This lecture focuses on the importance of secure coding: designing and writing programs that avoid the common errors which can interfere with the intended functions of the software, with possible harm to users and legal consequences for the software producers. Sound, secure programming requires attention to both human factors and technical issues, and it depends on coordination among systems analysts, designers, coders, and testers.
This course covers material aligned with the CISSP criteria for Domain 4 of the Common Body of Knowledge, Application Development Security.
After completing this course, you should be better able to
- Explain clearly to managers why secure programming is essential to the organization’s needs;
- Argue rationally for Total Quality Management (TQM) as a necessary element of your organization’s software development strategy;
- Explain in simple terms how the legal environment in your country requires attention to secure, reliable programs that you produce;
- Use the Staircase Principle to explain why developers must avoid delays in correcting errors in requirements acquisition, analysis, definition, design, coding and implementation;
- Take advantage of your operating system’s security provisions to support secure coding;
- Apply well-established best practices in your programs;
- Avoid specific categories of programming errors, including
  - Logic Flow
  - Boundary Condition Violations
  - Parameter Passing
  - Race Condition
  - Load Condition
  - Resource Exhaustion
  - Inter-application Conflicts;
- Integrate sound principles of user-interface design for the control/command structure to ensure full functionality and to minimize user errors;
- Keep track of Quality of Service (QoS) criteria in the Service-Level Agreements (SLAs) to avoid legal liability for unacceptably slow response times;
- Ensure user control of output formats;
- Articulate the pros and cons of white/black/gray-box code-testing.
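To make one of the listed error categories concrete, here is an added example (not part of the course materials) of a boundary condition violation and its corrected form. The record layout, the field size `FIELD_SIZE`, and the function names `set_name_unchecked` and `set_name_checked` are assumptions made for illustration; the point is the off-by-one in the loop bound, which writes one byte past the end of the array when the input exactly fills it, and the checked version that rejects over-long input rather than truncating or overflowing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field; chosen small so the boundary is easy to see. */
#define FIELD_SIZE 16

struct record {
    char name[FIELD_SIZE];
    int  privileged;   /* on common layouts this sits right after `name` */
};

/* VULNERABLE (boundary condition violation): the loop allows i to reach
 * FIELD_SIZE, so for a 16-character input the terminating NUL lands in
 * name[16], one byte past the array. Kept here only to show the pattern;
 * never call it with input that can exceed FIELD_SIZE - 1 characters. */
void set_name_unchecked(struct record *r, const char *src)
{
    size_t i = 0;
    /* Off by one: the bound should be i < FIELD_SIZE - 1 to leave room
     * for the NUL terminator. */
    while (src[i] != '\0' && i <= FIELD_SIZE - 1) {
        r->name[i] = src[i];
        i++;
    }
    r->name[i] = '\0';   /* when i == FIELD_SIZE this is an out-of-bounds write */
}

/* FIXED: validate the length against the buffer before any write, and
 * report failure to the caller instead of silently truncating. */
bool set_name_checked(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= FIELD_SIZE)          /* need n + 1 bytes including the NUL */
        return false;
    memcpy(r->name, src, n + 1);  /* copies the terminator too */
    return true;
}

int main(void)
{
    struct record r = {{0}, 1};
    /* Constructed inputs: 15 characters fits, 16 does not. */
    const char *fits   = "exactly15chars!";
    const char *toobig = "sixteen_chars_xx";

    printf("checked(fits)   = %d\n", set_name_checked(&r, fits));
    printf("checked(toobig) = %d, privileged still %d\n",
           set_name_checked(&r, toobig), r.privileged);
    return 0;
}
```

The checked version returns a status instead of truncating because silent truncation is itself a logic-flow hazard: a caller that compares the stored name against an access-control list would be matching a value the user never supplied.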
Recommended pre-requisites: Must have experience in systems analysis or in programming.
Recommended materials: No required text. Recommended text: Bosworth, S., M. E. Kabay, & E. Whyne (2014), eds. Computer Security Handbook, 6th Edition. Wiley (ISBN 978-0471716525). 2 volumes, 2240 pp.
Supplemental materials provided: PDF of class slides; all quiz questions that can appear on quizzes; several dozen references to online resources such as technical papers, government standards, and useful databases.