EPN-V2

ACIT4014 Software Security Course description

Course name in Norwegian
Software Security
Weight
10.0 ECTS
Year of study
2026/2027
Course history
  • Introduction

    Software security is a critical aspect of modern software development, ensuring that applications are resilient to cyber threats and vulnerabilities. This course provides an in-depth understanding of software security principles, focusing on the identification, mitigation, and prevention of security risks in software systems. Students will gain practical experience in analyzing and securing software through theoretical knowledge, practical lab sessions, and hands-on exercises.

    The main purpose of the course is to understand and systematically manage various software security problems in a safe and controlled environment. Risky programming patterns that can be exploited for nefarious purposes can cause significant financial losses and reputational damage to organizations that use or develop vulnerable products. The knowledge and skills imparted during the course are intended to limit the above-mentioned risks and are therefore important for companies and organizations where professional software is being developed.

    Language of Instruction: English

  • Recommended preliminary courses

    It would be beneficial to have a completed course of at least 6 credits in programming.

  • Required preliminary courses

    No formal requirements over and above the admission requirements.

  • Learning outcomes

    Knowledge

    After completing the course, the student knows

    • the causes of vulnerabilities in software
    • how software vulnerability exploitation techniques work, e.g., buffer overflow.
    • how protection against specific exploitation techniques in software works, e.g., memory safety.
    • techniques and implementation choices that lead to safe handling of input data

    Skills

    On completion of the course, the student can:

    • analyse the source code and binaries
    • assess and mitigate security vulnerabilities in software applications
    • handle vulnerabilities in memory management, in system calls and calls to library functions
    • conduct basic threat modelling to assess security risks.

    General competence

    On successful completion of this course, the student can:

    • identify the adversary’s "modus operandi" exploits and risky programming patterns to be avoided
    • use tools for both code and binaries for the purpose of understanding exploitation techniques as well as to protect software
    • apply methods and measures to counter unsafe handling of input data
  • Teaching and learning methods

    The course will include a variety of learning activities, including:

    • Lectures
    • Guest lectures
    • Assigned readings
    • Case studies related to security breach incidents
    • Writing assignments
    • Group discussions and presentations
    • Collaborative group work and peer feedback on classmates’ contributions
    • Scenario-based challenges
  • Course requirements

    The following required coursework must be approved before the student can take the exam:

    Three assignments (quizzes and technical reports on vulnerabilities, exploits, and countermeasures) that can be performed individually, or in groups of max 2.

  • Assessment

    A 15-20 minute oral presentation and demonstration of successful exploits, completed individually or in a group of maximum two students.

    The exam cannot be appealed.

    New/postponed exam: In case of failed exam or legal absence, the student may apply for a new or postponed exam. New or postponed exams are offered within a reasonable time span following the regular exam. The student is responsible for registering for a new/postponed exam within the time limits set by OsloMet. The Regulations for new or postponed examinations are available in Regulations relating to studies and examinations at OsloMet.

  • Permitted exam materials and equipment

    All aids are permitted, provided the rules for plagiarism and source referencing are complied with.

  • Grading scale

    Grade scale A-F.

  • Examiners

    Two internal examiners. External examiners are used periodically.

  • Course contact person

    Nurul Momen