demonstration/Workshop: 12
Independent Study: 152
Total: 200 Hours

**Indicative Resources: (eg. Core text, journals, internet access)

The following materials form essential underpinning for the module content and ultimately for the learning outcomes:

Robert C. Seacord. Secure Coding in C and C++, Second Edition, Addison-Wesley, 2013

Steve Klabnik and Carol Nichols. The Rust Programming Language

Jim Blandy and Jason Orendorff. Programming Rust: Fast, Safe Systems Development, O'Reilly Media, 2017

David Wheeler. Secure Programming HOWTO - Creating Secure Software

John Viega and Matt Messier. Secure Programming Cookbook for C and C++, O'Reilly Media, 2003

Brian Chess and Jacob West. Secure Programming with Static Analysis, Addison-Wesley Professional, 2007

SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition) available online at http://www.cert.org/secure-coding/products-services/secure-coding-download.cfm

The module coordinator will require virtual machine authoring tools, and ITDS assistance to access licensed operating systems materials.

(**N.B. Although reading lists should include current publications, students are advised (particularly for material marked with an asterisk*) to wait until the start of session for confirmation of the most up-to-date material)

Engagement Requirements

In line with the Academic Engagement Procedure, students are defined as academically engaged if they are regularly engaged with timetabled teaching sessions and course-related learning resources, including those in the Library and on the relevant learning platform, and if they complete assessments and submit these on time. Please refer to the Academic Engagement Procedure at the following link: Academic engagement procedure


Supplemental Information

Programme Board: Computing
Assessment Results (Pass/Fail): No
Subject Panel: Business & Applied Computing
Moderator: Graham Parsonage
External Examiner: D Doolan
Accreditation Details:
Version Number: 1.08


Assessment: (also refer to Assessment Outcomes Grids below)
One coursework assignment worth 30% of the overall mark.
One coursework assignment worth 40% of the overall mark.
One class test worth 30% of the overall mark.
(N.B. (i) Assessment Outcomes Grids for the module (one for each component) can be found below which clearly demonstrate how the learning outcomes of the module will be assessed.
(ii) An indicative schedule listing approximate times within the academic calendar when assessment is likely to feature will be provided within the Student Handbook.)

Assessment Outcome Grids (Footnote A.)

Component 1
Assessment Type (Footnote B.): Laboratory/ Clinical/ Field notebook
Learning Outcomes (1) to (4): check mark, check mark, check mark
Weighting (%) of Assessment Element: 30
Timetabled Contact Hours: 0

Component 2
Assessment Type (Footnote B.): Laboratory/ Clinical/ Field notebook
Learning Outcomes (1) to (4): check mark, check mark, check mark
Weighting (%) of Assessment Element: 40
Timetabled Contact Hours: 0

Component 3
Assessment Type (Footnote B.): Class test (practical)
Learning Outcomes (1) to (4): check mark  check mark
Weighting (%) of Assessment Element: 30
Timetabled Contact Hours: 0

Combined Total For All Components: 100%, 0 hours

Footnotes
A. Referred to within Assessment Section above
B. Identified in the Learning Outcome Section above

Note(s):
  1. More than one assessment method can be used to assess individual learning outcomes.
  2. Schools are responsible for determining student contact hours. Please refer to University Policy on contact hours (extract contained within section 10 of the Module Descriptor guidance note).
    This will normally be variable across Schools, dependent on Programmes &/or Professional requirements.

Equality and Diversity

UWS Equality and Diversity Policy
(N.B. Every effort will be made by the University to accommodate any equality and diversity issues brought to the attention of the School)

2014 University of the West of Scotland

University of the West of Scotland is a Registered Scottish Charity.

Charity number SC002520.