General
About CSC
Organisation

People
Process for CSC hosting
School Models
Role of Local Organisers
Other Roles

Participants
Past Schools

2004 2005 2006 2007 2008 2009 2010 2011

Diploma at CSC
Sport at CSC
Inverted CSCs

iCSC05 iCSC06 iCSC08 iCSC10 iCSC11

Special schools

School@chep06

Inverted School 2005

CSC 2005

CSC2005 Overview

Practical Information

Programme

Schedule

Lecturers

Participants

Organisers

 
Examination results
 
Grants from EU -FP6

Eligibility Conditions

Level of grant support

How to apply
CSC-Live
New  Lecture videos
New  Photo-Contest
New  Updated news
New  Social activities

CSC-Live

     

inverted CERN School of Computing 2005 23-25 February 2005, CERN

Programme Overview

Data Management and Data Bases

Advanced Software Development Engineering

Web Services
in Distributed Computing

Schedule

Lecturers

Lecturer Bios

Printable Version

Security in Computer Applications

     

Thursday 24 February

 
11:30 - 12:25 Theory Block

Lecture 3

Security in Computer Applications

Sebastian Lopienski

The lecture will address the following issues:

  • how to think of about security, how to design a secure computer system, and how to implement it

  • what are the common errors, pitfalls, bugs and traps while implementing, what are common ways for attackers to exploit some code,

  • how to make a good use of cryptography (which algorithms to use, length of keys, validity of certificates etc.),

  • threats appearing on the human-machine (or human-application) interface, and threats coming from dishonest users

  • many real-life examples of good security, poor security, misunderstood security and security which in fact makes things less secure

1. Introduction:
 
What is security in computer world
 
Dangerous times
 
Types of dangers
 
Is it an issue for average software developer (at CERN)?
 
2. Getting secure
 
Prevention, detection and counteraction
 
Why security is difficult to achieve
 
General rules: simplicity, modularity etc.
 
What about security by obscurity?
 
Bugs, flaws, vulnerabilities
 
3. Architecture and design
 
Advantages of modularity
 
Security of the whole system is only as strong as its weakest element
 
Least privilege principle
 
Other design principles
 
4. Coding (introduction)
 
Readable and understandable code
 
5. Enemy number one: input data
 
Strings and buffer overflow issue
 
Canonical representation problems
 
Command-line arguments
 
Data
 
External code
 
6. Common problems, pitfalls, traps while implementing
 
Using temporary files
 
Working on files
 
Environment variables and settings
 
Parallel or non-atomic execution
 
Hardcoding passwords
 
SUID/SGID programs
 
7. Coding - advices
 
Deal with error / Catch exceptions
 
Assertions
 
Logging
 
Dumping core/leaving debug information
 
Optimizing code
 
Network programs
 
8. After implementation
 
Reviewing, testing
 
Open source vs. proprietary solutions
 
Tools
 
9. Identification, authentication, authorization
 
Authentication with something you know, something you have, something you are (or a combination)
 
Passwords
 
ACLs
 
10. Cryptography - practical review
 
Encryption (symmetric and asymmetric algorithms)
 
PKI
 
Hash functions and MAC
 
Cryptography in network protocols (ex.: SSL)
 
11. How cryptography can help
 
A lock in a door
 
keys: confidential, algorithm: public
 
Don’t implement cryptographic algorithms
 
Encrypted = secure ?
 
Key lengths
 
12. Other interesting techniques
 
Steganography
 
Port knocking
 
etc.
 
13. Social engineering risks
 
Phishing, hoaxes etc.
 
How can we help users (education, restrictive software, clear design)
 
Password policy
 
14. Summary
 
What is the main message?
 
Future readings (at the lecture's web page)
 
Questions?

 

iCSC
All on iCSCs
News
Registration

Post-reg.

Handouts
Forum
Programme

Data Theme

Lecture1

Lecture2

Lecture3

Lecture4

Lecture5

All lectures

Soft Theme

Lecture1

Lecture2

Lecture3

Lecture4

Lecture5

Lecture6

All lectures

WS Theme

Lecture1

Lecture2

Lecture3

All lectures

Exercises New
FAQ
Social Events

 

Feedback: Computing (dot) School (at) cern (dot) ch
Last update: Thursday, 14. November 2013 11:48

Copyright CERN