Secure coding is the use of best practices through the lifecycle of applications and systems to ensure optimal protection of the data they handle. Utilizing secure coding practices is central to meeting IT professionals’ responsibility for protecting the university’s digital assets.
Many of the resources in this curriculum are free to access with U-M login. Some require payment, particularly if you want a completion certificate. If coding is part of your work at or for U-M, we recommend checking with your department to see if they will fund the paid courses.
We recommend that, at a minimum, you complete the first section of this course, Understanding Your Shared Responsibility, if you work in a group or on a project at U-M that involves code development.
In addition, we recommend that anyone who writes code for U-M complete the other courses below (or their equivalent) that apply to their job/duties.
Secure Coding and Application Security (DS-18). This is the primary standard governing secure coding at U-M.
Encryption (DS-15). This standard includes directions for when data must be encrypted and may be a handy reference when developing systems and applications that handle U-M data.
Secure Coding and Application Security Summary on Safe Computing.
Secure Coding Best Practices Overview (Safe Computing)
Learning Threat Modeling for Security Professionals, 41 minutes, LinkedIn Learning (free with U-M login). Threat modeling can identify areas of concern in applications or systems throughout their lifecycle, from development to testing to retirement. If threat modeling starts during the design process, security is built in. Threat modeling can identify existential threats as well as concerns and vulnerabilities not directly related to malicious actions.
Programming Foundations: Secure Coding, 94 minutes, LinkedIn Learning (free with U-M login). This course provides a foundational understanding of secure coding best practices. The learning goals for this course include:
Principles of Secure Coding, UC Davis, presented on Coursera. A fee may be required to get a certificate for this course. This course introduces you to the principles of secure programming. Sections include:
DevOps Foundations: DevSecOps, 65 minutes, LinkedIn Learning (free with U-M login). This course explains how to incorporate security into the DevOps process.
Additional Resources: These assessments may be helpful for understanding how to incorporate the best practices for secure coding in the development process.
Developing Secure Applications, 96 minutes, LinkedIn Learning (free with U-M login). This course builds on the previous section by discussing how to design secure software by addressing vulnerabilities and concerns such as:
Dynamic Application Security Testing, 3 hours 24 minutes, LinkedIn Learning (free with U-M login). This course covers the many options for security testing of applications and code. It includes information about testing methods and how to incorporate them into the development process.
AI has become a popular tool for a number of coding tasks. While it can speed up some parts of application and system development, extra caution should be taken when using AI for any coding task.
The same security rules and standards used in any other type of coding apply when using AI. The developer using AI tools should understand and verify the code being generated, and in particular, how that code will execute key tasks, such as authentication, encryption, and other aspects of handling sensitive data.
Do not use U-M data with AI systems, unless those systems are approved for that data. Developers may find that AI is good for generating examples and supporting learning that can be applied to projects without exposing U-M data to the AI system.
These additional courses offer deep dives into secure coding that can be taken for a fee and result in learning certificates.
Secure Coding Practices Specialization. A 4-course series from UC Davis on Coursera that is 4 hours a week for 4-5 months. Individual courses can be taken if desired.
Web Technologies and Security Specialization. A 4-course series from Codio requiring about 4 hours a week for 2 to 3 weeks per course.
Writing Secure Code (Stanford online). This course uses an interactive virtual lab to teach you to identify flaws and manipulate systems, learn hacker-prevention skills, and perform ethical hacking.
Application Security: Securing Web Apps, APIs, and Microservices (SANS). This course is intended to raise awareness about common security flaws in modern web applications. It will also teach students how to recognize and mitigate these flaws early and efficiently. The course includes 20 hands-on labs and a "defend the flag" game.