TDT4237 - Software Security and Data Privacy
Examination arrangement: Portfolio assessment
Grade: Letters
Evaluation | Weighting | Duration | Grade deviation | Examination aids
---|---|---|---|---
Assignments (Arbeider) | 70/100 | | |
Home exam (Hjemmeeksamen) | 30/100 | 2 hours | |
Course content
The course will go through all the phases in the secure software development lifecycle (requirements, design, implementation, and testing) focusing on how to incorporate security in each phase and what techniques to use. The main focus is on web-based applications, mobile apps, and cloud security. The course will also cover basic knowledge related to data privacy, such as GDPR, anonymization, and pseudonymization.
Learning outcome
After having taken this course, students should be able to:
1) Identify typical security vulnerabilities of web applications listed in the OWASP Top 10, such as SQL injection, XSS, and XSRF, by reviewing the source code and by penetration testing. Students should also be able to fix the identified vulnerabilities.
2) Explain typical cryptography concepts and algorithms related to web applications, including e.g. block ciphers, stream ciphers, digital signatures, and the SSL/TLS handshake procedure.
3) Apply threat modeling methods to create threat models of a medium-sized web application using misuse cases and attack trees.
4) Describe and compare software engineering practices and standards related to software security, such as software security touchpoints, Common Criteria, BSIMM, and OpenSAMM.
5) Create software security test cases and prioritize the test cases by applying the risk-based testing framework.
6) Explain key authentication and authorization concepts and methods, such as different authentication methods, multilevel and multilateral security controls, and role-based access control.
7) Explain, identify, and apply security mechanisms implemented in the iOS and Android mobile application platforms.
8) Explain typical security issues of cloud platforms and services.
9) Explain the principles of the GDPR and typical anonymization and pseudonymization approaches.
Learning methods and activities
Lectures, exercise lectures and mandatory exercises.
The exercises are obligatory. To pass the course, students have to pass both the exercises and the final exam. The exercise grade from one semester remains valid for later exams.
Compulsory assignments
- Exercises
Further on evaluation
The portfolio includes a final written exam (30%) and exercises (70%). The results for the parts are given in %-scores, while the entire portfolio is assigned a letter grade. The text for the written final exam will be in English. The candidates may choose to write their answers in either English or Norwegian.
If there is a re-sit examination, the examination form may change from written to oral.
In the case that the student receives an F/Fail as a final grade after both ordinary and re-sit exam, then the student must retake the course in its entirety. Submitted work that counts towards the final grade will also have to be retaken.
Recommended previous knowledge
Students should be familiar with programming, software development, software engineering, and web development (e.g. through TDT4100 Object-Oriented Programming, TDT4140 Software Engineering and IT2810 Web Development). For the exercises we will use Java and/or Python as the programming language.
Knowledge about information security (equal to the topic TTM4135 Information Security) is an advantage but not required.
Course materials
To be announced at the beginning of the semester.
Credit reductions
Course code | Reduction | From | To
---|---|---|---
IIKG3000 | 2.5 | |
Version: 1
Credits: 7.5 SP
Study level: Second degree level
Term no.: 1
Teaching semester: SPRING 2021
Language of instruction: English
Location: Trondheim
- Computer and Information Science
- Communication and Information Science
Department with academic responsibility
Department of Computer Science
Examination
Examination arrangement: Portfolio assessment
Term | Status code | Evaluation | Weighting | Examination aids | Date | Time | Examination system | Room *
---|---|---|---|---|---|---|---|---
Spring | ORD | Assignments (Arbeider) | 70/100 | | | | INSPERA |
Spring | ORD | Home exam (Hjemme-eksamen) | 30/100 | | Release 2021-05-12, Submission 2021-05-12 | 09:00 - 11:00 | INSPERA |
Summer | UTS | Assignments (Arbeider) | 70/100 | | | | |
Summer | UTS | Home exam (Hjemme-eksamen) | 30/100 | | | | INSPERA |
* The location (room) for a written examination is published 3 days before the examination date. If more than one room is listed, you will find your room at Studentweb.
For more information regarding registration for examination and examination procedures, see "Innsida - Exams".