Secure Programming Practices (2020)

From CyberEdWiki
Jump to: navigation, search

The intent of the Secure Programming Practices Knowledge Unit is to provide students with an understanding of the characteristics of secure programs and the ability to implement programs that are free from vulnerabilities.

Outcomes[edit]

To complete this KU, students should be able to:

  1. Produce software components that satisfy their functional requirements without introducing vulnerabilities
  2. Describe the characteristics of secure programming.
  3. Understand the vulnerabilities inherent in different programming languages.
  4. Examine vulnerabilities introduced through the use of libraries and how to mitigate those vulnerabilities.

Topics[edit]

  1. Interpretation and realization of Security Requirements
  2. Principles of Secure Programming
  3. Robust Programming
  4. Defensive Programming
    1. Input Validation, Type checking
    2. Cover all cases - use defaults to handle cases not explicitly covered.
    3. Catch and handle exceptions at the lowest level possible.
    4. Avoidance of risky coding constructs.
    5. Avoid information leakage through error messages.
    6. Apply security practices to classes.
      1. Do not allow data changes by reference in external interfaces.
      2. Use the context to determine data access.
      3. Support verification in data updates.
      4. Authenticate when possible.
  5. Programming Flaws
    1. Buffer Overflows, Integer Errors
  6. Static Analysis
  7. Data Obfuscation
  8. Data Protection
  9. Secure Programming paradigms
    1. Pair programming
    2. Code reviews
    3. Test-driven development

Skills[edit]

NICE Framework Categories[edit]

CSEC 2017 Categories[edit]

Specialization Areas[edit]

See also[edit]

Related Knowledge Units

Original Knowledge Unit

Further reading[edit]

Suggested textbooks[edit]

Suggested academic readings[edit]

Sample knowledge test[edit]

Sample skills test[edit]

Sample abilities test[edit]

Additional notes or materials[edit]

Contacts[edit]

Reference ID[edit]

SPP