Inverted School 2005

CSC 2005

CSC2005 Overview

Practical Information

Examination results

Grants from EU -FP6

Eligibility Conditions

Level of grant support

How to apply

CSC-Live

New Lecture videos

New Photo-Contest

New Updated news

New Social activities

CSC-Live

inverted CERN School of Computing 2005 23-25 February 2005, CERN

Programme Overview

Data Management and Data Bases

Advanced Software Development Engineering

Web Services
in Distributed Computing

Schedule

Lecturers

Lecturer Bios

Printable Version

Security in Computer Applications

Thursday 24 February

11:30 - 12:25

Theory Block

Lecture 3

Security in Computer Applications

Sebastian Lopienski

The lecture will address the following issues:

how to think of about security, how to design a secure computer system, and how to implement it
what are the common errors, pitfalls, bugs and traps while implementing, what are common ways for attackers to exploit some code,
how to make a good use of cryptography (which algorithms to use, length of keys, validity of certificates etc.),
threats appearing on the human-machine (or human-application) interface, and threats coming from dishonest users
many real-life examples of good security, poor security, misunderstood security and security which in fact makes things less secure

1. Introduction:

•	What is security in computer world

•	Dangerous times

•	Types of dangers

•	Is it an issue for average software developer (at CERN)?

2. Getting secure

•	Prevention, detection and counteraction

•	Why security is difficult to achieve

•	General rules: simplicity, modularity etc.

•	What about security by obscurity?

•	Bugs, flaws, vulnerabilities

3. Architecture and design

•	Advantages of modularity

•	Security of the whole system is only as strong as its weakest element

•	Least privilege principle

•	Other design principles

4. Coding (introduction)

•	Readable and understandable code

5. Enemy number one: input data

•	Strings and buffer overflow issue

•	Canonical representation problems

•	Command-line arguments

•

Data

•	External code

6. Common problems, pitfalls, traps while implementing

•	Using temporary files

•	Working on files

•	Environment variables and settings

•	Parallel or non-atomic execution

•	Hardcoding passwords

•	SUID/SGID programs

7. Coding - advices

•	Deal with error / Catch exceptions

•	Assertions

•

Logging

•	Dumping core/leaving debug information

•	Optimizing code

•	Network programs

8. After implementation

•	Reviewing, testing

•	Open source vs. proprietary solutions

•

Tools

9. Identification, authentication, authorization

•	Authentication with something you know, something you have, something you are (or a combination)

•

Passwords

•

ACLs

10. Cryptography - practical review

•	Encryption (symmetric and asymmetric algorithms)

•

PKI

•	Hash functions and MAC

•	Cryptography in network protocols (ex.: SSL)

11. How cryptography can help

•	A lock in a door

•	keys: confidential, algorithm: public

•	Don’t implement cryptographic algorithms

•	Encrypted = secure ?

•	Key lengths

12. Other interesting techniques

•	Steganography

•	Port knocking

•

etc.

13. Social engineering risks

•	Phishing, hoaxes etc.

•	How can we help users (education, restrictive software, clear design)

•	Password policy

14. Summary

•	What is the main message?

•	Future readings (at the lecture's web page)

•	Questions?

iCSC

All on iCSCs

News

Registration

Post-reg.

Handouts

Forum

Programme

Soft Theme

Exercises New

FAQ

Social Events


	Feedback: Computing (dot) School (at) cern (dot) ch Last update: Thursday, 14. November 2013 11:48	Copyright CERN