Sunday 12 February 2005

09:00 12:25

Sebastian Lopienski

CERN

Computer Security 2: From Theory to Implementation

Overview

Computer security has been an increasing concern for IT professionals for a number of years, yet despite all the efforts, computer systems and networks remain highly vulnerable to attacks of different kinds. Design flaws and security bugs in the underlying software are among the main reasons for this situation. This series of lecture aims at explaining what computer security is, and how secure systems should be designed and developed.

The series will start with a definition of computer security and introduction of concepts like threat modeling and risk assessment, as well as protection, detection and reaction strategies. It then presents real-life examples of vulnerabilities and attacks, and describe the role of cryptography: where it can help, and where this needs to be complemented by other mechanisms. One of the focuses of the series is security of software applications. This part targets software developers, drawing their attention to the main pitfalls and providing guidelines for best practices.

Outline

Introduction to Computer Security

First lecture starts with a definition of computer security and an explanation of why it is so difficult to achieve. The lecture highlights the importance of proper threat modelling and risk assessment. It then presents three complementary methods of mitigating threats: protection, detection, reaction; and tries to prove that security thru obscurity is not a good choice.

Real-life threats, vulnerabilities, exploits and attacks

Second lecture discusses different vectors of attacks and motives behind them, various types of attackers and ways they exploit vulnerabilities. It includes studies of real-life cases and scenarios. The conclusion drawn here is that while many problems can be solved with cryptography, some lie outside the scope of cryptographic solutions. Several miscellaneous issues like social engineering threats are also covered in this part.

Security in different phases of software development

Last lecture addresses the following question: how to create secure software? It introduces the main security principles (like least-privilege, or defense-in-depth) and discusses security in different phases of the software development cycle. The emphasis is put on the implementation part: most common pitfalls and security bugs are listed, followed by advice on best practice for security development.