Security in Computer Applications
Thursday 24 February
11:30 - 12:25 Theory Block

Lecture 3

Security in Computer Applications

Sebastian Lopienski

The lecture will address the following issues:

  • how to think about security, how to design a secure computer system, and how to implement it

  • what the common errors, pitfalls, bugs and traps are while implementing, and what the common ways are for attackers to exploit code

  • how to make good use of cryptography (which algorithms to use, key lengths, validity of certificates, etc.)

  • threats appearing on the human-machine (or human-application) interface, and threats coming from dishonest users

  • many real-life examples of good security, poor security, misunderstood security, and security which in fact makes things less secure

1. Introduction

• What is security in the computer world

• Dangerous times

• Types of dangers

• Is it an issue for the average software developer (at CERN)?

2. Getting secure

• Prevention, detection and counteraction

• Why security is difficult to achieve

• General rules: simplicity, modularity, etc.

• What about security by obscurity?

• Bugs, flaws, vulnerabilities

3. Architecture and design

• Advantages of modularity

• Security of the whole system is only as strong as its weakest element

• Least privilege principle

• Other design principles

4. Coding (introduction)

• Readable and understandable code

5. Enemy number one: input data

• Strings and the buffer overflow issue

• Canonical representation problems

• Command-line arguments

• Data

• External code

6. Common problems, pitfalls and traps while implementing

• Using temporary files

• Working on files

• Environment variables and settings

• Parallel or non-atomic execution

• Hardcoding passwords

• SUID/SGID programs

7. Coding - advice

• Dealing with errors / catching exceptions

• Assertions

• Logging

• Dumping core / leaving debug information

• Optimizing code

• Network programs

8. After implementation

• Reviewing, testing

• Open source vs. proprietary solutions

• Tools

9. Identification, authentication, authorization

• Authentication with something you know, something you have, something you are (or a combination)

• Passwords

• ACLs

10. Cryptography - practical review

• Encryption (symmetric and asymmetric algorithms)

• PKI

• Hash functions and MACs

• Cryptography in network protocols (e.g. SSL)

11. How cryptography can help

• A lock in a door

• Keys: confidential; algorithm: public

• Don't implement cryptographic algorithms yourself

• Encrypted = secure?

• Key lengths

12. Other interesting techniques

• Steganography

• Port knocking

• etc.

13. Social engineering risks

• Phishing, hoaxes, etc.

• How can we help users (education, restrictive software, clear design)

• Password policy

14. Summary

• What is the main message?

• Further reading (on the lecture's web page)

• Questions?