CYBR271 (2021) - Secure Programming


This course addresses the concepts, techniques and tools required for developing software that reliably preserves the security properties of the information and systems they protect. The course covers common software vulnerabilities, specifying security requirements, secure design principles and techniques for evaluating software security. Practical work will involve developing and evaluating the security of C and Java programs.

Course learning objectives

Students who pass this course will be able to:

  1. Describe the role of, and develop security requirements and abuse scenarios based upon, an understanding of the differences between the methodologies used by attacker and a testers to discover security vulnerabilities that could lead to security risks.
  2. Apply knowledge of threats, vulnerabilities and how these may interact to choosing and implementing client-side and server-side software security controls to mitigate software security risks.
  3. Evaluate the security of software using a range of security techniques including vulnerability assessment, fuzzing and code review.

Course content

The course is primarily offered in-person, but there will also be a remote option and there will be online alternatives for all the components of the course for students who cannot attend in-person.
Students taking this course remotely must have access to a computer with camera and microphone and a reliable high speed internet connection that will support real-time video plus audio connections and screen sharing.  Students must be able to use Zoom; other communication applications may also be used. A mobile phone connection only is not considered sufficient.   The comuputer must be adequate to support the programming required by the course: almost any modern windows, macintosh, or unix laptop or desktop computer will be sufficient, but an Android or IOS tablet will not.
If the assessment of the course includes tests, the tests will generally be run in-person on the Kelburn campus. There will be a remote option for students who cannot attend in-person and who have a strong justification (for example, being enrolled from overseas).
The remote test option will use Zoom for online supervision of the tests and you must be able to use Zoom with a camera, microphone, and screen-sharing. Students who will need to use the remote test option must contact the course coordinator in the first two weeks to get permission and make arrangements.

Withdrawal from Course

Withdrawal dates and process:


Dr Jennifer Ferreira (Coordinator)

Dr Aaron Chen

Teaching Format

This course will be offered in-person and online.  For students in Wellington, there will be a combination of in-person components and web/internet based resources. It will also be possible to take the course entirely online for those who cannot attend on campus, with all the components provided in-person also made available online.

There are two lectures per week that will be recorded, a tutorial that will be livestreamed and starting from week four there will be weekly helpdesks will be both in person and provided over Zoom. Our second assignment requires you to demonstrate your code and understanding of the problem, this will be able to be done either in person or using Zoom.

Student feedback

Student feedback on University courses may be found at:

Dates (trimester, teaching & break dates)

  • Teaching: 05 July 2021 - 08 October 2021
  • Break: 16 August 2021 - 29 August 2021
  • Study period: 11 October 2021 - 14 October 2021
  • Exam period: 15 October 2021 - 06 November 2021

Class Times and Room Numbers

05 July 2021 - 15 August 2021

  • Monday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn
  • Wednesday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn
  • Thursday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn
30 August 2021 - 10 October 2021

  • Monday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn
  • Wednesday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn
  • Thursday 12:00 - 12:50 – LT1, Te Toki a Rata, Kelburn

Other Classes

The Friday lecture slot is used as a tutorial.


There are no required texts for this course.

Mandatory Course Requirements

In addition to achieving an overall pass mark of at least 50%, students must:

  • Achieve at least a D in the take home test.

If you believe that exceptional circumstances may prevent you from meeting the mandatory course requirements, contact the Course Coordinator for advice as soon as possible.


This assessment scheme is the 2020 version. It is likely to change somewhat in 2021.

Assessment ItemDue Date or Test DateCLO(s)Percentage
Threat and risk modelling assignment (5 weeks).Week 6CLO: 140%
Practical assignment (5 weeks).Week 12CLO: 2,340%
Take home test.Assessment weekCLO: 1,2,320%


Late assignment submissions will receive a penalty of 10% for each day late (pro-rata).


Each student will have three "late days" which you may choose to use for any assignment or assignments during the course. There will be no penalty applied for these late days. You do not need to apply for these, instead any late days you have left will be automatically applied to assignments that you submit late.

Submission & Return

All work is submitted through the ECS submission system, accessible through the course web pages. Marks and comments will be returned through the ECS marking system, also available through the course web pages.

Marking Criteria

The two practical assignments are marked in person. They are assessed on your undestanding of the security issue, code quality and how well the student can explain how they solved the problem to the marker. All other assessment is done by tutors or lecturers, marking to a scheme produced by the lecturers.


The total workload for CYBR 271 is 150 hours. In order to maintain satisfactory progress in CYBR 271, you should plan to spend an average of 10 hours per week on this course. An approximate breakdown is: lectures 2 hours, tutorial 1 hour, assignments 5 hours and reading/review of assigned readings and lecture notes 2 hours.

Teaching Plan


Week 1

LectureIntroduction to managing software risk.

Week 2

LectureThreat modeling.

Week 3

LectureGuiding principles for software security.

Week 4

LectureBuffer and stack overruns.

Week 5

LectureFormat string problems.

Week 6

LectureSql and command injection.

Week 7

LectureScript injection.

Week 8

LectureAll input is evil.

Week 9

LectureFailure to handle errors correctly.

Week 10

LectureSecurity testing.

Week 11

LectureSecurity code reviews.

Week 12

LectureCourse wrap up.

Communication of Additional Information

All online material for this course can be accessed at

Offering CRN: 30040

Points: 15
Prerequisites: CYBR 171, NWEN 241
Duration: 05 July 2021 - 07 November 2021
Starts: Trimester 2
Campus: Kelburn