Creating Secure Software |
Session |
Description |
Lecturer |
Lecture 1 |
Introduction to computer security
The first lecture starts with a definition of computer security and an explanation of why it is so difficult to achieve. The lecture highlights the importance of proper threat modelling and risk assessment. It then presents three complementary methods of mitigating threats (protection, detection and reaction) and tries to prove that security through obscurity is not a good choice. |
|
Lecture 2 |
Security in different phases of software development
The second lecture addresses the following question: how to create secure software? It introduces the main security principles (such as least privilege and defense in depth) and discusses security in different phases of the software development cycle. The emphasis is on the implementation phase: the most common pitfalls and security bugs are listed, followed by advice on best practices for secure development. |
|
Lecture 3 |
Web application security, exercise debriefing
This third hour consists of a debriefing of the exercises, in particular the web-related ones. Various vulnerabilities typical of web applications (such as cross-site scripting, SQL injection and cross-site request forgery) are introduced and discussed. |
|
Exercise 1 Exercise 2 Exercise 3 |
Avoiding, detecting and removing software security vulnerabilities
In the practice session, a range of typical security vulnerabilities will be presented. The goal is to learn how they can be exploited (for privilege escalation, data confidentiality compromise etc.), how to correct them, and how to avoid them in the first place! Students will be given small pieces of source code in different programming languages, and will be asked to find vulnerabilities and fix them. The online course documentation will gradually reveal more and more information to help students in this task. Additionally, students will have a chance to try several source code analysis tools, and see how such tools can help them find functionality bugs and security vulnerabilities. |
|
Prerequisite and References |
Desirable Prerequisite
Books
|