SOFSEC1 – Software Security

Module 1: Introduction to Software Security

Prof. Justin Pineda

Jan 2026

About the Faculty: Justin Pineda

Industry

Certs

Academe

Pineda Cybersecurity

Alorica

Ingram Micro

Bnext Inc.

JG Summit Holdings Inc.

The Coca-Cola Company

Silversky/Perimeter Security

DPO ACE, CISSP, ISO/IEC 27032, ISO/IEC 27035, ISO 27034, ISO 42001, ISO 27001, CISM, CEH, GWAPT, GMOB, CEH, Security+, CCNA, IBM DB2, ISO 27002, Cato SASE, Parallels RAS, ITILv3, APMG CISM, ISC2 Trainer

​

Asian Institute of Management (AIM)

DLS-CSB

Asia Pacific College

LPU

NU

San Beda

Mapua

TIP

Page 2

Learning Process

Learning Objectives

​

• Analyze core concepts of Information Security (LO1)
• Summarize fundamental concepts of Privacy (LO2)
• Explain the importance of Software Security
• Identify common software security flaws and threats

Motivation Question

​

Why do breaches still happen despite firewalls and security tools?

​

What is Software Development?

• Designing, building, testing, and maintaining software
• Driven by functionality, deadlines, and business goals
• Security is often secondary

​

Software Development Life Cycle (SDLC)

What Is Software Security?

​

• Protecting software from vulnerabilities
• Covers design, code, configuration, dependencies

Why Software Security Matters

​

• Most attacks exploit application flaws
• Defects scale rapidly in cloud environments

Cybersecurity Across the SDLC

• Security must exist in every phase
• Late fixes are costly and incomplete
• Early mistakes propagate forward

Weak Point: Requirements Phase

• No security requirements defined
• No misuse or abuse cases
• Lack of threat modeling

​

Weak Point: Design Phase

• Insecure architecture
• Missing trust boundaries
• Weak authentication models

​

Weak Point: Implementation Phase

• Input validation errors
• Hardcoded secrets
• Unsafe libraries

Weak Point: Testing Phase

• Security testing skipped
• Only functional testing done
• No attacker mindset

​

Weak Point: Deployment Phase

• Insecure default configurations
• Exposed admin services
• Poor secrets handling

​

Weak Point: Maintenance Phase

• Delayed patching
• Outdated dependencies
• Accumulated security debt

​

Threat Actor Perspective

• Seek the easiest entry point
• Exploit neglected phases
• Reuse known techniques

​

Summary

• Software security begins in development
• Each SDLC phase affects security
• Neglect creates attack surfaces

Knowledge Check 1

Which SDLC phase presents the highest long-term security risk when security is completely ignored, even if later phases apply security testing?

​

• A. Implementation (Coding)
• B. Testing
• C. Deployment
• D. Requirements

Knowledge Check 2

A development team skips formal requirements documentation and relies on verbal instructions. From a cybersecurity perspective, what is the most likely outcome?

• A. Faster development with minimal security impact
• B. Security issues limited only to coding errors
• C. Inconsistent security controls and exploitable assumptions
• D. Improved flexibility against threat actors

Knowledge Check 3

Which security activity is best suited for the Design phase of the SDLC?

• A. Penetration testing
• B. Secure configuration hardening
• C. Threat modeling and secure architecture review
• D. Incident response planning

Knowledge Check 4

Why do threat actors prefer exploiting logic flaws rather than technical vulnerabilities?

​

A. Logic flaws require advanced malware

B. Logic flaws are easier to automate

C. Logic flaws are rarely detected by security tools

D. Logic flaws exist only in legacy systems

Knowledge Check 5

Which statement best reflects the relationship between SDLC and cybersecurity?

​

A. Cybersecurity is mainly a concern during testing and deployment

B. Secure coding eliminates the need for secure design

C. Cybersecurity is an overlay added after development

D. Cybersecurity must be embedded across all SDLC phases

Key Takeaways

​

• Security failures often start at software level
• Secure design matters as much as tools
• Foundations matter for later technical topics

References

​

• SOFSEC1 Course Syllabus
• Recorded Lectures
• Recommended Online Resources

Group Exercise 1: Web Application Security Evaluation

• This exercise helps students understand how software functionality, security controls, and threat actor behavior intersect early in the SDLC—especially when security is missing or assumed.

Group Instructions

• Form groups of 3–4 students
• Choose ONE industry from the list provided
• (Industries may repeat across groups)
• Select a real web application under that industry
• Complete ALL tables
• Be ready to defend your assumptions

Industry to choose from:

• Banking / FinTech
• (e.g., Online banking portal, e-wallet, loan application system)
• E-Commerce / Retail
• (e.g., Online shopping site, food delivery platform)
• Healthcare
• (e.g., Patient portal, appointment booking system)
• Education
• (e.g., Student information system, learning management system)
• Government Services
• (e.g., Online permits, tax filing system, citizen portal)