CSC2013  
The 36th main summer school  
19-30 August, Nicosia, Cyprus  
 

 Creating Secure Software

Session

Description

Lecturer

Lecture 1

Introduction to computer security

First lecture starts with a definition of computer security and an explanation of why it is so difficult to achieve. The lecture highlights the importance of proper threat modelling and risk assessment. It then presents three complementary methods of mitigating threats: protection, detection, reaction; and tries to prove that security through obscurity is not a good choice.

Sebastian Lopienski

Lecture 2

Security in different phases of software development

The second lecture addresses the following question: how to create secure software? It introduces the main security principles (like least-privilege, or defense-in-depth) and discusses security in different phases of the software development cycle. The emphasis is put on the implementation part: most common pitfalls and security bugs are listed, followed by advice on best practice for security development.

Sebastian Lopienski

Lecture 3 Web application security, exercise debriefing
This third hour consists of a debriefing of the exercises, and in particular those web-related. Various vulnerabilities typical to web applications (such as Cross-site scripting, SQL injection, cross-site request forgery etc.) are introduced and discussed.

Sebastian Lopienski

Exercise 1

Exercise 2

Exercise 3

Avoiding, detecting and removing software security vulnerabilities

In the practice session, a range of typical security vulnerabilities will be presented. The goal is to learn how they can be exploited (for privilege escalation, data confidentiality compromise etc.), how to correct them, and how to avoid them in the first place! Students will be given small pieces of source code in different programming languages, and will be asked to find vulnerabilities and fix them. The online course documentation will gradually reveal more and more information to help students in this task. Additionally, students will have a chance to try several source code analysis tools, and see how such tools can help them find functionality bugs and security vulnerabilities.

Sebastian Lopienski
Giuseppe Lo Presti

Prerequisite

and

References

Desirable Prerequisite

  • Basic knowledge of C and/or PHP

  • PHP tutorial: http://php.net/tut.php

  • Basic understanding of HTTP protocol

  • Basic knowledge of SQL

Books

  • Secrets and Lies: Digital Security in a Networked World by Bruce Schneier

  • Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson

  • Writing Secure Code by Michael Howard, David LeBlanc

  • Secure Coding: Principles and Practices by Mark G. Graff, Kenneth R. van Wyk

 

 
 

Copyright CERN

Print version