- Describe how encapsulation can improve software security
- Describe how avoiding duplicate code can improve software security
- Demonstrate how validating input can improve software security
- Demonstrate how creating copies of mutable output values can improve software security
- Explain how `public static final` fields that are not constants can create security vulnerabilities
- Make use of `final` to guard against data corruption
Note taking requirement
Don't forget to submit your notes in Canvas by midnight Wednesday.
Reading
- Study Secure Software Development
- Reference slides
Introduction [6:17]
- What are Security Principles?
- What are Security Practices?
- What is meant by data integrity?
- How can you ensure data integrity?
- What is meant by confidentiality?
- How can you ensure confidentiality?
- How do data integrity and confidentiality differ?
- Watch the following video [link]
Security Principles [7:07]
- How is availability a security concern?
- What is the Principle of Least Privilege?
- What is the Economy of Mechanism Principle?
- How is the Economy of Mechanism Principle helpful for security?
- What is the security advantage of Open Design?
- How does one Fail Securely?
- What principle was discussed but not listed here?
- Watch the following video [link]
Security Principles Continued [2:46]
- What is meant by Planning for Failure?
- How does one manage the Weakest Link?
- Which principles are most important?
- Watch the following video [link]
Security Practices [4:43]
- How can you be defensive when designing and implementing software?
- What is a better alternative to "no obvious flaws?"
- How does avoiding duplicate code improve security?
- What is a trust boundary and how could it be exploited?
- How does encapsulation improve security?
- Watch the following video [link]
Security Practices Continued [12:29]
- How do potential performance issues affect security?
- Why is releasing resources an important security practice?
- Be aware of information conveyed in exceptions.
- What Facebook or Twitter bad practice was mentioned? Which practice did it violate?
- Be aware of the memory footprint you leave.
- Which best practice minimizes potential risks from attacks based on special characters?
- What security practice was covered in the video but not listed above?
- Watch the following video [link]
Security Practices Continued [7:59]
- Is there anything redeeming in my story about my Amazon.com exploit?
- What security practice(s) and principle(s) could have addressed my Amazon.com exploit?
- How can careless HTML/XML/SQL generation be a security risk?
- What does it mean to declare a class as `final`?
- Why is input validation important?
- What security risk is exposed if your constructor calls a method that can be overridden?
- Why prefer immutability?
- Watch the following video [link]
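The learning objectives at the top of this page (a `public static final` field that is not a constant, `final` guarding against data corruption, copies of mutable output values, input validation) and the last video's questions on `final` classes and immutability are illustrated by the following Java class. It is an added example, not code from the course or its videos; the `PortPolicy` class and its port-range rule are hypothetical.

```java
import java.util.Arrays;

// Added example (not from the course materials): a "final" field holding a mutable
// array is not a constant, and a private final field plus defensive copies and
// input validation is the safe alternative.
public final class PortPolicy {                 // final class: cannot be subclassed

    // UNSAFE: final fixes the reference, not the contents. Any code that can see
    // this field can overwrite an element and change policy for every caller.
    public static final int[] UNSAFE_ALLOWED_PORTS = {443, 8443};

    // SAFE: private, and only ever handed out as a copy.
    private static final int[] ALLOWED_PORTS = {443, 8443};

    private final int[] ports;                  // per-instance copy, never shared

    public PortPolicy(int[] requested) {
        // Validate input before trusting it (hypothetical rule: 1..65535 only).
        if (requested == null) throw new IllegalArgumentException("ports required");
        for (int p : requested) {
            if (p < 1 || p > 65535) throw new IllegalArgumentException("bad port " + p);
        }
        this.ports = requested.clone();         // copy in: caller keeps no handle to our state
    }

    // Copy out: callers receive a snapshot they may mutate without touching ours.
    public int[] getPorts() { return ports.clone(); }

    public static int[] allowedPorts() { return ALLOWED_PORTS.clone(); }

    public boolean isAllowed(int port) {
        return Arrays.stream(ALLOWED_PORTS).anyMatch(p -> p == port);
    }

    public static void main(String[] args) {
        UNSAFE_ALLOWED_PORTS[0] = 23;           // compiles: the array is final, its elements are not
        System.out.println("unsafe list after caller write: " + Arrays.toString(UNSAFE_ALLOWED_PORTS));

        int[] mine = {443};
        PortPolicy policy = new PortPolicy(mine);
        mine[0] = 23;                           // caller mutates its own array after construction
        policy.getPorts()[0] = 23;              // mutates only the returned copy
        System.out.println("policy ports still intact: " + Arrays.toString(policy.getPorts()));
        System.out.println("shared list unchanged by getter copy: " + Arrays.toString(allowedPorts()));
        System.out.println("port 23 allowed? " + policy.isAllowed(23));
    }
}
```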