This is the page of the 2016 Software Security course. A wiki page for Spring 2018 will be published soon.

This is a joint (4 credit) course between Aalto University Department of Computer Science & University of Helsinki Department of Computer Science in spring 2016. The course code for Aalto University is T-110.6220 and for University of Helsinki is 582708. Lectures will be held by Antti Vähä-Sipilä from F-Secure Corporation.

Course staff

Course staff can be reached by email. For anything related to the university (enrollment, grades, etc.), please contact the Aalto contacts. For questions regarding the content of the course, please contact Antti.

The course IRC channel is #tkt-swsec on IRCnet, which was inherited from the 2014 course at the University of Helsinki. You are welcome to join here to meet other course participants! If you have any questions about content and want to chat, feel free to contact the lecturer on IRC (I'll react if I'm awake and online).

Andrew and Samuel have office hours on Mondays 10:30 - 12:00 in B151 and B156 in the Aalto CS building. 

The course uses MyCourses for returning weekly exercises, lecture notes, and for public lecture Q&A.


I'd like to thank F-Secure and Microsoft for their support in making the course possible.


  • No news at the moment. Please read the course email list.

Course Overview

This is a basic course on software security. The target group are software developers and generalists who are not necessarily security specialists. However, the course provides a lot of practical insight to those contemplating security related career options. The content of the course is geared towards practical and commercial software development.

The course will explain how software breaks in the security sense, and how to determine whether software is broken. We look at the variety of activities and strategies available for software developers and organizations to create more secure software. We learn how to perform security and privacy threat modelling (architectural risk analysis and privacy impact assessment), and how to apply language-theoretic approach to security engineering. We conclude with economics of software security, its regulation (mainly from a Finnish and EU viewpoint), and relationship to society.


Especially for the two first weeks' topic, the students need to be familiar with operating system basics such as the concepts of processes and memory allocation, fluent in at least one programming language, understand the concept of a protocol stack, know how HTTP works, and be comfortable on the command line on GNU/Linux, Mac OS X, or Windows. Prior information security knowledge is not a requirement.

For some of the weekly exercises, you need access to a computer (GNU/Linux, Mac OS X or Windows) with a Java JRE.

Grading and passing the course

Weekly exercises

The course has no exam, but has six weekly graded home exercises, whose average score will be the final grade. Students must complete at least four of the six exercises in order to get a final grade. A skipped exercise will be evaluated as zero. Grading guidelines are available from MyCourses.

Each exercise deadline is one week after the lecture. Exercises are returned on the MyCourses page.

Responses to weekly assignments can be written in either English or Finnish. Writings must be returned in plain text (including Moodle text fields), HTML or PDF formats. Images (diagrams drawn in some assignments) must be returned in PDF, JPEG or PNG formats. If using lossy compression, please use maximum quality settings.

Weekly exercise support sessions

In addition to the lectures, we have an optional support meeting each week where we can discuss any challenges you might face with the weekly exercises. This is where you can get face-to-face support or discuss your ideas. If nobody has any problems, we will discuss the weekly lecture topic in more depth - typically real life experiences and other unstructured discussion as long as we have something interesting to share. As said, these sessions are fully optional. You can also ask lecture and exercise specific questions on the MyCourses page.


Although lectures do not, strictly speaking, have mandatory attendance, we would ask you not to enroll on the course unless you really also plan to attend the lectures. The course has limited space and there will be someone else who wants to attend. If you are looking for a completely virtual course, Coursera still had a Software Security course in November 2015, but it has apparently disappeared - I'm leaving this link here hoping it will be back.

Concept inventory tests

This course is also an experiment in computer security education. We will measure the participants' knowledge of some key concepts immediately before and after the course using a 15-minute multiple choice test. This test is pseudonymous; it will not affect your grade, and we are not interested in the identity of any single responder. The only thing we require is that we can correlate the responses before and after the course.

Course Registration

Registration period will start on March 13th, 2016 at 9:00 and close on April 4th, 2016 at 23:59.

Important note on registrations: The course will have limited capacity. Based on past years' experience, it is likely that it will be 'sold out'. To ensure that everyone who starts the course will also finish it, we will kindly ask for your commitment to finish the course. Registrants will get an email prior to the course, and it is necessary to reply to that email in order to secure your place. Also, we'd suggest you register as soon as you know you can take the course.


  • Lecture: Lectures will be mostly held on Monday morning (8am-10am) in T6 room of Aalto CS building, Konemiehentie 2, Espoo. There are two exceptions: There is no lecture on Monday 18 Apr, and one lecture is on Tuesday 17 May.
  • Exercise: Exercise sessions will be held on Tuesday afternoon (2pm-4pm) in TU5 room of Aalto TUAS building, Otaniementie 17, Espoo. On the last week, there is no exercise session - instead, Tuesday 17 May we have a lecture.

DateLecture topicLecture notesWeekly Assignment Support & Discussion Meeting
Exercise and deadline (all deadlines 07:00 UTC+3)


11 Apr

  • Concept inventory test
  • Introduction
  • How software breaks (low level)

Week 1 lecture notes (2016)

12 Apr

  • More advanced fuzzing concepts (demos and discussion possible)
  • We'll try to finish at 15:00

Exercise info removed, see the 2018 page.


25 Apr

  • How software breaks (web apps)
  • Concepts of language theoretic security
  • Note: No lecture on 18/19 Apr

Week 2 Lecture Notes

26 Apr Was an online meeting

  • Deeper dive into Burp Suite Professional

Exercise info removed, see the 2018 page.


2 May

  • Security in a software project
  • Visitor: A consultant's view - Henri Lindberg

Week 3 lecture notes (2016)

3 May

  • Modern software development processes and security activities

Exercise info removed, see the 2018 page.


9 May

  • Threat modelling (architectural risk analysis) 1

Week 4 lecture notes (2016)

10 May

  • Special cases in threat modelling: Modelling build and deployment, reliability, some specific design patterns

Exercise info removed, see the 2018 page.


16 May

  • Engineering for privacy
  • Threat modelling (architectural risk analysis) 2

Week 5 lecture notes (2016)

None (timeslot used for the next lecture instead)

Exercise info removed, see the 2018 page.


17 May

  • Software security in the society
  • Economics of software security
  • EU and national regulation
  • Concept inventory test
  • Note: Lecture is on Tuesday

Week 6 lecture notes (2016)


Exercise info removed, see the 2018 page.


Neither book is a strict requirement for passing the course, but will support your learning as follows: If you have no previous exposure to software or application security, you would be strongly recommended to obtain the Secure Coding book, and if you are planning to work in information security, I recommend getting the Threat Modeling book.

  1. Mark G. Graff, Kenneth R. van Wyk: Secure Coding: Principles and Practices. O'Reilly, 2003. The book is out of print, but it is still available to buy directly from O'Reilly as a DRM free PDF: (Hint: O'Reilly regularly has 50% off days, at least on "the day against DRM" on May 6th)
    Note: Aalto students can loan E-book copy (DRM protected) for 1 to 7 days from Alli. Link
  2. Adam Shostack: Threat Modeling: Designing for Security. Wiley, 2014.
    Note: E-book copy is available for 14 days for Aalto students. Link -


This course was lectured for the first time in 2014 at the University of Helsinki. You can find the old course pages on their wiki. Please don't copy their answers.

This course is not a CYBERsecurity course.

  • No labels