Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI
 

Application Security (Sommersemester 2022)

Lecturer: Dr. Anne Kayem (Internet-Technologien und -Systeme)

General Information

  • Weekly Hours: 4
  • Credits: 6
  • Graded: yes
  • Enrolment Deadline: 01.04.2022 - 30.04.2022
  • Examination time §9 (4) BAMA-O: 08.06.2022
  • Teaching Form: Lecture
  • Enrolment Type: Compulsory Module
  • Course Language: English

Programs, Module Groups & Modules

Cybersecurity MA
Data Engineering MA
Digital Health MA

Description

Software applications have become an integral part of daily life, sharing information across devices pervasively and seamlessly to conduct and ever growing number of computing operations. One of the results of software application ubiquity is the complexity of designing and maintaining these applications in ways that guarantee security in addition to reliability and availability. Main stream press examples of data and application breaches such as the case of the MyFitnessPal security breach in 2018 that resulted in hackers acquiring the private data of more than 150 million users, underline the importance of secure design and coding. The goal of this course therefore, is to learn how to identify, fix, and prevent security vulnerabilities.

In order to achieve this, we will study the principles, methods, and approaches needed for the development of secure applications such as web, mobile, and classic applications. This will be achieved through a series of twice weekly lectures during this summer semester, focused on studying methods of analysing software applications to identify and analyse vulnerability classes and corresponding attack vectors on a theoretical as well as practical level.

Topics to be covered include:

  • Confidentiality, privacy and trust management
  • Secure databases 
  • Secure distributed systems
  • Flaws (Vulnerabilities) in Applications
  • Threats and Attack Vectors
  • Data Flow and Interprocedural Analysis
  • ...

=====

Course Schedule:

=====

Block 1: Preliminaries

  • Lecture 1: 19.04.2022 - Introduction & Course Overview
  • Lecture 2: 20.04.2022 - Notions of Condentiality, Privacy, and Trust Management
  • Lecture 3: 26.04.2022 - Secure Software Design and Development
  • Lecture 4: 27.04.2022 - Threats and Attack Vectors

-------

Block 2: Identifying Security Flaws in Applications

  • Lecture 5: 03.05.2022 - Vulnerability Analysis and Errors
  • Lecture 6: 04.05.2022 - Parsing and Sensitive Data Exposure
  • Lecture 7: 10.05.2022 - Security Misconguration
  • Lecture 8: 11.05.2022 - Insecure Direct Object References

-------

Block 3: Context-Sensitive Vulnerability Analysis

  • Lecture 9: 17.05.2022 - Beyond Syntax in Vulnerability Analysis
  • Lecture 10: 18.05.2022 - Information Disclosure and Data Tampering
  • Lecture 11: 24.05.2022 - Denial of Service
  • Lecture 12: 25.05.2022 - Buffer Overflows

--------

Block 4: Data Flow Analysis and Secure Coding

  • Lecture 13: 31.05.2022 -  Data Flow Abstraction for Vulnerability Analysis

-------

  • Mid-Semester Presentations (Dates to be confirmed - Tentative: 01.06 - 08.06.2022)

--------

  • Lecture 17: 14.06.2022 - Principles of Secure Coding
  • Lecture 18: 15.06.2022 - Identifying Security Vulnerabilities
  • Lecture 19: 21.06.2022 - Identifying Security Vulnerabilities in C/C++ Programming
  • Lecture 20: 22.06.2022 - Exploiting and Securing Vulnerabilities in Java Applications

---------

Block 5: Interprocedural Analysis

  • Lecture 21:  28.06.2022 - Coordinated Vulnerability Disclosure
  • Lecture 22:  29.06.2022 - Secure Programming - Best Practices 

----

  • Final Presentations (Dates to be confirmed - Tentative: 05.07 - 20.07.2022)

-----

  • Lecture 29: 26.07.2022 - No lecture (Revision for Exam)
  • Lecture 30: 27.07.2022 - Final Exam @ 13.30 in H.2.57/58

Requirements

Prerequisites:

  • Algorithms and Data Structures
  • Programming skills in any one (or several) of the following: C, C++, Java, Python, Javascript, PHP, and SQL

Literature

References and Study Material will be provided on a per lecture basis.

Learning

At the end of this course you should be able to do the following:

  • Critically assess applications for robustness to security vulnerabilities at dierent stages of the application's lifecycle such as design, implementation, maintenance, and upgrades
  • Design secure applications by adopting secure by design principles
  • Critically analyse applications for security flaws and threats
  • Design features to counter identied threats

Examination

Evaluations towards the final grade, will be based on presentations of coursework project results (mid-point and final), as well as an exam. Presentations will count for 50% and the exam for 50%. The grading rubric is summarised below:

Grading Rubric When? & Where? Grade %
Mid-Semester Presentations  Dates to be confirmed (H.2.57/58) 20%
Final Presentations Dates to be connfirmed (H.2.57/58) 30%
Exam (Written - 90mins) July 27, 2022 @13.30 (H.2.57/58) 50%

Lecture materials and further details on course modalities will be accessible on Moodle.

Note: To participate in the course you must be registered on the University of Potsdam's Moodle platform, and have registered to attend this course. Search for the course using "Application Security Summer 2022" and register using "AS-SoSe-2022".

Dates

Unless otherwise stated, formal lectures and presentations, will hold as follows over the period of April 19 - July 29, 2022: 

  • Tuesdays: 09.15 - 10.45am (H.2.57/58)
  • Wednesdays: 13.30 - 15.00 (H.2.57/58)

Zurück