For TU/e students: if you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Brightspace reach you. A pdf with links to the online lectures has been sent over the security mailing list, so make sure you get on that list (via this web form)!
Lectures: Fridays 10:30-12:15
NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:
day | slides | Mandatory reading & mini-assignments
---|---|---
Sept 4 | |
Sept 11 | |
Sept 18 | |
1st assignment (individual or in pairs): PREfast. Deadline: Thursday Sept 24, 23:59 | Some generic feedback |
Sept 25 | |
Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing, static analysis tools and source code analyzers, information flow analysis (incl. tainting), program verification, and proof-carrying code.
The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the RU bachelor courses 'Hacking in C' and 'Web Security', but more on (addressing) the underlying causes and general techniques to improve the security of software.
The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides).
You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.
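As an added illustration of the kind of "simple" buffer overflow meant here (example code written for this page, not part of the course material or its slides): an unchecked strcpy beside a length-checked copy that refuses oversized input, plus the sizeof-on-array-parameter pitfall that often hides such bugs in code review. The buffer size NAME_LEN, the static name buffer and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* destination size in bytes, INCLUDING the NUL terminator (assumed) */

static char g_name[NAME_LEN];   /* constructed destination buffer for the example */

/* Unchecked copy: strcpy stops only at src's NUL terminator, so any src of
   NAME_LEN or more characters writes past the end of dst. This is the pattern
   to recognise; it is kept only for comparison and is never called below. */
void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Checked copy: refuse (rather than silently truncate) input that does not fit,
   and pass the destination size explicitly instead of guessing it.
   Note the >= rather than >: strlen() does not count the terminator, which
   also needs a byte. Getting this comparison off by one is itself an overflow. */
int copy_name_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) {
        return -1;                /* rejected; dst is left untouched */
    }
    memcpy(dst, src, n + 1);      /* n characters plus the NUL terminator */
    return 0;
}

/* Pitfall worth spotting in review: an array parameter decays to a pointer,
   so sizeof(dst) here is sizeof(char *), not NAME_LEN. A bounds check written
   as "if (n >= sizeof(dst))" would therefore be wrong on every platform. */
size_t misleading_sizeof(char dst[NAME_LEN]) {
    return sizeof(dst);
}

/* Convenience wrappers around the global buffer so results can be inspected. */
int set_name(const char *src) {
    return copy_name_checked(g_name, sizeof g_name, src);
}

const char *get_name(void) {
    return g_name;
}

int main(void) {
    /* constructed inputs: 5 chars fits, 15 chars is the largest that fits, 16 does not */
    printf("alice -> %d\n", set_name("alice"));
    printf("15 chars -> %d\n", set_name("0123456789abcde"));
    printf("16 chars -> %d (buffer still \"%s\")\n", set_name("0123456789abcdef"), get_name());
    printf("sizeof(array param) = %zu, NAME_LEN = %d\n", misleading_sizeof(g_name), NAME_LEN);
    return 0;
}
```

The two questions to ask when hunting for the "simple" cases are: does the copy know the destination size at all (strcpy, gets, sprintf do not), and if a check is present, does it account for the terminator and use the real size rather than sizeof of a pointer.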
Optional background reading
For additional background info I can recommend:

If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there.

More information on typical security issues can be found in the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Programming Errors.

Not always directly related to this course: a good way to keep up to date with the news and developments in cybersecurity is following the Risky Biz podcast, which also pays plenty of attention to software problems, and Bruce Schneier's blog.