Secure Programming Practices (2020)
The intent of the Secure Programming Practices Knowledge Unit is to provide students with an understanding of the characteristics of secure programs and the ability to implement programs that are free from vulnerabilities.
- 1 Outcomes
- 2 Topics
- 3 Skills
- 4 NICE Framework Categories
- 5 CSEC 2017 Categories
- 6 Specialization Areas
- 7 See also
- 8 Further reading
- 9 Sample knowledge test
- 10 Sample skills test
- 11 Sample abilities test
- 12 Additional notes or materials
- 13 Contacts
- 14 Reference ID
To complete this KU, students should be able to:
- Produce software components that satisfy their functional requirements without introducing vulnerabilities
- Describe the characteristics of secure programming.
- Understand the vulnerabilities inherent in different programming languages.
- Examine vulnerabilities introduced through the use of libraries and how to mitigate those vulnerabilities.
- Interpretation and realization of Security Requirements
- Principles of Secure Programming
- Robust Programming
- Defensive Programming
- Input Validation, Type checking
- Cover all cases - use defaults to handle cases not explicitly covered.
- Catch and handle exceptions at the lowest level possible.
- Avoidance of risky coding constructs.
- Avoid information leakage through error messages.
- Apply security practices to classes.
- Do not allow data changes by reference in external interfaces.
- Use the context to determine data access.
- Support verification in data updates.
- Authenticate when possible.
- Programming Flaws
- Buffer Overflows, Integer Errors
- Static Analysis
- Data Obfuscation
- Data Protection
- Secure Programming paradigms
- Pair programming
- Code reviews
- Test-driven development
NICE Framework Categories
CSEC 2017 Categories
Related Knowledge Units
- Life-Cycle Security
- Software Assurance
- Security Risk Analysis
- Software Security Analysis
- Vulnerability Analysis
- QA/Functional Testing
Original Knowledge Unit
Suggested academic readings
Sample knowledge test
Sample skills test
Sample abilities test
Additional notes or materials