Course detail

Secure Coding

FIT-SCO Acad. year: 2024/2025

This course introduces the principles and practices of secure coding. Secure coding means writing programs in a secure manner to avoid vulnerabilities that can be exploited by attackers. It also means making appropriate and effective use of security features provided by libraries, such as authentication and encryption. A range of programming platforms will be considered, from low-level programming (e.g. Android OS), to web programming (e.g. JavaScript and Python), to large-scale high-level languages (e.g. Java). New and emerging language security mechanisms will be explored, including methods for static and dynamic analysis.

Why is the course taught

Today, it is a growing problem that, thanks to imperfections in application code, an attacker can gain access to valuable data stored on a computer, or gain control of the computer altogether. The goal of this course is to both show how such a situation can occur completely unintentionally and to demonstrate how code can be written to prevent such attacks.

Exam prerequisites

Earning at least one point from each project and earning at least 10 points during the semester. Any form of plagiarism or non-independent work will result in no credit being awarded. Credit is awarded by the instructor.

Language of instruction

Czech

Number of ECTS credits

5

Mode of study

Not applicable.

Entry knowledge

Not applicable.

Rules for evaluation and completion of the course

Scoring of the results of the developed projects.
Interim control and evaluation of projects, final exam. To obtain points from the exam, the exam must be evaluated with more than 20 points; otherwise, the exam is scored 0 points.

Aims

The aim of the course is to introduce students to the basic principles of secure programming and to explain the general principles of vulnerabilities and defenses against them. To ensure that applications are correctly designed and implemented to meet security requirements, secure coding practices must be incorporated as a normal part of all phases of the software development process. A key step is to educate developers so that they know the essential basic principles of secure coding and can apply them, regardless of the environment in which they work.


Students will learn the general principles and practices of writing programs securely.

Study aids

Not applicable.

Prerequisites and corequisites

Not applicable.

Basic literature

Not applicable.

Recommended reading

Fred Long et al. The Oracle/CERT Secure Coding Standard for Java, Addison-Wesley, 2011. Available online at http://www.cert.org/secure-coding/
John Viega, Matt Messier: Secure Programming Cookbook for C and C++, 2003, O'Reilly Media, Inc., ISBN: 9780596003944
Michael Howard, David LeBlanc: Writing Secure Code, Microsoft Press, Second Edition, ISBN-13: 978-0735617223
Michael Howard, Steve Lipner: The Security Development Lifecycle, 2006, Microsoft Press, ISBN: 0735622140
Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04232020.pdf
Ross Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Edition, ISBN: 978-1-119-64281-7
The OWASP web application security project: https://www.owasp.org/

Classification of course in study plans

  • Programme MITAI Master's

    specialization NGRI, 0 year of study, winter semester, elective
    specialization NADE, 0 year of study, winter semester, elective
    specialization NISD, 0 year of study, winter semester, elective
    specialization NMAT, 0 year of study, winter semester, elective
    specialization NSEC, 0 year of study, winter semester, elective
    specialization NISY up to 2020/21, 0 year of study, winter semester, elective
    specialization NNET, 0 year of study, winter semester, elective
    specialization NMAL, 0 year of study, winter semester, elective
    specialization NCPS, 0 year of study, winter semester, elective
    specialization NHPC, 0 year of study, winter semester, elective
    specialization NVER, 0 year of study, winter semester, elective
    specialization NIDE, 0 year of study, winter semester, elective
    specialization NISY, 0 year of study, winter semester, elective
    specialization NEMB, 0 year of study, winter semester, elective
    specialization NSPE, 0 year of study, winter semester, elective
    specialization NBIO, 0 year of study, winter semester, elective
    specialization NSEN, 0 year of study, winter semester, elective
    specialization NVIZ, 0 year of study, winter semester, elective

Type of course unit

 

Lecture

26 hours, optional

Teacher / Lecturer

Syllabus

  1. Introduction, recapitulation of concepts (robust code, secure code, self-protecting code, reentrant code, intermediate code, binary code, binary code for VMs, OS role, VM role, ...).
  2. Attacker targets, sandbox escape, privilege elevation, path from vulnerability to exploit, CVE.
  3. Basic vulnerabilities of compiled languages - buffer overflow, strings, integer overflow.
  4. Memory protection mechanisms, stack protection, return oriented programming, ASLR. Basic vulnerabilities of interpreted languages - memory handling, use after free.
  5. Usable security and the impact of UX on system security. Protocol implementation security, IoT, API security.
  6. Input validation, testing, fuzzing.
  7. Static and dynamic analysis.
  8. Standards for secure coding, OWASP, SSDF.
  9. Secure random number generation.
  10. Seminar - Attack on JavaScript and how to defend against it.
  11. Seminar - Attack on Java and how to defend against it.
  12. Seminar - Attack on binary executable and how to defend against it.
  13. Seminar - Demonstration of interesting projects, solutions.

Project

26 hours, optional

Teacher / Lecturer

Syllabus

Individual projects solved independently by each student without any further collaboration.
