Information on individual educational components (ECTS-Course descriptions) per semester

  
Degree programme:Bachelor Computer Science - Software and Information Engineering
Type of degree:FH Bachelor´s Degree Programme
 Full-time
 Summer Semester 2026
  

Course unit titleSecure Software Development
Course unit code024717040501
Language of instructionGerman
Type of course unit (compulsory, optional)Compulsory
Semester when the course unit is deliveredSummer Semester 2026
Teaching hours per week3
Year of study2026
Level of course unit (e.g. first, second or third cycle)First Cycle (Bachelor)
Number of ECTS credits allocated4
Name of lecturer(s)Armin SIMMA


Prerequisites and co-requisites

Basic knowledge of handling the Unix / or Linux command line; Knowledge of the most important commands for navigation in the tree; Copying, deleting, etc. of files; User management; Basic knowledge of networking: Configuring the network interface; Basic knowledge about the configuration of network devices (routers, switches) using the console (e.g. CLI). The students understand the concepts of structured as well as object-oriented programming. They master an object-oriented programming language. They know how to design software and can apply a software process. They know basic design patterns. Students already know concepts and models related to computer networks (e.g., layer model); They know the most important network protocols (e.g., HTTP, TCP, IP, DNS, etc.). They can log and analyze network traffic (e.g., using wireshark) network traffic.

Course content

Introduction:

  • Motivation
  • Concrete examples of security problems caused by software vulnerabilities
  • Emphasize the importance of early stages
  • Security goals (CIA and others)
  • Security principles (e.g. Saltzer and Schroeder but also updated ones)


Security requirements

  • Typical security requirements
  • Compliance requirements
  • Techniques for finding security requirements
  • Checklists
  • Difference functional / non-functional requirements and connection with security
  • Misuse cases
  • Threat modeling
  • Risk analysis and assessment (OWASP risk rating)
  • Security Development Lifecycle (incl. Agile): How can security be "built in" in the SDL?
  • Touchpoints
  • MS SDL Secure Development Lifecycle
  • OWASP SAMM and BSIMM


Security tests:

  • Static, dynamic test procedures and tools (SAST, DAST)
  • Code review, penetration tests
  • Secure coding
  • Standards and norms as well as important organizations in the area of ​​software security:
  • OWASP Open Web Application Security Project
  • MITRE (CVE, CWE, CVSS)
  • National Vulnerability Database NVD (NIST)
  • SEI CERT (Secure Coding Standards): e.g. for C, C ++, Java, Android
  • BSI Baseline Protection
  • Classes of frequently occurring software errors / weaknesses (injection, overflow, format string, race conditions)


Web application security / web security

OWASP Top 10: Web Application Risks

  • Injection: SQLi, OS Command Injecton
  •  Broken Authentication / Access Control
  • Session problems (session fixation etc.)
  • Sensitive data exposure
  • Cross-site scripting (XSS)


Countermeasures:

  • Data handling / input validation
  • (Output) encoding
  • Secure authentication
  • Current authentication methods in the web environment
  • Access control
  • Role-based access control
  • Session management
  • Logging
  • Error handling


Exercises with vulnerable web apps (e.g. Security Dojo / DVWA and OWASP juice shop)

Learning outcomes

Students know and understand models, concepts and tools to:

  • Install security in all phases of the software development process (including requirements analysis, architecture/design and implementation) and
  • Understand the security challenges associated with agile software development.


The students know and understand approaches, processes, methods and technologies for risk management. They can use the OWASP risk rating method.

The students know typical areas in software development, in which mistakes are often made in connection with security; they are familiar with possible solutions ("best practices"). These areas are: authentication, authorization, data validation (input validation and output encoding), session management, error handling, logging and monitoring as well as applied cryptology.

For common software development processes, the students are familiar with the challenges and solutions of enriching them with best practices and methods for secure software development. There is an overview of security aspects in the most common process models (waterfall to agile); however, the focus will be on agile processes (Scrum).

Students learn how threat modeling can be used to identify and classify threats.
Threat modeling is a central method in the area of ​​secure software development, so it is discussed in detail. The participants learn which steps are to be carried out for threat modeling (values; actors identified; architecture; identifying and documenting threats; assessing threats; planning countermeasures). Recognized best practices are used for this: DFD, trust limits, STRIDE, threat trees.

The participants learn how OWASP Risk Rating can be used. The individual categories of OWASP Risk Rating are discussed and applied on the basis of the case study.

