Textbook ($30)


Secure Coding

Spring 2024 Sam Bowne

Sat 9:00 am - 11:00 am

To attend class online:

For interactive help, connect to:
Password: student1


Pirate Class

No official college credit

Class Description

Learn how to find vulnerabilities in code and fix them. First we will discuss threat analysis and how to prioritize risks using the STRIDE model and the CVSS scoring system. Then participants will examine deliberately insecure apps written in PHP, NodeJS, or other common languages.

Prior knowledge: participants should have some experience coding apps in any language.


Designing Secure Software: A Guide for Developers


The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Don't use CCSF's Canvas system for this class. Instead, all students should use this Canvas server:

Enroll Here · View Course · Reset password



Sat 3-30  8 Secure Programming
Demos: H 201, SC 200, SC 201, SC 202, SC 203, SC 204

Sat 4-6Quizzes Ch 8 and 9
Proj H 201, SC 200, SC 201
9 Low-Level Coding Flaws

Sat 4-13 Holiday: No Class

Sat 4-20Quiz Ch 10
Proj SC 202, SC 203, SC 204
10 Untrusted Input

Sat 4-27Quiz Ch 11
Proj SC 100, W 700, SC 101, SC 101
11 Web Security

Sat 5-4Quiz Ch 12
Proj SC 130, SC 300
12 Security Testing

Sat 5-11Quiz Ch 13 Last Class
13 Secure Development Best Practices

All Quizzes due 30 min. before class


8 Secure Programming   KEY · PDF
9 Low-Level Coding Flaws   KEY · PDF
10 Untrusted Input   KEY · PDF
11 Web Security   
12 Security Testing   
13 Secure Development Best Practices   


Scoreboard · Submit Flags

Linux Server Setup

H 201: Google Cloud Linux Server 10
SC 200: Cloud PHP Server 20

Manual Testing

SC 201: XSS 25
SC 202: Shell Code Injection 25
SC 203: SQL Injection 35
SC 204: Local File Inclusion 35

Windows Server Setup

F 61: Google Cloud Windows Server 15
SC 105: Building a Vulnerable Windows Server in the Cloud 25
PMA 125: Installing Visual Studio 2022 10

Static Testing

SC 100: Installing the OWASP Juice Shop in the Cloud 25
W 700: SonarQube Code Scanner 15
SC 101: Scanning the OWASP Juice Shop with SonarQube 10 + 10 extra
SC 110: Finding Security Issues with Codacy 15
SC 111: Investigating Security Issues with Codacy 20
SC 120: Finding Security Issues with Semgrep 15
SC 130: Finding and Fixing Security Issues with Snyk 25

Dynamic Testing

SC 300: OWASP ZAP 45

Updated 4-15-24 7:57 pm