Study abroad in Edinburgh

Course finder

Semester 1

Secure Programming (INFR11098)

Course Website







Normal Year Taken


Delivery Session Year



Course Summary

*This course will not be taught in 2020-21. Students given permission last year to sit this year's exam may register exam-only.*This course studies the principles and practices of secure programming. Secure programming means writing programs in a safe fashion, to avoid vulnerabilities that can be exploited by attackers. It also means using security features provided by libraries, such as authentication and encryption, appropriately and effectively. A range of programming platforms will be considered, ranging from low-level (e.g. Android OS), through web programming (e.g., JavaScript and Python) to high-level large-scale languages (e.g., Java). New and emerging language-based security mechanisms will be examined, including ways of specifying and enforcing security policies statically and dynamically (e.g., to enforce access controls or information flow policies).

Course Description

- Security maintainance of deployed software systems, including "penetrate-and-patch", vulnerability enumeration (CVE IDs) and classification (CWE taxonomy).- Secure programming techniques and common pitfalls, covering input validation, output filtering, use of cryptography and authentication. Standards such as the OWASP guidelines and the CERT Secure Coding Standards.- Malware (including adware, spyware) and its use of software vulnerabilities as an attack vector. Programming resilience against malware.- Low-level programming platforms, VMs and their security provisions, for example including process isolation, capabilities and permissions. Mobile operating system platforms as examples.- Web programming platforms and security provisions. HTTP protocol, forms, clientside and server-side threats and their avoidance.- High-level and Enterprise security programming, including cryptography via cryptographic libraries, authentication via GSSAPI.- Security APIs and their distinction from cryptography APIs. Use and design of security APIs for key management, hashing and encryption. Implementation in hardware and software.- Language-based techniques for assisting security programming, using dynamic enforcement via runtime monitoring and static enforcement via program analysis. Example tools.- Methods and tools for taint checking and information flow tracking to manage programming with sensitive data. Privacy risks with lack of encapsulation.- Methods and tools for controlling resource usage with permissions and capabilities, and static analysis for guarantees in advance.

Assessment Information

Written Exam 70%, Coursework 30%, Practical Exam 0%

Additional Assessment Information

You should expect to spend approximately 20 hours on the coursework for this course.

view the timetable and further details for this course


All course information obtained from this visiting student course finder should be regarded as provisional. We cannot guarantee that places will be available for any particular course. For more information, please see the visiting student disclaimer:

Visiting student disclaimer