

Dowd, M., McDonald, J., and Schuh, J. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. (469,- in Mjøsbok)

Individual topics, each counting for 100% of the grade, were selected during the first lecture. We will present our topics in weeks 14-19, depending on the topic. The final deadline is 21 May 2013. Every student must peer review two other topics in order to give feedback.


Paper, presentation and code


Other sources
See the WebGoat and WebScarab projects of OWASP.

Capture the flag contest during spring

Software Security (Assurance) State of the Art:

Some thoughts... I read most of this paper, and although it was quite boring at times, I found some pages quite interesting:
5.2.2 talks about how "negative" requirements like "the software must not be susceptible to buffer overflows" must be analyzed and converted into actionable requirements like "input validation" and "exception handling"; issues with modeling, Microsoft threat modeling, misuse vs. abuse cases.
5.3.1 Design principles (as seen in Applied Information Security), white-box techniques, compiler optimizers can introduce new vulnerabilities.
Table 5-14 Software and application security checklists, and websites and portals to follow.
8.5 Developer liability.
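Two of the points in the notes above, in working C, as an added example that is not part of the course page or of the SOAR report: the "negative" requirement "must not be susceptible to buffer overflows" turned into a positive, testable input-validation check (copy_username), and the classic case of an optimizer introducing a vulnerability, dead store elimination removing a memset() that scrubs a secret because the buffer is never read again, beside the volatile-function-pointer idiom that keeps the store (secure_zero). The function names, the printable-ASCII policy and the 0xAA fill pattern are assumptions made for this example. The removal itself is not observable from C; you confirm it by compiling the naive version with optimization and reading the generated assembly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Actionable form of "no buffer overflows": validate the input length
 * against the destination size and refuse (return -1) instead of
 * truncating silently or writing past the end. The printable-ASCII
 * policy is an assumption for this example; a real system defines its own. */
int copy_username(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (src_len >= dst_size)          /* no room left for the terminating NUL */
        return -1;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)     /* reject control and non-ASCII bytes */
            return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Naive scrub: a plain memset() on a buffer that is never read afterwards
 * is a dead store, and an optimizing compiler may legally delete it,
 * leaving the secret in memory (CWE-14). */
void naive_zero(void *p, size_t n)
{
    memset(p, 0, n);
}

/* Hardened scrub: calling memset through a volatile function pointer means
 * the compiler cannot prove which function runs, so it must keep the call
 * and the stores it performs. C11 memset_s and BSD/glibc explicit_bzero
 * exist for the same purpose where available. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Helper so a caller can check that a wipe actually happened. */
int count_nonzero(const unsigned char *p, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            count++;
    return count;
}

/* Fills a local "password" buffer with a constructed 0xAA pattern, scrubs it
 * with secure_zero and returns how many bytes survived (expected: 0). */
int scrub_demo(void)
{
    unsigned char secret[32];
    memset(secret, 0xAA, sizeof secret);
    secure_zero(secret, sizeof secret);
    return count_nonzero(secret, sizeof secret);
}

int main(void)
{
    char name[8];
    printf("copy 'alice'    -> %d\n", copy_username(name, sizeof name, "alice", 5));
    printf("copy 'bobbybob' -> %d\n", copy_username(name, sizeof name, "bobbybob", 8));
    printf("copy 'a\\nb'     -> %d\n", copy_username(name, sizeof name, "a\nb", 3));
    printf("bytes left after secure_zero: %d\n", scrub_demo());
    return 0;
}
```

To see the optimizer at work, compile a caller of naive_zero with `-O2 -S` and compare the output with the same caller using secure_zero; the point of the SOAR's remark is that the source looks correct either way, so the check has to be made on the compiled artifact, not the code review.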