Hasso-Plattner-Institut - 25 Jahre HPI

Application Security (Sommersemester 2021)

Lecturer: Dr. Anne Kayem (Internet-Technologien und -Systeme)

General Information

  • Weekly Hours: 4
  • Credits: 6
  • Graded: yes
  • Enrolment Deadline: 18.03.2021 - 09.04.2021
  • Teaching Form: Lecture
  • Enrolment Type: Compulsory Module
  • Course Language: English

Programs, Module Groups & Modules

Cybersecurity MA

Description

Software applications have become an integral part of daily life, sharing information across devices pervasively and seamlessly to carry out an ever growing number of computing operations. One consequence of this ubiquity is the complexity of designing and maintaining applications in ways that guarantee security in addition to reliability and availability. Mainstream press examples of data and application breaches, such as the MyFitnessPal breach in 2018 that resulted in attackers acquiring the private data of more than 150 million users, underline the importance of secure design and coding. The goal of this course, therefore, is to learn how to identify, fix, and prevent security vulnerabilities.

In order to achieve this, we will study the principles, methods, and approaches needed for the development of secure applications, including web, mobile, and classic desktop applications. This will be done through a series of twice-weekly lectures during the summer semester, focused on methods of analysing software applications to identify vulnerability classes and their corresponding attack vectors, on a theoretical as well as a practical level.

Topics to be covered include:

  • Confidentiality, privacy and trust management
  • Secure databases 
  • Secure distributed systems
  • Flaws (Vulnerabilities) in Applications
  • Threats and Attack Vectors
  • Data Flow and Interprocedural Analysis
  • ...

=====

Course Schedule:

=====

Block 1: Preliminaries

  • Lecture 1: 13.04.2021 - Introduction & Course Overview
  • Lecture 2: 14.04.2021 - Notions of Confidentiality, Privacy, and Trust Management
  • Lecture 3: 20.04.2021 - Secure Software Design and Development
  • Lecture 4: 21.04.2021 - Threats and Attack Vectors

-------

Block 2: Identifying Security Flaws in Applications

  • Lecture 5: 27.04.2021 - Vulnerability Analysis and Errors
  • Lecture 6: 28.04.2021 - Parsing and Sensitive Data Exposure
  • Lecture 7: 04.05.2021 - Security Misconfiguration
  • Lecture 8: 05.05.2021 - Insecure Direct Object References

-------

Block 3: Context-Sensitive Vulnerability Analysis

  • Lecture 9: 11.05.2021 - Beyond Syntax in Vulnerability Analysis
  • Lecture 10: 12.05.2021 - Information Disclosure and Data Tampering
  • Lecture 11: 18.05.2021 - Denial of Service
  • Lecture 12: 19.05.2021 - Buffer Overflows

--------

Block 4: Data Flow Analysis and Secure Coding

  • Lecture 13: 25.05.2021 - Data Flow Abstraction for Vulnerability Analysis
  • Lecture 14: 26.05.2021 - Eliminating Redundancies and Loops

-------

  • Lecture 15: 01.06.2021 - Mid-Semester Presentations (Group I)
  • Lecture 16: 02.06.2021 - Mid-Semester Presentations (Group II)

--------

  • Lecture 17: 08.06.2021 - Principles of Secure Coding
  • Lecture 18: 09.06.2021 - Identifying Security Vulnerabilities
  • Lecture 19: 15.06.2021 - Identifying Security Vulnerabilities in C/C++ Programming
  • Lecture 20: 16.06.2021 - Exploiting and Securing Vulnerabilities in Java Applications

---------

Block 5: Interprocedural Analysis

  • Lecture 21: 22.06.2021 - Call Graphs, Context Sensitivity & Vulnerabilities
  • Lecture 22: 23.06.2021 - Context Sensitive Security and Analysis
  • Lecture 23: 29.06.2021 - Context-Sensitive Inter-Application Analysis
  • Lecture 24: 30.06.2021 - Data Flow Analysis
  • Lecture 25: 06.07.2021 - Coordinated Vulnerability Disclosure 
  • Lecture 26: 07.07.2021 - Secure Programming - Best Practices 

----

  • Lecture 27: 13.07.2021 - Final Presentations (Group I)
  • Lecture 28: 14.07.2021 - Final Presentations (Group II)

Requirements

Prerequisites:

  • Algorithms and Data Structures
  • Programming skills in any one (or several) of the following: C, C++, Java, Python, Javascript, PHP, and SQL

Literature

References and Study Material will be provided on a per lecture basis.

Learning

At the end of this course you should be able to do the following:

  • Critically assess applications for robustness to security vulnerabilities at different stages of the application's lifecycle, such as design, implementation, maintenance, and upgrades
  • Design secure applications by adopting secure by design principles
  • Critically analyse applications for security flaws and threats
  • Design features to counter identified threats

Examination

Evaluation towards the final grade will be based on presentations of coursework project results (mid-semester and final), as well as a take-home exam. Presentations count for 50% of the grade and the exam for the other 50%. The grading rubric is summarised below:

Grading Rubric             When? & Where?                                                     Grade %
Mid-Semester Presentation  Online via Zoom (01.06.2021 & 02.06.2021)                          20%
Final Presentation         Online via Zoom (13.07.2021 & 14.07.2021)                          30%
Exam (Take-Home)           Submission on Moodle (26.07.2021 @ 12 noon - 29.07.2021 @ 12 noon)  50%

Dates

Over the Summer Semester (13.04.2021 - 23.07.2021), lectures will be held twice weekly as follows:

Weekday Time Location
Tuesdays 09.15 - 10.45 Online (Zoom) 
Wednesdays 11.00 - 12.30 Online (Zoom) 


Lecture materials and further details on the course will be accessible on Moodle.

Note: To participate in the course you must be registered on the University of Potsdam's Moodle platform, and have registered to attend this course. Search for the course using "Application Security (Summer Semester)" or "AS-SoSe-202_1" and enroll using "AS-SoSe-2021".
