Software Security

Objectives

At the end of this course, students will have acquired the knowledge, skills and competences to enable them to:

  1. Know the main principles, methods and techniques of software development to guarantee the security of the software produced.

  2. Know the most common security flaws in software systems.

  3. Know the basic concepts of security: confidentiality, integrity and availability. 

  4. Know the basic mechanisms of authentication, authorisation, isolation and least privilege.

  5. Know how to build software following good architectural practices that guarantee data security. 

  6. Know how to implement authentication, authorisation (access control) and flow control mechanisms to guarantee data security (confidentiality and integrity). 

  7. Know how to analyse software in terms of the behaviour of programs in relation to access control techniques and information flow techniques. 

  8. Know the defence strategies based on software verification, programming languages, testing and fuzzing.

General characterization

Code

11553

Credits

6.0

Responsible teacher

Carla Maria Gonçalves Ferreira, João Ricardo Viegas da Costa Seco

Hours

Weekly - 4

Total - 56

Teaching language

Portuguese

Prerequisites

Available soon

Bibliography

Secure Software Lifecycle, CyBok chapter by Laurie Williams, 2019

Software Security, CyBok chapter by Frank Piessens, 2018

Software Security: Principles, Policies, and Protection, Mathias Payer, July 2021

Avoiding the Top 10 Security Design Flaws, IEEE, 2014

The Tangled Web: A Guide to Securing Modern Web Applications, Michał Zalewski, 2011

Teaching method

The teaching and learning methodologies of this course are based on a combination of theoretical classes, theoretical-practical sessions, and group practical work. During the theoretical classes, students are introduced to the fundamental concepts of software security, including principles and practices that ensure data confidentiality, integrity, and availability. These classes are complemented by practical sessions, where students apply the acquired knowledge to examples and exercises that simulate real-world scenarios in secure software development.

These methodologies are aligned with the pedagogical model, fostering the development of both technical skills and collaborative work, preparing students for the practical application of security concepts in software systems.

Evaluation method

The assessment of this course unit is twofold:

  • The written assessment (worth 60% of the final grade) consists of two tests with equal weight. These tests evaluate students’ understanding of fundamental security principles, secure development methodologies, and best practices taught in the theoretical classes. The theoretical-practical component can also be completed through an exam (during the resit period).

  • The practical component (worth 40% of the final grade) consists of a project with two submissions. The evaluation requires a discussion with the team, including a presentation of the work and a report.

  • There is no minimum grade required for any of the components, nor is there the notion of attendance (“frequência”).

Ban on the Use of Electronic Devices During Assessments

During an assessment, a student may not have any electronic devices capable of accessing the internet or with Bluetooth connectivity (e.g., smartphones, smartwatches, smartglasses, tablets, laptops) with them, even if they are turned off.
Violation of this rule results in immediate failure of the curricular unit by exclusion and will be reported to the Scientific Committee of the respective program.
Subject matter

A. Security Principles in Software Systems. Presentation of security principles in software (confidentiality, integrity, and availability) and implementation mechanisms (authentication, authorization, isolation, etc.). Principle of least privilege. Vulnerabilities.

B. Secure Software Lifecycle. Design, implementation, and testing of software. Secure software evolution. Architectural patterns for the implementation of secure applications.

C. Attack Vectors. Attacks on the execution stack. Memory safety. Type safety. Types of attacks: denial of service, information leakage, etc.

D. Defense Strategies. Software verification, information-flow control. Programming languages and frameworks. Web application security. Third-party authentication mechanisms. Capabilities models.

Programs

Programs where the course is taught: