If you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Brightspace reach you!
Lectures: Fridays 10:30-12:15 in lecture room 00.28 in Mercator I.
NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:
1st assignment (individual or in pairs): PREfast. Deadline: Oct 3. Generic feedback on typical problems.
Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing, static analysis tools and source code analyzers, information flow analysis (incl. tainting), program verification, and proof-carrying code.
The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the RU bachelor courses 'Hacking in C' and 'Web Security', but more on (addressing) the underlying causes and general techniques to improve the security of software.
You MUST seriously participate in the project work and do all individual exercises to be admitted to the exam. The final grade is based on the exam (50%) and the project results (weighted as 10% for the individual project(s) and 40% for the group project), but you MUST pass the exam to pass the course.
The exam covers the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You are not expected to reproduce technical details from the papers, but you should be able to explain their core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides).
You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.
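To make concrete what "simple buffer overflow problems" means here, the following is an added C example (not part of the course page or its reading material): a fixed-size stack buffer filled by an unchecked strcpy, the bounds check that must precede such a copy (with the off-by-one that the NUL terminator introduces), and the strncpy pitfall that turns a naive fix into a different bug. The function names, NAME_MAX, and the sample names are invented for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* 15 visible characters plus the terminating NUL (illustrative size) */

/* Vulnerable pattern: the size of buf is never compared to the length of
 * src. Any src of NAME_MAX or more characters writes past the end of buf
 * (a stack buffer overflow). Returns the copied length for short inputs. */
int greet_unsafe(const char *src)
{
    char buf[NAME_MAX];
    strcpy(buf, src);                     /* no bound: overflows for long src */
    return (int)strlen(buf);
}

/* The check that must precede any copy into a fixed-size buffer.
 * Note the strict '<': a string of exactly bufsz characters does NOT fit,
 * because the copy also writes the NUL. Writing '<=' here is the classic
 * off-by-one that still overflows by a single byte. */
int fits_in(const char *src, size_t bufsz)
{
    return strlen(src) < bufsz;
}

/* Fixed version: reject input that does not fit instead of copying it.
 * Returns the copied length, or -1 if src was rejected. */
int greet_safe(const char *src)
{
    char buf[NAME_MAX];
    if (!fits_in(src, sizeof buf))
        return -1;
    memcpy(buf, src, strlen(src) + 1);    /* length checked above, NUL included */
    return (int)strlen(buf);
}

/* A common "fix" that is still wrong on its own: strncpy does not
 * NUL-terminate when src has bufsz or more characters, so a later
 * strlen(buf) reads past the buffer. Forcing a terminator on the last
 * byte repairs that, at the cost of silently truncating long names,
 * which is often a bug of its own (e.g. two distinct names compare equal). */
int greet_truncating(const char *src)
{
    char buf[NAME_MAX];
    strncpy(buf, src, sizeof buf);
    buf[sizeof buf - 1] = '\0';           /* without this line: no terminator */
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ok  = "Alice";                 /* 5 characters: fits */
    const char *bad = "Bartholomew Brown";     /* 17 characters: does not fit */

    printf("greet_safe(ok)        = %d\n", greet_safe(ok));         /* 5  */
    printf("greet_safe(bad)       = %d\n", greet_safe(bad));        /* -1 */
    printf("greet_truncating(bad) = %d\n", greet_truncating(bad));  /* 15 */
    printf("greet_unsafe(ok)      = %d\n", greet_unsafe(ok));       /* 5  */
    /* greet_unsafe(bad) is deliberately not called: it would overflow buf. */
    return 0;
}
```

The hint you would typically get in the exam is the size of the buffer and the fact that the input is attacker-controlled; the thing to spot is that nothing between those two facts compares them. Note that the truncating variant is the kind of "fix" that a static analyser such as PREfast may still flag, since the copy itself is bounded but the resulting string is not.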
Optional background reading
For additional background info I can recommend:
If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there. More information on typical security issues can be found in the OWASP Top 10 and CWE/SANS Top 25 Most Dangerous Programming Errors.
Not always directly related to this course: a good way to keep up to date with the news and developments in cybersecurity is following Risky Biz podcast, which also pays plenty of attention to software problems, and Bruce Schneier's blog.