IT & Mobile Security

Software Security

Integrated course, 3.00 ECTS


Course content

Introduction to software security (software engineering practices, secure software development life cycle, knowledge for software security);

Reverse engineering (C environment, Java environment, code obfuscation);

Secure coding (taxonomy of coding errors, encapsulation, data validation, buffer overflow, error handling & logging, security features)

Learning outcomes

The students know the most important activities in the secure software development life cycle.
Students are able to apply reverse engineering methods for C and Java binaries, as well as code obfuscation techniques.
Students can apply the principles of Secure Coding in practice and identify and eliminate security-relevant weaknesses in the implementation of software systems.

Recommended or required reading and other learning resources / tools

Gary R. McGraw, Software Security: Building Security In, Addison Wesley, 2006;
Laura Bell & Michael Brunton-Spall, Agile Application Security, O'Reilly, 2017;
Jon Erickson, Hacking: The Art of Exploitation, No Starch Press, 2008;
Bruce Dang, Practical Reverse Engineering, Wiley, 2014;
Ginger Myles, Surreptitious Software, Pearson Education, 2009;
Robert C. Seacord, CERT® C Coding Standard, Addison-Wesley, Second Edition 2014;
Fred Long et al., The CERT Oracle Secure Coding Standard for Java, Addison-Wesley, 2011;
Jeffrey E.F. Friedl, Mastering Regular Expressions, O'Reilly, 2006;
David Hook, Beginning Cryptography with Java, 2005;
Joshua Bloch, Effective Java, Addison-Wesley, 2017

Mode of delivery

Inverted classroom model:
Lectures (almost exclusively online);
Examples and model solutions for self-directed learning;
Problem-Based Learning in the lab.

Prerequisites and co-requisites

Basic C und Java knowledge.

Assessment methods and criteria

Practical laboratory tests (40% of the evaluation);
Final exam at the end of the semester (60% of the evaluation)