Building security in is about building software right the first time, and this course teaches students to do just that. Organized around a few major themes (e.g., data at rest, data in motion, input validation, output encoding), this course teaches some common use cases we want to support, and how to design and implement them securely. This course is not tied to any particular language or domain. Different use cases come from different contexts (e.g., web, embedded, thick client, mobile). Each is presented with its standard attacks and the standard solutions that defend against those attacks. Rather than follow industry-standard security taxonomies that categorize mistakes, this course is organized around common software user stories, and how to do them securely. Topics include proper use of encryption, and handling of data across module boundaries, validation and encoding, and authentication and authorization issues.
At the end of this course, students will have the foundational knowledge to expand their software security and learn specific engineering techniques such as defensive programming, threat modeling, and penetration testing.