COURSE UNIT TITLE: ADVANCED SOFTWARE AND APPLICATIONS SECURITY

Description of Individual Course Units

Course Unit Code: CSC 5018
Course Unit Title: ADVANCED SOFTWARE AND APPLICATIONS SECURITY
Type of Course: ELECTIVE
D U L: 3 0 0
ECTS: 8

Offered By

Graduate School of Natural and Applied Sciences

Level of Course Unit

Second Cycle Programmes (Master's Degree)

Course Coordinator

ASSISTANT PROFESSOR ERDEM ALKIM

Offered to

Ph.D. in Computer Science (English)
Computer Science

Course Objective

To provide the students with a comprehensive theoretical and applied study of software security and software security exploits, as well as the tools and techniques used in the audit, analysis and remediation of security vulnerabilities and problems faced in web, mobile and cloud applications. To establish in-depth knowledge of vendor-independent web application hacking techniques and the defensive programming approaches necessary to mitigate such attacks.

Learning Outcomes of the Course Unit

1   Implement and develop solutions for security problems within the different software development phases of companies or institutions.
2   Plan and conduct security audits and penetration tests for corporate software projects, database systems and applications.
3   Gain the knowledge to deal effectively with attacks and attackers against real-time applications by means of technical, legal and organizational countermeasures.
4   Plan, manage and apply different security testing methodologies, procedures and techniques in software source code analysis.
5   Develop basic skills to design and develop tools and frameworks for software risk analysis and vulnerability assessment.

Mode of Delivery

Face-to-Face

Prerequisites and Co-requisites

None

Recommended Optional Programme Components

None

Course Contents

Week  Subject Description
1     Basic concepts in information security: threats, vulnerabilities, risks. Preventative, detective and corrective controls.
2     Introduction to security concepts in application and software security. Well-known attack methodologies of the last decades and their countermeasures, with examples including buffer overflows, viruses and denial of service attacks.
3     Secure software development life cycle models and frameworks. Security testing methodologies, tools and techniques in software development, Part 1: static code analysis methods and techniques. Backdoor detection and covert channel analysis techniques in source code.
4     Security testing methodologies, tools and techniques in software development, Part 2: dynamic code analysis methods and techniques. Other test methods for applications, executable code and potential malware. Threats and countermeasures for software development components with vulnerabilities.
5     Penetration tests, security audits and vulnerability analysis: planning, conducting, executing and reporting. Common tools and their use, with applied examples.
6     Cryptography: short review of terminology. Cryptographic algorithms and technologies implemented in software and applications.
7     Reverse engineering attacks. Copy protection and software licensing schemes and methodologies, with several tools and examples.
8     Recap
9     Cryptographic attacks, vulnerabilities and their solutions in software and web applications.
10    Security misconfiguration in database systems, operating systems and web applications. Preventative, detective and corrective controls and solutions for these problems.
11    SQL injection, HTML / URL injection, AJAX injection and other types of injection attacks. Solutions for these attacks and related problems.
12    Persistent, non-persistent and DOM-based cross-site scripting attacks. Cross-site request forgery and other advanced script-based / client-based attack methods. Solutions for these attacks and problems.
13    Path / directory traversal and URL parameter tampering attacks. Broken authentication and session management vulnerabilities. Solutions for these attacks and problems. Assignment discussion.
14    Exploit tool design and writing exploit toolkits. Advanced techniques and methodologies to detect unknown exploit tools.

Recommended or Required Reading

Textbook(s)/References/Materials:
Textbook(s):
Dafydd Stuttard and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd ed., Wiley Pub., 2011.
Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Pearson Education Inc., 2007.
Supplementary Book(s):
James C. Foster, Vincent T. Liu. Writing Security Tools and Exploits, Syngress Pub., 2006.

Planned Learning Activities and Teaching Methods

The course is taught in a lecture, class presentation and discussion format. Besides the taught lectures, group presentations are prepared by the assigned groups and presented in a discussion session. In some weeks of the course, the results of previously given homework are discussed.

Assessment Methods

No.  Short Code  Long Code                    Formula
1    MTE         MIDTERM EXAM
2    ASG         ASSIGNMENT
3    PRS         PRESENTATION
4    FIN         FINAL EXAM
5    FCG         FINAL COURSE GRADE           MTE * 0.30 + ASG * 0.20 + PRS * 0.10 + FIN * 0.40
6    RST         RESIT
7    FCGR        FINAL COURSE GRADE (RESIT)   MTE * 0.30 + ASG * 0.20 + PRS * 0.10 + RST * 0.40

*** Resit Exam is Not Administered in Institutions Where Resit is not Applicable.

Further Notes About Assessment Methods

None

Assessment Criteria

To be announced.

Language of Instruction

English

Course Policies and Rules

To be announced.

Contact Details for the Lecturer(s)

To be announced.

Office Hours

To be announced.

Work Placement(s)

None

Workload Calculation

Activities                                  Number  Time (hours)  Total Work Load (hours)
Lectures                                    13      3             39
Preparations before/after weekly lectures   13      4             52
Preparation for midterm exam                1       20            20
Preparation for final exam                  1       20            20
Preparing assignments                       2       15            30
Preparing presentations                     2       20            40
Final                                       1       2             2
Midterm                                     1       2             2
TOTAL WORKLOAD (hours)                                            205

Contribution of Learning Outcomes to Programme Outcomes

PO/LO  PO.1 PO.2 PO.3 PO.4 PO.5 PO.6 PO.7 PO.8 PO.9 PO.10
LO.1   5 5 5
LO.2   5 5 5
LO.3   5 5 5
LO.4   5 5 5
LO.5   5 5 5