Revised 5/2024

ITP 195 - Introduction to Secure Software Design (4 CR.)

Course Description

Introduces concepts, requirements, architecture and design, and implementation of secure software, Topics related to secure software design are examined including core concepts, security design principles, requirements and compliance, architecture and design, and implementation. Lecture 4 hours per week.

General Course Purpose

This course provides a foundation sufficient for a student to instill the basics of secure software design and implement secure coding practices that meet secure coding requirements. This course also assists the student with preparing for the first 4 domains in the Certified Secure Software Lifecycle Professional (CSSLP) Certification.

Course Prerequisites/Corequisites

Prerequisites: ITE 150.

Course Objectives

Upon completion of this course, the student will be able to:

• Recognize secure coding standards and practices.

• Recognize threats, flaws, and vulnerabilities common to insecure code and techniques for mitigating them.

• Apply secure coding principles in the design of programs.

Major Topics to Be Included

Secure Software
Secure Software
Secure Software Architecture and
Secure Software
Continued coding and advanced used of various foundational constructs including
- Importing modules
- Variables and data types including data collections
- Control structures
- Functions and methods
- File Processing
- Use of appropriate data structures
Continued coding using Object Oriented Design including Classes, Attributes, Methods, Inheritance, and Polymorphism.
Demonstrate common coding exploitations and vulnerabilities and mitigation techniques

within case studies.

Student Learning Outcomes

Secure Software
- Define and explain the concepts of confidentiality, integrity, and availability
- Describe authentication and technologies and systems used to assure authentication
- Describe authorization and technologies and systems used to manage authorization
- Describe accountability and technologies and systems used to manage accountability
- Describe nonrepudiation and technologies and systems used in nonrepudiation
Security Design Principles
- Define software security requirements
- Identify and analyze compliance requirements
- Identify and analyze data classification
- Identify and analyze privacy
- Develop misuse and abuse
- Develop security requirements traceability matrix (STRM)
- Develop methodologies to ensure security requirements flow down to suppliers/providers
Secure Software Architecture and Design
- Perform threat modeling
- Define the security architecture
- Perform secure interface design
- Perform architectural risk assessment
- Model (Non-Functional) security properties and constraints
- Model and classify data
- Evaluate and select a reusable secure design
- Perform security architecture and design review
- Define secure operational architecture
- Use secure architecture and design principles, patterns, and tools
Secure Software Implementation
- Adhere to relevant secure coding practices (e.g., standards, guidelines, and regulations)
- Analyze code for security risks
- Implement security controls
- Address security risks
- Securely reuse third-party code or libraries
- Securely integrate components
- Apply security during the build process
Continued coding and advanced used of various foundational constructs

Use an Integrated Development Environment (IDE) to write, update, and test Python code
Use a debugger program to walk-through the Python code
Write Python code that calls built-in functions, user-defined functions, and methods
Write Python code that has/uses each of the foundation constructs:
- Data structures including lists, tuples, and dictionaries
- If statements
- While and for loops
- Imported and user defined functions including those with attributes, keyword arguments, default parameters.
- File input, processing, and output using different file types such as .txt, .csv, and .json
- Handle errors using Python-defined and user-defined exceptions.
Continued coding using Object Oriented Design including Classes, Attributes, Methods, Inheritance, and Polymorphism
- Write code that uses constructors, set and get methods, mutators and accessors
- Write code that demonstrates private access and the use of name mangling
- Write code that demonstrates the use of class and instance attributes and methods
- Write code that uses Python methods and dunder methods to discover the object attributes and properties, and class structure.
- Write code that builds a class hierarchy demonstrating an understanding of inheritance, multiple inheritance, polymorphism

Demonstrate common coding exploitations and vulnerabilities and mitigation techniques within case studies

Required Time Allocation

To standardize the core topics of ITP 195 so that a course is equivalent in content across campuses and formats, the following student contact hours per topic are required. Each syllabus should be created to adhere as closely as possible to these allocations. Of course, the topics cannot be followed sequentially. Many topics are taught best as an integrated whole, often revisiting the topic several times, each time at a higher level. The topics listed should comprise 60 contact hours of instruction for a 4-credit class excluding the final exam regardless of the format of instruction. The final exam time is not included in the timetable.

Topic	Hours	Percent
Secure software concepts	4	6.67%
Security design principles	4	6.67%
Secure Software Architecture and Design	4	6.67%
Secure Software Implementation	4	6.67%
Common software vulnerabilities, threats, flaws	4	6.67%
Continued coding and advanced used of various foundational constructs	12	20.0%
Continued coding using Object Oriented Design including Classes, Attributes, Methods, Inheritance, and Polymorphism.	12	20.0%
Demonstrate common coding exploitations and vulnerabilities and mitigation techniques within case studies.	12	20.0%
Optional Additional Content	4	6.67%
Total	60	100.0%