SW Security Course GuideBook - 2017, Semester I

The document is a course guide for 'Fundamentals of Software Security' at Bahir Dar Institute of Technology, detailing course information, outcomes, and a structured outline of topics to be covered. It emphasizes the importance of understanding software vulnerabilities, security principles, and the integration of security throughout the software development lifecycle. Assessment methods, course policies, and reference materials are also outlined to ensure students adhere to academic standards and successfully complete the course.


BAHIR DAR INSTITUTE OF TECHNOLOGY
COMPUTING FACULTY
SYSTEM DEVELOPMENT CHAIR
FUNDAMENTALS OF SOFTWARE SECURITY COURSE GUIDE BOOK
ACADEMIC YEAR 2017 SEMESTER I
1. GENERAL INFORMATION

Course Title: Fundamentals of Software Security
Course Code: SEng3073
Pre-Requisite: None
Course Type: Compulsory
CP / Cr.hr: 6
Contact Hours: Lecture 3, Tutorial 0, Lab 3, Home Study -
Consultation Hrs.: By Appointment

Instructor
Name: Kelemework Kindie
Office No.: Tana117
Email: [email protected]

Lab Instructors / Assistants
Name:
Office No.:

Target Group
Program/Department: Software Engineering / Regular
Year: 3rd
Section: A

2. COURSE DESCRIPTION

In this course we will explore the foundations of software security. We will consider important
software vulnerabilities and the attacks that exploit them, such as buffer overflows, SQL
injection, and session hijacking, and we will consider defenses that prevent or mitigate these
attacks, including advanced testing and program analysis techniques. Importantly, we take a
"build security in" mentality, considering techniques at each phase of the development cycle
that can be used to strengthen the security of software systems.
3. COURSE OUTCOMES
At the end of the course, the student should be able to:
- Understand the role that software plays in providing security and as a source of insecurity.
- Understand the principles, methods and technologies that make software more secure.
- Recognize typical threats and vulnerabilities that make software less secure, and know how to avoid them.
- Know how to prevent them entirely, or mitigate their effects, by improving the software's
design and implementation.

1|Page
- Know state-of-the-art tools and techniques for testing and otherwise verifying that software
is secure.
- Know how to "build security in" rather than treat it as an afterthought, and have a
plethora of skills, applicable at each phase of the development cycle, that can be used to
strengthen the security of software systems.

4. COURSE OUTLINE WITH TEACHING METHODOLOGY, WEEK AND REFERENCE

Week 1-2
Lecture Topics: Chapter 1
  1.1 Security Goals
  1.2 Secure System Design
  1.3 Secure Design Principles
  1.4 Risk Management Frameworks and Processes
Teaching Methodology: Lecture, Group Discussion
Reference: Ref.1 (pg. 59-98), Ref.4 (pg. 3-77)

Week 3-6
Lecture Topics: Chapter 2
  2.1 Worms and Other Malware
  2.2 Buffer Overflows
  2.3 Client-State Manipulation
Teaching Methodology: Lecture, Group Discussion & Laboratory Demonstration
Reference: Ref.3 (pg. 101), Ref.4 (pg. 83-121)

Week 7
Mid Term Exam

Week 8-11
Lecture Topics: Chapter 3
  3.1 SQL Injection
  3.2 Password Security
  3.3 Cross-Domain Security in Web Applications
Teaching Methodology: Lecture, Laboratory Demonstration & Reading Assignment
Reference: Ref.1 (pg. ), Ref.4 (pg. 122-197)

Week 12-13
Lecture Topics: Chapter 4
  4.1 Crypto Concepts
Teaching Methodology: Lecture, Group Discussion, Laboratory Demonstration & Reading Assignment
Reference: Ref.4 (pg. 203-251)

Week 14-15
Lecture Topics: Chapter 5
  5.1 Code Review Using Static Analysis Tools
  5.2 Security and Penetration Testing
  5.3 Abuse Case Development
Teaching Methodology: Lecture, Laboratory Demonstration & Reading Assignment
Reference: Ref.1 (pg. 119-226)

Week 16
Final Exam

6. LABORATORY / WORKSHOP / SESSION CONTENT AND REQUIRED MATERIAL

Week 1-4
Laboratory Topics:
  - Worms and Other Malware
    o Creating computer virus programs, Anti-Virus
  - Setting firewall security in Windows and web browser security
  - Buffer Overflows
  - Client State Manipulation
  - …
Material or Tools: Notepad++, CodeBlocks, Quincy (or any other C/C++ IDE editor), OWASP Broken Web Apps, Oracle VM VirtualBox, Ubuntu

Week 5-7
Laboratory Topics:
  - SQL Injection
  - Password Security
  - …
Material or Tools: SqlMap, Hashcat GUI, OWASP Broken Web Apps, Kali Linux, Oracle VM VirtualBox

Week 8-11
Laboratory Topics:
  - Cross-Domain Security in Web Applications
    o Cross-Site Scripting (XSS) Attack
    o Cross-Site Request Forgery (XSRF) Attack
    o Cross-Site Script Inclusion (XSSI) Attack
  - Cryptography Implementation
    o Symmetric Key Cryptography
    o Asymmetric Key Cryptography
Material or Tools: Notepad++, Language editor, OWASP Broken Web Apps, Oracle VM VirtualBox, NetBeans IDE, …

Week 12-14
Laboratory Topics:
  - Code Review Using Static Analysis Tools
  - Penetration Testing
  - …
Material or Tools: VisualCode Grepper, Nmap / Burp Suite / Metasploit / Kali Linux, …

7. ASSESSMENT METHODS

Assessment Type / Mark Allotted / Duration
- Individual Assessment 1 (quiz, attendance, …) / / Before Mid
- Group Assessment 1 (lab assignment/project with presentation) / / Before Mid
- Mid Term Exam / /
- Individual Assessment 2 (lab test, report, presentation) / / After Mid
- Final Exam / 50% /
- Total / 100% /

8. COURSE POLICY
All students are expected to abide by the students' code of conduct (Articles 166 and 166.1.1
of the Senate Legislation of Bahir Dar University, May 20, 2005) throughout this course.
Academic dishonesty, including cheating, fabrication, and plagiarism, will not be tolerated and
will be reported to the concerned bodies for action.
Class attendance and participation: You are expected to attend class regularly. I will take
attendance on regular days during the semester to ensure that students are coming to class, and
if you miss class repeatedly, your grade will be affected, as attendance carries marks. If you miss more than
85% of lecture and tutorial attendance, or 100% of laboratory class attendance, you will not sit for the final
exam.

9. TEXT BOOK AND REFERENCE MATERIALS

R1. Software Security: Building Security In (2006), by Gary McGraw, Addison-Wesley Professional (Text Book)
R2. Secure Software Development: A Security Programmer's Guide (2008), by Jason Grembi, Delmar Cengage Learning
R3. Exploiting Software: How to Break Code (2004), by Greg Hoglund & Gary McGraw, Addison-Wesley Professional
R4. Foundations of Security: What Every Programmer Needs to Know (2007), by Neil Daswani, Christoph Kern and Anita Kesavan (Text Book)

10. AUTHORIZATION
a. Prepared by (instructor's name): Kelemework K.
   Signature: _________ Date: _
b. Checked by (course chair's name): Kelemework K.
   Signature: _________ Date: _
c. Verified by (chair holder's name): Samuel A.
   Signature: _________ Date:
