Secure Coding Resources

Secure coding is the use of best practices through the lifecycle of applications and systems to ensure optimal protection of the data they handle. Utilizing secure coding practices is central to meeting IT professionals’ responsibility for protecting the university’s digital assets.

Many of the resources on this page are free to access with U-M login. Some require payment, particularly if you want a completion certificate. If coding is part of your work at or for U-M, we recommend checking with your department to see if they will fund the paid courses.

Understanding Your Shared Responsibility

Foundations of Secure Coding

  • Learning Threat Modeling for Security Professionals, 41 minutes LinkedIn Learning (free with U-M login). Threat modeling can identify areas of concern in applications or systems throughout their lifecycle, from development to testing to retirement. If threat modeling starts during the design process, security is built in. Threat modeling can identify both existential threats, and also concerns and vulnerabilities not directly related to malicious actions.
     
  • Programming Foundations: Secure Coding, 94 minutes, LinkedIn Learning (free with U-M login). This course provides a foundational understanding of secure coding best practices. The learning goals for this course include:
    • Understanding attackers and risks.
    • Documenting your risks.
    • Issues related to web client–server interactions.
    • Issues related to thick app and client–server interactions.
    • Authorization and cryptography issues.
    • Implementing security in each phase of the software development life cycle.
       
  • Principles of secure coding UC Davis presented on Coursera. A fee may be required to get a certificate for this course. This course introduces you to the principles of secure programming. Sections include:
    • Philosophy and principles of secure programming.
    • Robust programming and the relationship between it and secure programming.
       
  • DevOps Foundations: DevSecOps, 65 minutes, LinkedIn Learning (free with U-M login). This course explains how to incorporate security into the DevOps process.
     
  • Additional Resources: These assessments may be helpful for understanding how to incorporate the best practices for secure coding in the development process.

Developing and Testing Secure Applications

  • Developing Secure Applications, 96 minutes, LinkedIn Learning (free with U-M login). This course builds on the previous section by discussing how to design secure software by addressing vulnerabilities and concerns such as:
    • Buffer overflows.
    • Insecure direct object references.
    • Securing sensitive data.
    • Testing software security.
       
  • Dynamic Application Security Testing, 3 hours 24 minutes, Linked in Learning (free with U-M login). This course covers the many options for security testing of applications and code. It includes information about testing methods and how to incorporate them into the development process.

Secure Coding and Artificial Intelligence (AI)

AI has become a popular tool for a number of coding tasks. While it can speed up some parts of application and system development, extra caution should be taken when using AI for any coding task. 

The same security rules and standards used in any other type of coding apply when using AI. The developer using AI tools should understand and verify the code being generated, and in particular, how that code will execute key tasks, such as authentication, encryption, and other aspects of handling sensitive data.

Do not use U-M data with AI systems, unless those systems are approved for that data. Developers may find that AI is good for generating examples and supporting learning that can be applied to projects without exposing U-M data to the AI system.

Secure Coding Courses You May Find Useful

These additional courses offer deep dives into secure coding that can be taken for a fee and result in learning certificates.