Secure Software Engineering SS2023

Course Abstract

What does it take to engineer software systems securely? This is the key question we wish to address in this course. Answering it requires to develop an understanding of the following key areas of secure software engineering: threat modeling, secure design, secure coding, security validation, secure deployment and maintenance. In this course we will be covering those areas in an example-driven style, discussing current techniques applicable to those areas and lessons learned from concrete real-world security breaches.


Participants are expected to have completed or nearly completed the first section of the Bachelor degree, in particular the Softwaretechnikpraktikum or Softwarepraktikum. On top of that there are no special prerequisites for this course. However, for the BiBiFi contest, Learning Java before the course is highly recommended.

Course Material

The slides and exercise sheets will be uploaded after each lecture on the course's PANDA page (TBA)


The teaching language will be English. Questions in German will be permitted.
The programming language for the BiBiFi contest will be Java. Learning Java before the course is highly recommended.


The following course schedule is non-binding and may change at any time and without prior announcement.


Date Lecture Topic OWASP Top-10 Lecturer


04.04.23 Introduction OWASP Introduction Bodden


11.04.23 What Security Is! A1: Broken Access Control Bodden


18.04.23 External Talk: Pursuing a Career in Cyber Security - Prashasth Baliga  


25.04.23 Misuse & Abuse Cases A3: Injection Bodden
5 02.05.23 Threat Modeling A4: Insecure Design Klauke
6 9.05.23 Risk Assessment and Test Planning A5: Security Misconfiguration Bodden
7 16.05.23 Defensive Coding and Security Mechanisms 1 A9: Security Logging and Monitoring Failures Ashwin
8 23.05.23 Defensive Coding and Security Mechanisms 2 A7: Identification and Authentication Failures Ashwin
9 30.05.23 Applied Cryptography A2: Cryptographic Failures Bodden
---- ---- End of 4CP-Course ---- ----
10 06.06.23 Applied Cryptography Continued & Code Inspection and Program Analysis A8: Software and Data Integrity Failures Bodden
11 13.06.23 External Talk: Program Analysis in the Industry - Stefan Krüger
12 20.06.23 Vulnerability Assessment A6: Vulnerable and Outdated Components Bodden
13 27.06.23 Deployment and Distribution A10: Server-Side Request Forgery Bodden
14 04.07.23 Insider Threats and Usability A11: Next steps Bodden
15 11.07.23 Recap - Bodden



There will be 6 assignments published in PANDA. One is due every second week. You are asked to hand in your solutions through PANDA. More details can be found in the exercise slides. You can achieve an additional bonus point for the exam if you achieve at least 70% of all possible points. Assignments can be submitted by groups of 1-3 students.


Exercise sessions

There will be an exercise session every 2 weeks. Note that the schedule on PAUL has entries for each week, however, this is not the case. The exercise sessions will introduce each newly released assignment sheet and discuss the results of the previous assignment sheet. Additionally, each of the BiBiFi phases will be introduced.

Exercise session 1: 09:15 - 10:45 in  F 2 211

Exercise session 2: 11:15 - 12:45 in  F 1 110


Exercise schedule

Exercise Date BiBiFi Content
1 17.04.23 Introduction to Contest & Build It
2 08.05.23  
3 22.05.23 -
4 05.06.23 Introduction to Break-It
5 26.06.23 Introduction to Fix-It
6 10.07.23  

Registration & Questions

To attend the course, you have to register in the PAUL system as a participant.

Build It, Break It, Fix It: participation in the BiBiFi contest is optional but highly encouraged. There is also a possibility to gain one bonus point for successful participation.

Final Exam

There will be two written exam dates.

Date / Time / Room:

  • 1. TBA
  • 2. TBA

Further Information:

  • The exam will be given in English. Answers in German will be permitted.
  • The use of a English-Deutsch dictionary is permitted.

Learning Outcomes

After having attended this course, participants will have developed a solid understanding of the most important aspects of secure software engineering, both in theory and practice. This includes the ability to identify and model threats to software systems, to avoid the most common classes of vulnerabilities, and to identify and apply techniques and tools to avoid or identify the introduction of security vulnerabilities.


The course will be comprising different theoretical and practical parts:

  • The main lecture will cover background information about all relevant aspects of a secure software-engineering lifecycle. We will be motivating and explaining the core ideas with real-world examples. An integral part of every lecture will be the discussion of one of OWASP top-10 security risks. inspired by past real-world vulnerabilities and attacks, we will discuss each category of OWASP security risks and showcase common weaknesses and how to prevent them. Where possible, the discussion will directly relate to this day's remaining content of the lecture.
  • In addition, we will be conducting a practical contest called Build It, Break It, Fix It. The course is meant to help students experience a secure development lifecycle first hand. In the "Build It" phase, students will be asked to gather in teams and develop small software projects based on a formal specification, also including security requirements. In the "Break It" phase, the developed software will be exchanged between development teams to break the implementation, i.e., find and exploit security vulnerabilities in code of other teams. Lastly, in the "Fix It" phase, teams will get the chance to fix found vulnerabilities and, hence, render their software product more secure. This contest will be conducted using an automated online infrastructure.
  • The exercise classes are meant to reinforce the student's understanding of the main lecture's content. With practical, sometimes interactive exercises students will be able to learn important skills that can also support their work in the Build It, Break It, Fix It contest.

The main lecture will discuss crucial elements of a Secure Software Development Lifecycle, including:

  • Threat modeling
  • Risk analysis
  • Architectural security
  • Secure coding
  • Applied Cryptography
  • Secure configuration and deployment
  • Updates and maintenance

Recommended Reading Material

We will not be able to provide a script for this course.
However, a lot of the topics are also covered in the book:

Gary McGraw. Software Security: Building Security In

(online resource of the book)

Regarding the contest, we recommend this publication:

Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. 2016. Build It, Break It, Fix It: Contesting Secure Development. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 690-703. DOI: