I6100 教學大綱表

教學大綱表 (113學年度第1學期)

請遵守智慧財產權，勿使用非法影印教科書，避免觸法。

課程名稱 Course Title	(中文) 安全軟體開發與檢測 (英文) Secure Software Development And Testing			開課單位 Departments	資訊工程研究所
				課程代碼 Course No.	I6100
授課教師 Instructor	包蒼龍
學分數 Credit	3.0	必/選修 core required/optional	選修	開課年級 Level	研究所
先修科目或先備能力(Course Pre-requisites)：無
課程概述與目標(Course Overview and Goals)：本課程的目的是深入瞭解安全軟體開發與檢測，包括其規劃、設計，實作、測試和維護。在課程中，學生將學習如何進行安全軟體開發生命週期(SSDLC)：需求、設計、開發、測試與佈署維運，以及以下主題：威脅建模、身份驗證和授權問題、輸入清理、源碼檢測、修復漏洞和派送修補。為了確認系統的安全性，在軟體系統上線前，如何對源碼進行檢測以及依檢測結果修補程式等相關知識，引導學生依據OWASP Top 10的清單，檢測程式中潛在的如SQL Injection、XSS等弱點，據以確保軟體系統的安全。
教科書(Textbook)	自編教材
參考教材(Reference)	1. 打造安全無虞的Web Applications：從策略制定、程式開發，到防止惡意攻擊之必備對策白皮書，德丸浩，博碩文化 2. 無瑕的程式碼－整潔的軟體設計與架構篇 (Clean Architecture: A Craftsman's Guide to Software Structure and Design)，Robert C. Martin 著、戴于晉譯，博碩文化 3. 網站資料

課程大綱 Syllabus			學生學習目標 Learning Objectives	單元學習活動 Learning Activities	學習成效評量 Evaluation	備註 Notes
序 No.	單元主題 Unit topic	內容綱要 Content summary	學生學習目標 Learning Objectives	單元學習活動 Learning Activities	學習成效評量 Evaluation	備註 Notes
1	Introduction to Secure Software Development	1. What is SSDLC 2. Software vulnerability analysis	1. Learn what is SSDLC 2. Learn why software vulnerability exist
2	Introduction to Secure Software Development	1. Common mistake and rules for secure software	1. Learn common programming mistakes 2. Learn how to write secure codes
3	Requirements of security and privacy, risk assessment, and lower the attack surface	1. Requirement of security and privacy 2. Risk assessment 3. Attack surface and method to lower the risk	1. Learn what is the security and privacy requirements of a software 2. Learn what is risk assessment and how to avoid the risk 3. Learn what is the attack surface and how to lower the risk of being attacck
4	Source code review for potential software vulnerability	1. String and buffer overflow 2. Shell code	1. Learn what is buffer overflow and how to correctly handle the string operation 2. Learn how to avoid the shell code vulnerability
5	Secure software development life cycle (SSDLC)	1. Requirement and specification 2. Design	1. Learn how to setup the software requirement 2. Learn the methodology of software design
6	Secure software development life cycle (SSDLC)	1. Development	1. Learn the development phase of the software system design
7	Secure software development life cycle (SSDLC)	1. Testing 2. Deployment and maintenance	1. Learn the testing phase of the SSDLC 2. Learn how to setup the testing and production environment
8	Principle of secure software development	1. Security of formatted output 2. Validation check of input data	1. Learn about the output data security 2. Learn how to validate the input data
9	Midterm examination	Midterm examination	Outcome assessment
10	Software vulnerability analysis	1. Privilege elevation problem 2. Error handling process 3. Dynamic memory management	1. Learn the problem of privilege elevation 2. Learn the correct way to handling errors 3. How to avoid memory overflow
11	OWASP Injection flaw and cross site scripting attack	1. Web programming design examples 2. Injection attack vulnerability and testing 3. Cross site scripting and testing	1. Learn how to design programs for web 2. Learn the injection flaw problem 3. Learn what is cross site scripting and how to reduce the risk

彈性教學週活動規劃

序 No.	實施期間 Period	實施方式 Content	教學說明 Teaching instructions	彈性教學評量方式 Evaluation	備註 Notes
1	起:2024-12-30 迄:2025-01-11	3.實作 Practical class	使用程式源碼檢測工具檢測原始碼並分析程式弱點與改善做法	學生簡報並展示成果

教學要點概述：
1.自編教材 Handout by Instructor：
■ 1-1.簡報 Slids
■ 1-2.影音教材 Videos
■ 1-3.教具 Teaching Aids
□ 1-4.教科書 Textbook
□ 1-5.其他 Other
■ 2.自編評量工具/量表 Educational Assessment
□ 3.教科書作者提供 Textbook

成績考核 Performance Evaluation：期末考：20% 期中考：20% 彈性教學：10% 上機測驗：20% 平時考：20% 作業：10%

教學資源(Teaching Resources)：
■ 教材電子檔(Soft Copy of the Handout or the Textbook)
□ 課程網站(Website)
扣考規定：https://curri.ttu.edu.tw/p/412-1033-1254.php