TDDC90 Software Security (6 ECTS)
Literature - Mandatory
The literature for this course is a collection of papers. Some papers may be accessible only via the university library's website. All papers listed below and the lecture notes are mandatory reading for the exam. There is also a separate list of additional material to give you a deeper understanding of the topics (not required for the exam).
Lecture 1: Introduction
|D. Wheeler. Secure Programmer: Developing Secure Programs|
Lecture 2: Secure software development and secure design
Lectures 3 and 4: Vulnerabilities, exploits and prevention
We are mainly concerned with the principles. Note that some of the required papers may cover attacks on protection mechanisms. You will be expected to understand both the principles of the protection mechanisms and the principles of the attack.
For the following CWE definitions of vulnerabilities, read and understand the Description, code examples, and Potential Mitigations for the Implementation phase. (Note that “mitigations” is used here with a different, broader meaning than in the lectures.)
Lecture 5: Web security
|OWASP Top 10 2017 Summary. Only sections A1-A10 (pages 7-16) are mandatory reading.|
|Password Crackers - Ensuring the security of your password|
|Testing for brute force (OWASP-AT-004) (Excluding parts about the HTTP protocol)|
|OWASP - Command injection|
|OWASP - Cross-Site Request Forgery (CSRF)|
|OWASP - Cross-Site Request Forgery - Prevention Cheat Sheet|
|Wikipedia - File Inclusion Vulnerability|
|OWASP - Cross-Site Scripting (XSS)|
|OWASP - XSS Prevention Cheat Sheet|
|OWASP - SQL Injection|
|OWASP - XXE|
Lecture 6: Software engineering reviews
There is no mandatory reading for this lecture, except for the slides, but we recommend that you read the additional material on code inspections before this lecture.
Lectures 7 and 8: Static analysis
There is no mandatory reading for these lectures, except for the slides.
Lecture 9: Security testing
|P. Oehlert. Violating assumptions with fuzz testing. IEEE Security & Privacy, 2005.|
|P. Godefroid, M. Y. Levin, and D. Molnar. SAGE: Whitebox Fuzzing for Security Testing. ACM. Queue 10, 1. 2012.|
Page responsible: Ulf Kargén
Last updated: 2019-11-01