Introduction
Bad software is probably the most important cause of computer security problems. This course is about the challenges in developing secure software and the technologies that can be used to improve software security, at the various stages in the software development life-cycle and at various "levels", e.g. specific to an individual application or at the level of the programming language.
Objectives
At the end of the course students
- can explain the common ways in which software security fails;
- are able to identify security objectives of applications and identify likely places where they might fail;
- can explain methods and technologies that can help in the development of secure software;
- can apply some of these techniques in practice.
Concrete examples of attacks and countermeasures are often specific to a certain setting (a programming language and/or type of application); the aim is to provide enough insight to be able to assess problems and proposed solutions in other situations.
Subjects
- Common security vulnerabilities, such as input validation problems (buffer overflows, SQL injections, etc.), race conditions, broken access control, XSS, CSRF, etc.
- Security measures in the software development life cycle: architecture, language/platform, implementation, testing, code review
- Language-based security: typing, (Java) sandboxing, untrusted code security
- Information flow
- (Tool-supported) Static Analysis
- Examples of advanced type systems, e.g. for alias control or information flow
- Program Verification and Proof-Carrying Code (PCC)
Study investment
- 8 hrs computer course
- 4 hrs group-based lecture
- 30 hrs lecture
- 2 hrs personal study counseling
- 2 hrs student presentation
- 40 hrs student project
- 82 hrs individual study period
Teaching methods
Weekly lectures and project assignments. The project work consists of assignments in which students analyse more or less realistic pieces of code for potential security flaws using various techniques and tools.
Examination
The final grade is based on a written exam and marks for the project assignments.
Prerequisites
Programming skills, in particular in C(++) and Java.
Literature
Selected articles on topics treated in the course are made available via the course webpage.
Interesting background reading is provided by the books
- Building Secure Software, by John Viega and Gary McGraw. Addison-Wesley, 2002.
- Secure Coding: Principles & Practices, by Mark G. Graff and Kenneth R. van Wyk. O'Reilly, 2003.
- The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009.
which are all available in the library.
Website
http://www.cs.ru.nl/~erikpoll/ss
Extra information
This course is an obligatory course in the Kerckhoffs security master specialisation.