Skip Ribbon Commands
Skip to main content
Sign In Skip to Content

Advice for teachers -
Applied Computing

Unit 4 Software development

Area of Study 2: Cybersecurity: software security​

Outcome 2

Respond to a teacher-provided case study to examine the current software development security strategies of an organisation, identify the risks and the consequences of ineffective strategies and recommend a risk management plan to improve current security practices.

Examples of learning activities

  • Discuss how the use of physical and software security controls can protect software development practices. For example:
    • Climate control, physical locks and closed-circuit television cameras can be used to protect the physical devices and network hardware that is used to develop software, use software, and store data from physical threats to data and software.
    • Version control techniques, such as file naming, network storage and cloud services, can be used to ensure that the most recent solution files are being used and maintained.
    • User authentication and credentials, such as device/network log in/passwords, biometrics, and two-factor authentication, can be used to restrict access to systems/networks and protect spaces within systems/networks.
    • Encryption can be used to protect data that is being transmitted across or stored on systems, networks or the internet.
    • Software updates can be used to patch identified application vulnerabilities, which in turn, improve the security of systems and networks.
  • As a class, examine the release notes for an operating system and the software updates to highlight why they are necessary and how they protect data, software and the privacy of individuals.
  • Example icon for advice for teachers
    Using practical activities, demonstrate how encryption techniques can protect data and individuals when transmitted over a Wi-Fi network or stored on the network. Students practise this concept in class.
  • Students research software auditing and testing strategies (such as penetration testing, Static/Dynamic/Interactive Application Security Testing (SAST/DAST/IASP) and Runtime Application Self-Protection (RASP) technologies) to better understand how risk minimisation occurs as part of software development.
  • Students analyse media and online articles about data breaches, considering when the data breach occurred, the methods employed to acquire the data, and how the data was potentially used after its release.
  • Role-play the use of social engineering techniques with students to demonstrate how software and data can be easily compromised.
  • Create a multimedia presentation that focuses on the technical underpinnings of man-in-the-middle attacks, cross-site scripting and SQL injections, and the risks they pose to software and web applications, data and users.
  • Present examples of third-party applications that have undermined the security of the desktop or mobile operating systems they were installed on, how these did so, and the impact on users of the imposed vulnerability.
  • Conduct an analysis of examples of small data sets from a range of contexts that are presented in tabular or visual form. Students evaluate this data to identify whether data integrity is observable. Where data integrity has not been observed, students make suggestions to improve the integrity of the data.
  • Discuss examples of media and online articles that focus on why individuals have developed disruptive solutions and technologies.
  • Discuss examples of media and online articles that focus on why organisations embark on large-scale software development.
  • Prepare a presentation that compares how key features of relevant copyright, health records and privacy legislation impact the collection, storage and communication of data in public and private-sector organisations.
  • Propose a number of ethically challenging scenarios to students, facilitating discussion and debate, and asking them to clearly justify their position. For example:
    • taking credit for the work of others
    • lying to clients about products they are interested in purchasing, so you can receive a commission or earn more profit
    • having a large sum of money transferred into your bank account (by accident) when you have several expenses due in the next week. (Do you report the error
      or spend the money?)
  • Provide students with examples of criteria that evaluate the effectiveness of software development security strategies. These examples should be provided in a number of forms (e.g. questions, statements, dot points). For example, for the criterion of ‘security of development’:
    • The development of the solution will be protected using a range of physical and software security controls.
    • To what degree will physical and software security controls protect software development practices?
  • Discuss how the integrity of data may be impacted by ineffective security strategies employed by organisations. For example:
    • Web applications may present data stored in SQL tables using a range of techniques. If the application has not been secured effectively, malicious individuals could modify the organisation’s data using a SQL injection, and negatively impact on the accuracy, correctness or reasonableness of the data and reducing its effectiveness.
    • A server hosting a critical database for a weather modelling system used by an ocean shipping organisation has software updates applied once a week. On one occasion, the updates cause the server to be restarted unexpectedly overnight. This reduces the integrity of the data because the system relies on timely data to produce the weather forecasts.
  • Recommend a framework for students to develop risk management strategies that includes identified security risks, mitigation techniques, risk-minimisation approaches, and individuals responsible for managing specific risks.
  • Research online the risk management strategies used by familiar organisations (such as supermarkets or department store chains, financial institutions and government organisations) and compare the key elements and risk aversion techniques that each employs. Discuss how each organisation approaches risk differently.

Example icon for advice for teachers 

Detailed example

Encryption

Teachers employ a range of strategies to demonstrate the concept of encryption, the use of keys and how the process protects data during transmission and when being stored. Examples of approaches include:

  • using a simple message encryption/decryption activity or software application
  • running packet sniffer/network analysis software.

Simple message encryption/decryption activity (offline)

Students write a short message and then encrypt the message using a substitution cipher. Teachers provide students with a substitution cipher (letters, numbers, and symbols) or ask them to develop their own. In this activity, the substitution cipher acts as the encryption key.

In pairs, students share their messages around (without the cipher). Very quickly, students will discover that without the cipher the messages are not able to be understood. Students provide their cipher to their partner who then decrypts the message.

Simple message encryption/decryption activity (online)

Teachers can find simple message or data encryption/decryption applications online or create their own using a character substitution algorithm that shifts the characters x number of positions in the character table. For example:

  • If the algorithm changes a character using original_character_value + 5, the letter A would become F.
  • The original ASCII character value of A is 65. 65 + 5 = 70.
  • The new ASCII character value is 70, which translates to F.
  • Using the same algorithm on the number 7, would transform the character to <.
  • The original ASCII character value of 9 is 57. 57 + 5 = 62.
  • The new ASCII character value is 62, which translates to >.

Teachers demonstrate the software to students, highlighting how data stored using encryption can protect data by making it unreadable.

Running packet sniffer/network analyser software

Before conducting this activity, teachers should confirm its suitability with their IT Department personnel, and test the software on the school network prior to running it in class.

In consultation with IT staff, context and software chosen, teachers may choose to capture live data travelling through the network during class, or capture data prior to the class. Teachers may also choose to screen record the data capture process and then show the video to their class.

Teachers can select packets and demonstrate to students that while most data is transmitted securely over a network, some data is still transmitted in plain-text.