Hasso-Plattner-Institut

Secure Coding (Summer Semester 2013)

Lecturer: Prof. Dr. Christoph Meinel (Internet Technologies and Systems)

General Information

  • Weekly hours per semester: 4
  • ECTS: 6
  • Graded: Yes
  • Enrollment period: 10.2.2013 - 30.4.2013
  • Course format: Seminar
  • Enrollment type: Compulsory elective module

Degree Programs, Module Groups & Modules

IT-Systems Engineering BA


Security is a major reason for modern web applications to fail. Often this is caused by design flaws or simple implementation issues. Although the common problems in web development (XSS, XSRF, XSSI, SQLi, etc.) have been known for years, it is sometimes hard to avoid them. This seminar aims at teaching secure web development by working through the following tasks: 1) coding an application according to certain requirements and 2) pen testing the previously developed applications (and possibly others). The seminar includes a significant amount of development work.


This seminar will be done in two phases. The first phase covers web development of an application according to certain requirements (a common task you’ll get when working in the industry). The students will be divided into dev-groups and develop one application per group. The second phase covers penetration testing of all developed applications and possibly more. This phase is supposed to be done individually by each student. The detailed schedule can be found below:

  • 2013-04-17 - Introductory session - I will talk about the seminar on site
  • till 2013-06-13 (~8 weeks) - Phase I - Development of the applications
  • till 2013-07-13 (~4 weeks) - Phase II - Penetration testing of the applications

Requirements Outlook

This is NOT the full list of requirements, but it should give you an idea of some of the non-functional requirements:


  • The application should be implemented in Python and run on Google App Engine (https://developers.google.com/appengine/)
  • The application should make use of Ajax and HTML5
  • The application should avoid security problems, e.g., XSS, XSRF, XSSI, SQLi, ...
  • ...

Detailed requirements will be given out during the introductory session.


IMPORTANT: Please let me know beforehand if you are interested in taking this seminar by sending an email with the subject [SS2013_SECURE_CODING]. I need to adjust requirements and plan the seminar accordingly. (Dr. Sebastian Roschke - E-Mail: s.roschke(at)gmail.com)



I studied IT-Systems Engineering at HPI and finished with a PhD in 2012. My research was focused on Intrusion Detection, Alert Correlation, as well as attack and defense techniques in general. Now I work at Google in Mountain View, California as an Information Security Engineer. However, I am teaching this course as an individual, not as a Google employee, and the thoughts presented are my own, not necessarily those of my employer.


Learning and Teaching Formats



The students will be evaluated based on a score that considers the quality of their developed application and their individual report covering the results of their individual pen-testing. The quality of the developed application includes design, code quality, functional completeness, and the number of security issues found. The individual report will be evaluated based on the quality and completeness of the discovered vulnerabilities as well as the formal quality of the report itself. The individual report should also describe the student's contribution to the developed application.


Introduction: 17.04.2013, 11:00-12:30, H-2.57