Students understand the security issues associated with web application development and the most common and risky threats to web applications. They know a wide variety of countermeasures and can also implement some of them.

Planned learning activities and teaching methods
  • Integrated course, lecture and accompanying exercises
  • A simple threat modeling is carried out using a sample project.
  • In this case study (example project), the previously learned and discussed activities (best practices, methods) are applied in practice. A fictitious example software is being developed for this. (For example, an online banking system, as this is known to the students and contains security-critical components.
  • The well-known security principles (Saltzer and Schroeder 1975, but also updated ones) are presented and discussed with the students, i.e. it is discussed where which principle is / can be used in their practice and in the case study.
  • Online lab exercises vulnerable web apps (e.g. OWASP Juice Shop)
  • Attendance is mandatory in the exercises / laboratory work
Assessment methods and criteria

Seminar 40%
Written examination 60%

For a positive grade, a minimum of 50% of the possible points must be achieved in each part of the examination.
mandatory attendance for project/ labs

Comment

Not applicable

Recommended or required reading

Allen, Julia H. (2008): Software Security Engineering: A Guide for Project Managers: A Guide for Project Managers. 1. Aufl. Upper Saddle River, NJ: Addison-Wesley Professional.

Anderson, Ross J. (2008): Security Engineering: A Guide to Building Dependable Distributed Systems. 2. Tokyo, New York: Wiley.

Bell, Laura u.a. (2017): Agile Application Security: Enabling Security in a Continuous Delivery Pipeline. Sebastopol, CA: O'Reilly UK Ltd.

Deogun, Daniel; Johnsson, Dan Bergh; Sawano, Daniel (2019): Secure By Design. 1st Aufl. Shelter Island: Manning Publications.

Fernandez-Buglioni, Eduardo (2013): Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. 1. Chichester, West Sussex: Wiley.

Howard, Michael (2009): 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 1. Aufl. New York: McGraw-Hill Education.

Kriha, Walter; Schmitz, Roland (2008): Internet-Security aus Software-Sicht: Grundlagen der Software-Erstellung für sicherheitskritische Bereiche. 2008. Aufl. Berlin: Springer.

Kriha, Walter; Schmitz, Roland (2009): Sichere Systeme. Konzepte, Architekturen und Frameworks. 2009. Aufl. Berlin: Springer.

LeBlanc, Jonathan; Messerschmidt, Tim (2016): Identity and Data Security for Web Development: Best Practices. 1. Aufl. Beijing ; Boston: O'Reilly UK Ltd.

McGraw, Gary R. (2006): Software Security: Building Security In. Annotated ed. Upper Saddle River, NJ: Addison Wesley.

Najera-Gutierrez, Gilberto (2018): Kali Linux Web Penetration Testing Cookbook: Identify, exploit, and prevent web application vulnerabilities with Kali Linux 2018.x, 2nd Edition. 2nd Revised edition. Birmingham, UK: Packt Publishing.

Paulus, Sachar (2011): Basiswissen Sichere Software: Aus- und Weiterbildung zum ISSECO Certified Professional for Secure Software Engineering. 1. Aufl. Heidelberg: Dpunkt Verlag.

Richer, Justin; Sanso, Antonio (2017): OAuth 2 in Action. 1st Aufl. Shelter Island, NY: Manning Publications.

Schäfers, Tim Philipp (2018): Hacking im Web: Denken Sie wie ein Hacker und schließen Sie die Lücken in Ihren Webapplikationen | Völlig überarbeitete & aktualisierte 2. Auflage. 2., überarbeitete & aktualisierte Aufl. Haar bei München: FRANZIS Verlag GmbH.

Schumacher, Markus u.a. (2005): Security Patterns: Integrating Security and Systems Engineering. 1. Chichester, England ; Hoboken, NJ: Wiley.

Seacord, Robert C. Seacord (2013): Secure Coding in C and C++. 2nd edition. Upper Saddle River, NJ: Addison-Wesley Professional.

Shostack, Adam (2014): Threat Modeling: Designing for Security. 1. Indianapolis, IN: Wiley.

Stuttard, Dafydd; Pinto, Marcus (2011): The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. 2. Indianapolis, IN : Chichester: Wiley.

Mode of delivery (face-to-face, distance learning)

Classroom teaching and labs with mandatory attendance

Summer Semester 2026go Top