Security in Computer Applications
| |
|
|
Thursday 24 February |
|
|
11:30 - 12:25 |
Theory Block |
Lecture 3 |
Security in Computer Applications |
Sebastian Lopienski |
|
The lecture will address the following issues:
-
how to think of
about security, how to design a secure computer system,
and how to implement it
-
what are the
common errors, pitfalls, bugs and traps while
implementing, what are common ways for attackers to
exploit some code,
-
how to make a
good use of cryptography (which algorithms to use,
length of keys, validity of certificates etc.),
-
threats appearing
on the human-machine (or human-application) interface,
and threats coming from dishonest users
-
many real-life
examples of good security, poor security, misunderstood
security and security which in fact makes things less
secure
|
| |
|
• |
What is security in computer world |
|
| |
|
• |
Is it an issue for average software
developer (at CERN)? |
|
| |
|
• |
Prevention, detection and
counteraction |
|
| |
|
• |
Why security is difficult to achieve |
|
| |
|
• |
General rules: simplicity,
modularity etc. |
|
| |
|
• |
What about security by obscurity? |
|
| |
|
• |
Bugs, flaws, vulnerabilities |
|
|
3. Architecture and design
|
| |
|
• |
Advantages of modularity |
|
| |
|
• |
Security of the whole system is only
as strong as its weakest element |
|
| |
|
• |
Least privilege principle |
|
| |
|
• |
Other design principles |
|
| |
|
• |
Readable and understandable code |
|
|
5. Enemy number one: input data
|
| |
|
• |
Strings and buffer overflow issue |
|
| |
|
• |
Canonical representation problems |
|
|
6. Common problems, pitfalls, traps
while implementing
|
| |
|
• |
Environment variables and settings |
|
| |
|
• |
Parallel or non-atomic execution |
|
| |
|
• |
Deal with error / Catch exceptions |
|
| |
|
• |
Dumping core/leaving debug
information |
|
| |
|
• |
Open source vs. proprietary
solutions |
|
|
9. Identification, authentication,
authorization
|
| |
|
• |
Authentication with something you
know, something you have, something
you are (or a combination) |
|
|
10. Cryptography - practical review
|
| |
|
• |
Encryption (symmetric and asymmetric
algorithms) |
|
| |
|
• |
Cryptography in network protocols
(ex.: SSL) |
|
|
11. How cryptography can help
|
| |
|
• |
keys: confidential, algorithm:
public |
|
| |
|
• |
Don’t implement cryptographic
algorithms |
|
|
12. Other interesting techniques
|
|
13. Social engineering risks
|
| |
|
• |
How can we help users (education,
restrictive software, clear design) |
|
| |
|
• |
What is the main message? |
|
| |
|
• |
Future readings (at the lecture's
web page) |
|
|
|
|
|
