41184 Secure Programming and Penetration Testing
Warning: The information on this page is indicative. The subject outline for a
particular session, location and mode of offering is the authoritative source
of all information about the subject for that offering. Required texts, recommended texts and references in particular are likely to change. Students will be provided with a subject outline once they enrol in the subject.
Subject handbook information prior to 2024 is available in the Archives.
Credit points: 6 cp
Subject level:
Undergraduate
Result type: Grade and marksRequisite(s): 31251 Data Structures and Algorithms OR 41012 Programming for Mechatronic Systems
Recommended studies:
C/C++, Code Analysis, Compilers
Description
This subject provides the foundation and theoretical underpinning which aims to understand, detect and defend software vulnerabilities, which can cause unexpected behaviours or exploited by attackers. The source code analysis technique taught in this subject forms an important basis of the penetration testing (ethical hacking). Knowing how to approach and develop automatic auditing systems, identifying vulnerabilities and developing security analysis and testing methods to protect systems against cyber attacks underpin this subject’s conceptual outcomes.
Students in this subject have the opportunity to participate in security challenges and competitions at the national and international levels. The students are assessed based on their technical capabilities in secure programming, software analysis and their communication skills in speaking and writing.
Subject learning objectives (SLOs)
Upon successful completion of this subject students should be able to:
| 1. | Classify software security vulnerabilities in the source code of systems, applications, and services. (D.1) |
|---|---|
| 2. | Automate the analysis of a software project using source code analysis on top of compilers to defend against real‐world attacks from malicious entities. (D.1) |
| 3. | Communicate effectively individually and as a team to describe plans for countering changing security threats. (E.1) |
Course intended learning outcomes (CILOs)
This subject also contributes specifically to the development of the following Course Intended Learning Outcomes (CILOs):
- Technically Proficient: FEIT graduates apply abstraction, mathematics and discipline fundamentals, software, tools and techniques to evaluate, implement and operate systems. (D.1)
- Collaborative and Communicative: FEIT graduates work as an effective member or leader of diverse teams, communicating effectively and operating within cross-disciplinary and cross-cultural contexts in the workplace. (E.1)
Contribution to the development of graduate attributes
Engineers Australia Stage 1 Competencies
This subject contributes to the development of the following Engineers Australia Stage 1 Competencies:
- 1.2. Conceptual understanding of the mathematics, numerical analysis, statistics, and computer and information sciences which underpin the engineering discipline.
- 1.3. In-depth understanding of specialist bodies of knowledge within the engineering discipline.
- 2.2. Fluent application of engineering techniques, tools and resources.
- 3.2. Effective oral and written communication in professional and lay domains.
Teaching and learning strategies
This subject uses active learning strategies, which involves a series of on-campus workshops and tutorials to support a hands-on and lab-focused collaborative learning activities. Students will build up their professional experience in secure programming and penetration testing throughout each workshop accomplishment.
Outside class, students will be required to review online materials, pre-readings and open education resources before taking the on-campus workshops. Students will also conduct an authentic ethical hacking project in small teams through multi-staged assessments, which mainly composed of information gathering and enumeration plan report, and performance and analysis report in real testing. Students will have experiences in reflecting on and identifying how they may improve both group and individual activities through Canvas discussions boards as required to communicate ideas and questions with peers when studying the subject.
Feedback for assessment tasks will be given to students two weeks after submission. Students will also receive in-class feedback for their workshops and tutorial exercises on weekly basis.
Content (topics)
- Introduction to Secure programming
- Introduction to Penetration Testing
- Applied ethical hacking skills
- Advanced ethical hacking skills
- Security Analytics
- Showcase Revision
Assessment
Assessment task 1: Secure Programming and Vulnerability Assessment
| Intent: | To practice secure programming skills (e.g., C/C++) and investigate and understand real-world security vulnerabilities. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1, 2 and 3 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 and E.1 |
| Type: | Quiz/test |
| Groupwork: | Individual |
| Weight: | 20% |
Assessment task 2: Source Code Representation for Software Analysis
| Intent: | To demonstrate how compilers represent various real-world source code fragments as an appropriate representation for software security analysis as a foundation for building software security tools. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1, 2 and 3 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 and E.1 |
| Type: | Project |
| Groupwork: | Individual |
| Weight: | 20% |
Assessment task 3: Software Verification and Testing
| Intent: | To practice and apply software security analysis techniques and start building automated source code analysis tools based on the code representation (in Task 2) to automatically reason about a program’s properties (e.g., control- and data-flows) or program execution states. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1 and 2 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 |
| Type: | Portfolio |
| Groupwork: | Individual |
| Weight: | 15% |
Assessment task 4: Automatic Detection of Security Vulnerabilities
| Intent: | To deliver and evaluate the effectiveness of the developed security analysis and testing tool (Task 3) in detecting and defending a range of vulnerabilities. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1 and 2 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 |
| Type: | Project |
| Groupwork: | Individual |
| Weight: | 15% |
Assessment task 5: Vulnerabilities scanning, exploiting and penetration testing report.
| Intent: | To implement common computer security attacks, complete short exercises with common penetration testing software, and investigate common vulnerabilities and report on the results. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1 and 3 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 and E.1 |
| Type: | Portfolio |
| Groupwork: | Individual |
| Weight: | 30% |
Minimum requirements
In order to pass the subject, a student must achieve an overall mark of 50% or more.
Required texts
There is no prescribed text for this subject.
Recommended texts
Weidman, 2014, Penetration Testing, 1st Ed Random House, San Francisco, USA.
National Vulnerability Database: https://nvd.nist.gov/
Common Vulnerabilities and Exposures. https://cve.mitre.org/
Static Value-Flow Analysis Framework for Source Code, https://github.com/SVF-tools/SVF
Compilers: Principles, Techniques, and Tools Hardcover, https://www.amazon.com.au/Compilers-Alfred-V-Aho/dp/0321486811
LLVM Compiler, https://llvm.org/
Other resources
FEIT student resources: https://www.uts.edu.au/current-students/current-students-information-faculty-engineering-and-it/manage-your-course