TL-05 COURSE PLAN – THEORY

Faculty Name J. Rathnamala

Designation Assistant Professor
Programme B.E. Computer Science and Engineering
(Cyber Security)
Year/Class III Year / CSE (Cyber Security)
Course Code / Course Name U23CCT05 / Secure Software Engineering
and Risk Management
Semester V
Regulation R2023
Academic year 2025-26 (Odd)

Type of Course: Core

Credits & Hours: L-3, T-0, P-0, C-3, Total = 45 Hours

Pre-Requisite: Nil

Objectives
 • To introduce the fundamental principles of software engineering with an emphasis on
incorporating security throughout the Software Development Life Cycle (SDLC).
 • To enable students to design, develop, and test secure software by applying industry-
standard practices, secure coding guidelines, and architectural principles.
 • To equip learners with the knowledge and practical tools necessary for identifying,
analyzing, and managing software security risks, threats, and compliance requirements.

Course Outcomes (CO)

Upon completion of the course, students would be able to

Course Outcomes Description BT Level (Highest level)

CO1 Apply secure software K3
engineering principles and
integrate security
throughout the Software
Development Life Cycle
(SDLC).
CO2 Design secure software K6
systems by eliciting security
requirements using models
like SQUARE and secure
software architecture
patterns
CO3 Develop strategies for K6
evaluating and mitigating
software security risks
 using threat and
vulnerability management
techniques.
CO4 Analyze and perform K4
security testing using risk-
based approaches, threat
modeling, and penetration
testing tools.
CO5 Evaluate secure project K5
management practices by
aligning with enterprise
security frameworks and
maturity models.

SYLLABUS
Unit Topics
Unit I SOFTWARE ENGINEERING
FUNDAMENTALS AND NEED OF
SOFTWARE SECURITY – 9 Hours
Software Development Life Cycle Models –
Security Threats and Vulnerabilities –
Software Assurance – Secure Development
Principles – Properties of Secure Software –
Importance of Early Risk Detection.
Unit II SECURE SOFTWARE DESIGN – 9 Hours
Secure Software Requirement Engineering
– SQUARE Process – Security Requirements
Elicitation, Prioritization and Validation –
Secure Software Architecture – Design
Principles – Security Patterns.
Unit III SECURITY RISK MANAGEMENT – 9 Hours
Software Security Risk Life Cycle – Risk
Profiling – Risk Exposure and Mitigation –
Risk Evaluation Techniques – Vulnerability
Management – Threat Analysis Tools.
Unit IV SECURITY TESTING – 9 Hours
Software Testing vs Security Testing – Risk
Based Testing – Threat Modeling –
Penetration Testing – Exploit Analysis –
Firewall Bypass Techniques.
Unit V SECURE PROJECT MANAGEMENT – 9
Hours
Secure Software Governance – Security
Policies – Enterprise Security Frameworks
– Security Metrics – Security Maturity
Models – Security Project Planning and
Monitoring.
LESSON PLAN
Lecture Hours Unit Major Topics to be covered Mode of Delivery References

