Secure Programming Practices

The intent of the Secure Programming Practices Knowledge Unit is to provide students with an understanding of the characteristics of secure programs and the ability to implement programs that are free from vulnerabilities.

Topics

  1. Programming Flaws
  2. Interpretation and realization of Security Requirements
  3. Principles of Secure Programming
  4. Defensive Programming
  5. Secure Programming paradigms
  6. Catch and handle exceptions at the lowest level possible
  7. Static Analysis
  8. Defensive Programming
     a. Input Validation, Type checking
     b. Cover all cases - use defaults to handle cases not explicitly covered
     c. Catch and handle exceptions at the lowest level possible
     d. Avoidance of risky coding constructs
     e. Avoid information leakage through error messages
     f. Apply security practices to classes
        i. Don’t allow external interfaces data changes by reference
        ii. Use context to determine data access
        iii. Support data updates verification
        iv. Authenticate

Outcomes

  1. Produce software components that satisfy their functional requirements without introducing vulnerabilities
  2. Describe the characteristics of secure programming.
  3. Understand the vulnerabilities inherent in different programming languages.
  4. Examine vulnerabilities introduced through the use of libraries and how to mitigate those vulnerabilities.

KSA-T

Below are the Knowledge, Skills, Abilities and Tasks (KSA-T) identified as being required to perform this work role.
Learn more about the KSA-Ts.

Knowledge

ID DESCRIPTION
K0140 Knowledge of secure coding techniques.
K0139 Knowledge of interpreted and compiled computer languages.
K0229 Knowledge of applications that can log errors, exceptions, and application faults and logging.
K0254 Knowledge of binary analysis.
K0028 Knowledge of organization's evaluation and validation requirements.

Skills

ID DESCRIPTION
S0148 Skill in designing the integration of technology processes and solutions, including legacy systems and modern programming languages.
S0172 Skill in applying secure coding techniques.
S0088 Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
S0019 Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
S0149 Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.

Abilities

ID DESCRIPTION
A0036 Ability to identify basic common coding flaws at a high level.

Tasks

ID DESCRIPTION