CSC

Creating Secure Software
Session	Description	Lecturer
Lecture 1	Introduction to computer security First lecture starts with a definition of computer security and an explanation of why it is so difficult to achieve. The lecture highlights the importance of proper threat modelling and risk assessment. It then presents three complementary methods of mitigating threats: protection, detection, reaction; and tries to prove that security through obscurity is not a good choice.	Sebastian Lopienski
Lecture 2	Security in different phases of software development The second lecture addresses the following question: how to create secure software? It introduces the main security principles (like least-privilege, or defense-in-depth) and discusses security in different phases of the software development cycle. The emphasis is put on the implementation part: most common pitfalls and security bugs are listed, followed by advice on best practice for security development.	Sebastian Lopienski
Lecture 3	Web application security, exercise debriefing This third hour consists of a debriefing of the exercises, and in particular those web-related. Various vulnerabilities typical to web applications (such as Cross-site scripting, SQL injection, cross-site request forgery etc.) are introduced and discussed.	Sebastian Lopienski
Exercise 1 Exercise 2 Exercise 3	Avoiding, detecting and removing software security vulnerabilities In the practice session, a range of typical security vulnerabilities will be presented. The goal is to learn how they can be exploited (for privilege escalation, data confidentiality compromise etc.), how to correct them, and how to avoid them in the first place! Students will be given small pieces of source code in different programming languages, and will be asked to find vulnerabilities and fix them. The online course documentation will gradually reveal more and more information to help students in this task. Additionally, students will have a chance to try several source code analysis tools, and see how such tools can help them find functionality bugs and security vulnerabilities.	Sebastian Lopienski Giuseppe Lo Presti
Prerequisite and References	Desirable Prerequisite Basic knowledge of C and/or PHP PHP tutorial: http://php.net/tut.php Basic understanding of HTTP protocol Basic knowledge of SQL Books Secrets and Lies: Digital Security in a Networked World by Bruce Schneier Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson Writing Secure Code by Michael Howard, David LeBlanc Secure Coding: Principles and Practices by Mark G. Graff, Kenneth R. van Wyk