Lecture Hours Unit Major Topics to Mode of References

be covered Delivery
1 I Introduction to Chalk and Talk T1
SDLC and
Security Needs
2 I Threats, ICT T1
Vulnerabilities,
and Software
Assurance
3 I Secure Discussion T1
Development
Principles
4 II SQUARE ICT / Case- T1
Process – based Learning
Overview
5 II Security Chalk and Talk T1
Requirement
Prioritization
6 II Secure Role Play / T1
Software Presentation
Architecture
7 III Security Risk Chalk and Talk T2
Lifecycle
8 III Risk Profiling Flipped T2
and Evaluation Classroom
9 III Vulnerability ICT / Problem T2
Management Solving
Tools
10 IV Security Chalk and Talk T3
Testing
Techniques
11 IV Penetration ICT / T3
Testing Demonstration
Practices
12 IV Bypassing Problem T3
Firewalls and Solving
Exploits
13 V Governance Chalk and Talk T1
and Security
Frameworks
14 V Security Project Case Study T1
Monitoring
15 V Security ICT / Group T1
Maturity Discussion
Models
LESSON PLAN (Detailed - 9 Hours per Unit)
Lecture Hours Unit Major Topics to Mode of References
be covered Delivery
1 I Overview of Chalk and Talk T1
SDLC and
secure
development
needs
2 I Security Chalk and Talk T1
threats,
vulnerabilities,
and basic
concepts
3 I Introduction to ICT T1
Software
Assurance
4 I Secure Discussion T1
Development
Lifecycle and its
properties
5 I Waterfall and Chalk and Talk T1
Agile SDLC
models
6 I DevOps and Role-play / T1
security in Case Study
DevOps
7 I Early risk ICT / Activity T1
detection and
mitigation
during design
8 I Security as a ICT / T1
quality Brainstorm
attribute
9 I Unit Summary Chalk and Talk T1
and Recap with
Q&A
10 II Introduction to Chalk and Talk T1
secure software
design
11 II SQUARE ICT T1
process model (Animations)
12 II Requirement Case-based T1
elicitation – Discussion
security focus
13 II Requirement ICT + Exercise T1
prioritization
and validation
14 II Secure software Chalk and Talk T1
 architecture
basics
15 II Security design Discussion + T1
principles Role Play
16 II Use of security ICT T1
patterns
17 II Design Practical / Peer T1
documentation Review
and risk
alignment
18 II Unit Summary Chalk and Talk T1
and Recap with
Q&A
19 III Introduction to Chalk and Talk T2
software
security risk
management
20 III Software risk Chalk and Talk T2
life cycle and
profiling
21 III Risk exposure ICT T2
and mitigation
overview
22 III Risk evaluation Discussion T2
techniques –
qualitative vs
quantitative
23 III Vulnerability ICT T2
identification
and
classification
24 III Vulnerability Hands-on T2
scanning tools (Demo)
25 III Threat Group Activity T2
modeling with
DREAD/STRID
E
26 III Mitigation ICT / Peer T2
strategy Review
development
27 III Recap and Case Study T2
discussion on
industry case
28 IV Software Chalk and Talk T3
testing vs
security testing
29 IV Types of ICT T3
security testing
and tools
30 IV Risk-based Case-based T3
testing Learning
planning
31 IV Threat Chalk and Talk T3
modeling for
test case
generation
32 IV Penetration ICT (Demo T3
testing Tools)
concepts
33 IV Pen-testing Hands-on / T3
tools: Demo
Metasploit,
Burp Suite
34 IV Exploits and Problem T3
bypassing Solving
firewalls
35 IV Reporting and Case Discussion T3
remediation
36 IV Unit recap – ICT / T3
summarize Presentation
tools and
techniques
37 V Software Chalk and Talk T1
project
governance
overview
38 V Security policy Discussion + T1
creation and ICT
management
39 V Enterprise ICT (Slides) T1
frameworks –
NIST, OWASP
SAMM
40 V Security Case-based T1
metrics for Learning
projects
41 V Security ICT T1
maturity
models
(BSIMM,
OpenSAMM)
42 V Aligning Chalk and Talk T1
security to
project
planning
43 V Security Discussion / T1
compliance and Demo
audits
44 V Security ICT / Tools T1
monitoring and Overview
risk board
45 V Unit wrap-up Case Study T1
and case study
discussion
CO-PO AND CO-PSO MAPPING
Co PO PO PO PO PO PO PO PO PO PO PO PS PS PS
urs 1 2 3 4 5 6 7 8 9 10 11 O1 O2 O3
e
Out
co
me
s

CO 3 2 2 1 1 1 1 1 2 1 2 3 2 3
1
CO 3 3 2 2 2 2 1 1 2 2 3 3 3 3
2
CO 3 3 2 2 2 2 1 1 2 2 3 3 3 3
3
CO 3 3 2 2 2 2 1 1 2 2 3 3 3 3
4
CO 2 3 1 2 2 2 1 1 3 2 3 2 3 3
5
ASSIGNMENTS AND PROJECTS

Assignment I
**Topic:** Secure SDLC Mini Project
**Description:** Model and implement a Secure SDLC framework using GitHub. Include
version control, README, screenshots, and documentation.

Assignment II
**Topic:** Secure Architecture Design
**Description:** Design a secure software architecture using SQUARE model and validate
requirements.

Assignment III
**Topic:** Online Certification
**Description:** Complete an online course on risk management or secure design (e.g.,
NPTEL, Coursera) and submit a report.

Assignment IV
**Topic:** Penetration Testing Case Study
**Description:** Simulate or analyze a real-world penetration testing scenario using open-
source tools.

Assignment V
**Topic:** Project Governance Report
**Description:** Write a detailed report on enterprise security frameworks (e.g., OWASP
SAMM, NIST). Align with a project plan.
TEXTBOOKS, REFERENCES AND WEB LINKS
 Textbooks:

1. Julia H. Allen, 'Software Security Engineering', Pearson, 2008

2. Evan Wheeler, 'Security Risk Management', Syngress, 2011

3. Chris Wysopal et al., 'The Art of Software Security Testing', Addison-Wesley

 References:

1. Mike Shema, 'Hacking Web Apps', 2012

2. Bryan Sullivan & Vincent Liu, 'Web Application Security', McGraw Hill, 2012

3. Lee Allen, 'Advanced Penetration Testing', Packt, 2012

 Web Resources:

• https://www.coursera.org/learn/packet-security-and-risk-management-4v4d

• https://archive.nptel.ac.in/courses/106/105/106105087/