Software Applications: Security Lifecycle Threats

Harvard Extension School

CSCI E-149A

Section 1

CRN 16691

View Course Details
You have been tasked with the design, development, and deployment of a new application, and there is more involved than just writing some code and testing it. In this course, we take a fictional product through the entire secure development lifecycle, through ideation, design, development, testing, and deployment. We explore how to think about and embed security into each phase, including those phases where security has traditionally been an afterthought. Some of the questions that we address include how do we make sure that we have included security thinking throughout the entire product lifecycle? How do we know what to test, how, and why—are we actually testing what matters? How do we ensure that we are developing within a secure development environment? What about the impact of all that third-party code, especially open-source software, that we want to use with our application? And what happens when this product is nearing end life—how do we make sure that we maintain its security posture even if we are no longer actively developing new features? How do you present- and future-proof against emerging technologies, regulations and industry trends? How do you make sure that you are set up to protect against threats from emerging technologies including machine learning/artificial intelligence (AI) and quantum computing? How do you apply all these of this present- and future-proofing to legacy applications, that is, applications that are already built and in-use, including hybrid applications, critical infrastructure, and industrial systems? The net is that you can be sure that whatever you do today may well not be enough to protect you tomorrow. Throughout the course we apply these concepts and tradeoffs as students create and take their own software product through its end-to-end lifecycle. Threats and things to pay attention to include discussions drawn from the news (sadly there are always on-point things in the cybersecurity news that we can use as the basis of discussion), as well as CISA's Zero Trust Maturity Model, Secure by Design requirements, guidelines for secure AI system development, CISA's Known Exploitable Vulnerability (KEV) lists, MITRE's ATT&CK framework, threat modeling techniques, risk management concepts, and whatever is topical at the time in the news.

Instructor Info

Heather Hinton, PhD

Chief Information Security Officer in Residence, Professional Association of CISOs


Meeting Info

T 5:30pm - 7:30pm (9/2 - 12/20)

Participation Option: Online Asynchronous or Online Synchronous

In online asynchronous courses, you are not required to attend class at a particular time. Instead you can complete the course work on your own schedule each week.

Deadlines

Last day to register: August 28, 2025

Prerequisites

Familiarity or experience with security software development principles. A basic understanding of security threats, tools, and landscape.

Notes

This course meets via web conference. Students may attend at the scheduled meeting time or watch recorded sessions asynchronously. Recorded sessions are typically available within a few hours of the end of class and no later than the following business day. See minimum technology requirements.

All Sections of this Course

CRN Section # Participation Option(s) Instructor Section Status Meets Term Dates
16691 1 Online Asynchronous, Online Synchronous Heather Hinton Open T 5:30pm - 7:30pm
Sep 2 to Dec 20