Information–Flow Security

Who is the material made for?

Software developers (and students) who wish to discover, understand, and meet, application–level security requirements in the software that they write.

This module assumes the ability to read and write (non–esoteric) software applications in an object–oriented programming language. If you have completed 1 year of study in software development, then you meet these criteria.

Introduction

Businesses increasingly rely on software to operate. Software security is therefore a growing concern, since information leaks and software exploitation are a risk to their business.

7

Businesses are therefore taking security more seriously, placing security requirements on software vendors. Unfortunately, despite software developers wanting, and trying, to develop secure software, they still produce vulnerable software.

The situation on the Web today is especially alarming; hackers can attack users in 9 out of 10 web apps, over 80% of vulnerabilities are located in application code, and 1 in 5 vulnerabilities are high–severity.

This module gives you a deep understanding of how information flows through software. This awareness gives you a new perspective when writing software with security requirements; it helps you avoid introducing information leaks into software and gives you a conceptual framework for reasoning about software security in general.

You will meet concepts like information leak, sources & sinks, dependencies, side–channels, and flow policies. You will learn to identify information flows in software, to express application–specific security requirements as flow policies, and to implement software that adheres to said flow policies.