INFSCI 2935 Developing Secure Systems (Spring-06)

Special Topic: System & Technology-System Design

(soon to be a regular IS course)

Mondays; 6:00 - 8:50PM

Room IS 502

Development of this course is supported by a grant from the National Science Foundation



James Joshi

Contact Info
706A, IS Building,



Course Handout



As discussed in class, the exam is scheduled for April 10.




(Due: Feb 6)




Holiday on Jan 16




Course Description

Developing high-assurance software is a growing challenge as systems become more complex. Secure by design is emerging as a basic principle of trustworthy computing and as the preferred way to ensure the security of networked information systems and infrastructures. This course focuses on that problem and on the design and implementation of secure software systems and architectures. Key coverage includes the principles and practices of a secure, high-assurance software development process, including security development lifecycle models and secure design using the Unified Modeling Language (UML). Secure design of operating systems, network services, databases and application environments will be studied, including security in web services, COTS-based and service-oriented systems. Tools and techniques for code analysis and testing, and for the evaluation and certification of software, will be emphasized. The course will also cover secure programming principles in different languages, with particular focus on secure software development on the Java and .NET platforms. This is one of the SAIS elective courses.

Prerequisites

  • IS 2150/TEL 2810 Introduction to Computer Security
  • The following courses are preferred but not required:
    • IS 2170/TEL 2820 Cryptography; TEL 2821 Network Security
    • IS 2511 or IS 2540
    • Talk to the instructor if you are not sure of your background

Course Material


There is no single book that covers all the topics in this course. The relevant books are still being reviewed to see whether one can serve as the main textbook. The following reference books are recommended for the course.

  • Building Secure Software: How to Avoid Security Problems the Right Way, John Viega and Gary McGraw, Addison-Wesley, 2002.
  • Enterprise Java Security: Building Secure J2EE Applications, Marco Pistoia, Nataraj Nagaratnam, Larry Koved and Anthony Nadalin, Addison-Wesley, 2004.
  • Secure Systems Development with UML, Jan Jurjens, Springer-Verlag, 2005.
  • Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption, Jothy Rosenberg and David Remy, Sams Publishing, 2004.
  • High Assurance Design: Architecting Secure and Reliable Enterprise Applications, Clifford J. Berg, Addison-Wesley, 2006.
  • Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management, Christopher Steel, Ramesh Nagappan and Ray Lai, Prentice Hall, 2005.
  • How to Break Software Security, James Whittaker and Herbert Thompson, Addison-Wesley, 2003.
  • Secure Coding in C and C++, Robert C. Seacord, Addison-Wesley, 2006.
  • Computer Security: Art and Science, Matt Bishop, Addison-Wesley, 2003 (ISBN 0-201-44099-7).
  • Papers; MSDN, US-CERT, etc.


Grading (Tentative)

  • Homework/Quiz: 40%
  • Presentation/Review: 10%
  • Exams: 20%
  • Project: 30%

Extra credit may be obtained through other means, e.g. the LERSAIS Seminar.

If you have a disability for which you are requesting, or may request, an accommodation, you are encouraged to contact both your instructor and the Office of Disability Resources and Services (DRS), 216 William Pitt Union (412-648-7890/412-383-7355), as early as possible in the term. DRS will verify your disability and determine reasonable accommodations for this course.