Secure Programming

Secure Programming is a Level 11 course given in Semester 2. See the Course Catalogue Entry for syllabus and assessment information.

Lectures are on Mondays and Thursdays at 11.10am in 7 George Square, Lecture Theatre F.21.

  • The first lecture is on Mon 15th Jan
  • There will be no lectures on:
    • Mon 29th Jan
    • Mon 5th Mar, Thu 8th Mar
    • Thu 29th Mar
  • The final lecture is on Mon 2nd Apr

The course lecturer is David Aspinall. You can reach him at David.Aspinall@ed[...].

The course is aimed at MSc students and 4th/5th year undergraduates. It is designed to build on a first course in Computer Security, such as our Computer Security course.

Note: our Computer Security course has been extended in 2016/17 and 17/18 with some secure programming topics (especially buffer overflows and web security). The Secure Programming course will revisit these topics in greater depth, as well as studying other aspects.

The course focuses on software security quite broadly, discussing attacks as well as defensive programming. A good programming and systems background will be necessary.

Lecture slides and other materials appear here as the course goes along. There is no fixed textbook. Reading recommendations will be given in lectures and slides. See the links in the first lecture for some starting points.

10K students

Resources on Learn

All course content will be published on this web page.

On Learn you can access the Discussion Board and the lecture recordings.

Slides and reading

To preview likely upcoming material, please see the previous session of this course.

1. Introduction
2. Landscape
3. Memory Corruption
4. MC: Stacks & Heaps
5. MC: Countermeasures
6. CWEs, Injection
7. SQL Injection
8. Development
9. Web I (authentication)
10. Static Analysis


There will be 4 lab sessions in the course, consisting of guided exercises with checkpoint questions. You are encouraged to take brief notes as answers to the checkpoints, which you may submit to us for additional feedback.

Labs are on Tuesdays in Weeks 2, 4, 6 and 9 and run from 10am-1pm.

1. (23rd Jan) Basic Stuff
2. (6th Feb) Data Corruption
3. (27th Feb) Injection and Web Security
4. (20th Mar) Secure App Programming

The labs are an essential part of the delivery of the course and are supported by a team of hands-on demonstrators. If you have a lecture clash, you should come to as much of the lab as you can. You may undertake (or complete) labs in your own time, but you will not have access to the lab demonstrators.

Lab checkpoint notes will be accepted until 4pm on the Monday following the lab. Feedback will be available at the next lab, and solutions will be posted online.


There is one assessed coursework for the course.

  • Part 1 (Issued 12th Feb, recommended deadline 2nd March; final deadline 23rd March)
  • Part 2 (Issued 23rd Mar, deadline 13th Apr)

Update: the coursework component of the final mark will be for Part 1 only (weighted at 30%).


Some guidance about the examination is available here.


Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh