Blekinge Institute of Technology

This course is targeting software professionals who aim to improve the security of the applications and services they develop through the use ofcryptographic algorithms . The main focusof the course will be on how to address the main goals of information security, confidentiality, integrity, availability, authenticity and accountability (CIA++) from a practical perspective. The course will introduce specific frameworks that can be used to implement these features using different programming languages, such as C/C++, Python and Java. In addition, the course will highlight typical pitfalls related to the implementation of these security functions.

This course explains how a secure development process is expected by industry regulators, and how to implement it in an agile and DevOps lifecycle. This course will cover secure agile and DevOps software development with a focus on the following components: People: Enablement of agile teams for security through awareness, training and coaching.Processes: Implementation of security activities into well-known agile development processes such as SCRUM or SAFe. Security activities are analyzed based on relevant industry security standards.Technology: Description of security tools and technologies that can automate security activities in the agile & DevOps way of working.

The course provides knowledge and skills needed for defending critical infrastructure against cyber attacks. The example if such attack is Blackenergy cyberattack on the Ukrainian electrical grid in 2015 by Sandworm group (Russian GRU). This course covers security in SCADA and cyberphysical systems (CPS) as well as the regulations and standards that are applicable that helps to ensure an audit trail.

The purpose of the course is to show how security practices can be integrated into different software development processes (traditional, agile, continuous) and how to assess the maturity of the integration. The student will learn about different models, with a focus on a specific one touching upon security practices during software design, implementation, verification, and operation. In order to take different backgrounds and previous knowledge of the students into account, the course also covers the necessary background information on classical and security-oriented software development process models. The course enables students to assess the maturity of secure software development processes based on a model.

Every sector of the global economy relies on software. This makes software one of the principal targets for state-sponsored groups, military, criminals and other type of adversaries. Such attacks try to exploit insecure code, that is seemingly innocent bugs, which allow the adversaries to obtain unauthorized access to information or to take full control of compromised systems. The purpose of this course is to train software professionals in understanding in depth how insecure code can be exploited. In addition, it will equip them with knowledge in how to defend against this type attacks. The course begins by analyzing technical, psychological, and real-world factors that lead to production of vulnerable code. This is important knowledge for both developers and managers as it allows them to take actions that mitigate the impact of these factors, both when programming is performed but also during project management. Software exploits use specially crafted input data to applications and services to leverage logic flaws in the code that processes the input. Typically, the exploits overwrite specific structures in the program memory space, which allows them to bypass access control mechanisms and/or execute code provided as part of the input data. Therefore, a large part of the course is dedicated to understanding how exploits are constructed, essentially learning attackers’ “modus operandi”.

The course addresses fundamental questions related to how to build trusted systems. The focus will be on specific characteristics and approaches that allow to build trust into systems. In addition, methods to ensure that computers and services behave faithfully to the implementation specifications will be presented as well as approaches for detecting malicious deviations from the specifications. This course also introduces Blockchain concepts, security perspective of blockchain, consensus in blockchain, the decentralized philosophy behind Blockchain, as well as the main discussions in Blockchain environment and its potential applications.

Web application security encompasses that the student should learn to understand and discover weaknesses and vulnerabilities in web applications both on the server side and on the client side as well as be able to develop solutions for protection and conduct tests.