Secure Coding in Software Engineering

Welcome to Secure Coding in Software Engineering, a comprehensive course designed to equip you with essential knowledge and skills in securing software systems. In today's interconnected world, where software vulnerabilities pose significant risks to organizations and individuals, understanding software security principles is paramount. This course is crafted to provide you with a solid foundation in software security concepts, methodologies, and best practices.

Acknowledgement

I would like to thank Prof. Gananand Kini for his efforts and contributions in creating the original course from which this course is derived from. List of sources from where the course derived from:

• Prof. Gananand Kini's coursework.
• Title: Secure Software Design and Programming: Class Materials
  • Author: Prof. David A. Wheeler
  • Source: https://dwheeler.com/secure-class/index.html
  • License: CC BY-SA 3.0
• Title: Introduction to Secure Coding
  • Author: Andrew Buttner and Larry Shields
  • Source: https://opensecuritytraining.info/IntroSecureCoding.html
  • License: CC BY-SA 3.0

Learning Objectives

Throughout this course, you will achieve the following learning objectives:

1. Understanding the Secure Development Lifecycle (SDLC)

• Define and apply the principles of the Secure Development Lifecycle (SDLC).
• Learn how to effectively communicate and mitigate software security weaknesses within the SDLC framework.

2. Penetration Testing and Security Analysis

• Apply penetration testing techniques to evaluate software security.
• Utilize security analysis techniques and tools to assess software security posture.

3. Identification and Remediation of Software Weaknesses

• Develop the ability to explain weaknesses in software systems.
• Apply defenses to remediate software exploits and vulnerabilities.

Note
This course will not cover topics such as anti-virus technology, hacking, or advanced exploitations. While relevant aspects of software design and architecture may be highlighted, they are not the primary focus.

What You Will Gain

By completing this course, you will acquire practical skills and knowledge to:

• Audit software systems and identify security weaknesses effectively.
• Describe identified weaknesses using MITRE's CWE^TM.
• Master methodologies, techniques, and tools used in secure code review processes.
• Identify and address security weaknesses efficiently.
• Conduct secure code reviews for various purposes, including enhancing code quality, improving communication, and educating others.

Why Take This Course?

Many security education programs predominantly focus on exploiting vulnerabilities to showcase weaknesses. In contrast, this course emphasizes proactive measures to secure software systems through best practices. It fills the gap in traditional software engineering classes, which often overlook security aspects. While there's a gradual shift in academic curriculums, this course provides you with practical knowledge and skills essential for securing software systems in today's digital landscape.

INFO
The course will use the CWE-699 as base view which is focused on the security of a software. There are other views, which can be explored here but are not within the scope of this course.

Course Structure

This course is structured into multiple chapters, each covering different areas and topics within software development and security. Throughout the course, relevant code references will be provided in various programming languages such as C#, Python, etc., although the concepts discussed are applicable to any modern-day programming language. There will be references to relevant excerpts and images and reading material will be provided as references as and when required.

Understanding Vulnerabilities

To comprehend vulnerabilities within software systems, the course will employ a root cause analysis (RCA) approach, aided by Common Weakness Enumerations (CWE).

Core Concepts

The course will begin by exploring fundamental concepts essential for secure software development, including:

• Tenets of Software System Design.
• Security Principles and the Secure Software Development Cycle.

In-Depth Exploration

In addition to the core concepts, the course will delve into the following areas in-depth:

• Input Security
• Cryptography
• Authentication & Authorization
• Session Management
• Error Handling
• Logging
• Debug Code
• Performing Secure Code Reviews.

Table of Contents

1. About the Course
2. Introduction
3. Software Engineering Design & Security Principles

License

The course is licensed under Creative Commons "Share Alike" license. https://creativecommons.org/licenses/by-sa/3.0/

The course is derived from Introduction to Secure Software Engineering class by Gananand Kini et al.

Check the LICENSE for more details.

Contribute

Use the github issues section to know more.