Computer Laboratory

Course pages 2016–17

Software and Security Engineering

Here are the slides; printed copies were distributed at the first lecture. There was no lecture on May 1st; instead there was a guest lecture by Robert Brady of Brady plc on May 15th at 3pm in LT2 at the Computer Lab (here are his slides and here is the video of the talk).

This is a new course. As software and communications become embedded invisibly everywhere, safety and security are becoming increasingly intertwined. The disciplines of software engineering and security engineering are converging. This course attempts a unified introduction. Its antecedents include previous courses on software engineering (see here) plus materials brought forward from previous courses on security (here and here). For further and background reading see the following.

  1. The lecture on security policy summarises material from chapters 8, 10 and 25 of my textbook on Security Engineering (all chapters are available free online).
  2. The lecture on predicting human behaviour is based on chapter 2; there's also an article on passwords as well as much more here.
  3. The lecture on protocols is based on chapter 3; for the No-PIN attack, see this video.
  4. For the lecture on software security the most appropriate chapter is 21, but I'll discuss more recent high-profile attacks such as Heartbleed. The Whopper Burger ad is here and the background's here. Recent hacks of possible interest are here, here, here, here and here. Useful resources for following the fight against the bad guys are the comp.risks forum and the blogs by Bruce Schneier and Brian Krebs.
  5. Here's the report of the inquiry into the London Ambulance System disaster, while the case study of the NHS National Programme for IT is here.
  6. For the lecture on methodology and managing complexity, here's Fred Brooks' article No Silver Bullet and the paper by Curtis, Krasner and Iscoe. There is quite a lot of relevant material in Chapter 25 of my book; there's also a piece I recorded with Stephen Fry on Y2K.
  7. For safety engineering, here's a video by Harold Thimbleby on the poor safety usability of syringe pumps, while his paper on safety usability failures in medical devices is here. Nancy Leveson's book is here and an article from the New York Times documents the continuing fatalities caused by poor radiology systems and software. The report of the inquiry into the King's Cross fire is here. Finally, here is the report of the Qantas flight where the plane's three onboard computers started arguing with each other.
  8. My book chapter on evaluation and assurance is chapter 26.

The practical exercise in SQL injection can be found here.

Past exam questions from the software engineering component of the course are here and here. For supervisions in the security component of the course, you might try previous exam questions in car locks, phone scratchcards, exam security, prospect theory, secret key protocols, public key protocols and banking authentication. For fun (although we didn't teach it) you might have a go at the two-time pad.