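Course Syllabus
Please respect intellectual property rights; do not use illegally photocopied textbooks, to avoid breaking the law.
Course name (Chinese): 安全軟體開發與檢測 (Secure Software Development and Testing)
(English):
Offering unit: Graduate Institute of Computer Science and Engineering
Course code: I6100
Instructor: 包蒼龍
Credits: 3.0  Required/Elective: Elective  Year offered: Graduate
Prerequisite courses or prior skills: None
Course overview and objectives: The aim of this course is to give an in-depth understanding of secure software development and testing, including planning, design, implementation, testing and maintenance. Students will learn how to carry out the secure software development life cycle (SSDLC): requirements, design, development, testing, and deployment and operations, as well as the following topics: threat modeling, authentication and authorization issues, input sanitization, source code review, vulnerability remediation and patch delivery. To confirm the security of a system, the course covers how to review source code before a software system goes live and how to fix the program according to the review results. It guides students to use the OWASP Top 10 list to detect potential weaknesses in programs, such as SQL Injection and XSS, and thereby ensure the security of the software system.
Textbook: Instructor-prepared materials
Reference materials:
1. 打造安全無虞的Web Applications:從策略制定、程式開發,到防止惡意攻擊之必備對策白皮書, by 德丸浩, 博碩文化
2. 無瑕的程式碼-整潔的軟體設計與架構篇 (Clean Architecture: A Craftsman's Guide to Software Structure and Design), by Robert C. Martin, translated by 戴于晉, 博碩文化
3. Website materials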
Course outline
Columns: unit topic; content outline; student learning objectives; unit learning activities; learning outcome assessment; notes

1  Introduction to Secure Software Development
   Content outline:
     1. What is SSDLC
     2. Software vulnerability analysis
   Student learning objectives:
     1. Learn what SSDLC is
     2. Learn why software vulnerabilities exist
   Unit learning activities:
     • Discussion
     • Lecture
     • Report

2  Introduction to Secure Software Development
   Content outline:
     1. Common mistakes and rules for secure software
   Student learning objectives:
     1. Learn common programming mistakes
     2. Learn how to write secure code
   Unit learning activities:
     • Discussion
     • Lecture
     • Homework

3  Security and privacy requirements, risk assessment, and lowering the attack surface
   Content outline:
     1. Security and privacy requirements
     2. Risk assessment
     3. Attack surface and methods to lower the risk
   Student learning objectives:
     1. Learn what the security and privacy requirements of a piece of software are
     2. Learn what risk assessment is and how to avoid the risk
     3. Learn what the attack surface is and how to lower the risk of being attacked
   Unit learning activities:
     • Hands-on practice
     • Lecture

4  Source code review for potential software vulnerabilities
   Content outline:
     1. String and buffer overflow
     2. Shell code
   Student learning objectives:
     1. Learn what a buffer overflow is and how to handle string operations correctly
     2. Learn how to avoid the shell code vulnerability
   Unit learning activities:
     • Lecture
     • Computer lab practice

5  Secure software development life cycle (SSDLC)
   Content outline:
     1. Requirements and specification
     2. Design
   Student learning objectives:
     1. Learn how to set up the software requirements
     2. Learn the methodology of software design
   Unit learning activities:
     • Discussion
     • Hands-on practice
     • Lecture
     • Homework

6  Secure software development life cycle (SSDLC)
   Content outline:
     1. Development
   Student learning objectives:
     1. Learn the development phase of software system design
   Unit learning activities:
     • Lecture
     • Report

7  Secure software development life cycle (SSDLC)
   Content outline:
     1. Testing
     2. Deployment and maintenance
   Student learning objectives:
     1. Learn the testing phase of the SSDLC
     2. Learn how to set up the testing and production environments
   Unit learning activities:
     • Discussion
     • Hands-on practice
     • Lecture
     • Report

8  Principles of secure software development
   Content outline:
     1. Security of formatted output
     2. Validation checks on input data
   Student learning objectives:
     1. Learn about output data security
     2. Learn how to validate input data
   Unit learning activities:
     • Discussion
     • Hands-on practice
     • Lecture

9  Midterm examination
   Content outline: Midterm examination
   Student learning objectives: Outcome assessment
   Unit learning activities:
     • Midterm exam

10 Software vulnerability analysis
   Content outline:
     1. Privilege elevation problem
     2. Error handling process
     3. Dynamic memory management
   Student learning objectives:
     1. Learn the problem of privilege elevation
     2. Learn the correct way to handle errors
     3. How to avoid memory overflow
   Unit learning activities:
     • Hands-on practice
     • Lecture

11 OWASP injection flaws and cross-site scripting attacks
   Content outline:
     1. Web programming design examples
     2. Injection attack vulnerability and testing
     3. Cross-site scripting and testing
   Student learning objectives:
     1. Learn how to design programs for the web
     2. Learn the injection flaw problem
     3. Learn what cross-site scripting is and how to reduce the risk
   Unit learning activities:
     • Hands-on practice
     • Lecture
     • Report

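Overview of teaching points:
Selection of teaching materials: ■ Instructor-prepared materials ■ Provided by the textbook author
Assessment methods: Final exam: 30%   Midterm exam: 30%   Report: 15%   : 5%   Quizzes: 10%   Homework: 10%
Teaching resources: □ Electronic course materials □ Course website
Exam disqualification rules: http://eboard.ttu.edu.tw/ttuwebpost/showcontent-news.php?id=504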