Application Security (Wintersemester 2020/2021)
Lecturer:
Dr. Anne Kayem
(Internet-Technologien und -Systeme)
General Information
- Weekly Hours: 4
- Credits: 6
- Graded:
yes
- Enrolment Deadline: 01.10.-20.11.2020
- Teaching Form: Lecture
- Enrolment Type: Compulsory Elective Module
- Course Language: English
- Maximum number of participants: 20
Programs, Module Groups & Modules
- Cybersecurity
- HPI-CS-A Application Security
Description
Software applications have become an integral part of daily life, sharing information across devices pervasively and seamlessly to conduct and ever growing number of computing operations. One of the results of software application ubiquity is the complexity of designing and maintaining these applications in ways that guarantee security in addition to reliability and availability. Main stream press examples of data and application breaches such as the case of the MyFitnessPal security breach in 2018 that resulted in hackers acquiring the private data of more than 150 million users, underline the importance of secure design and coding. The goal of this course therefore, is to learn how to identify, fix, and prevent security vulnerabilities.
In order to achieve this, we will study the principles, methods, and approaches needed for the development of secure applications such as web, mobile, and classic applications. This will be achieved through a series of twice weekly lectures during the winter semester, focused on studying methods of analysing software applications to identify and analyse vulnerability classes and corresponding attack vectors on a theoretical as well as practical level.
Topics to be covered include:
- Confidentiality, privacy and trust management
- Secure databases
- Secure distributed systems
- Flaws (Vulnerabilities) in Applications
- Threats and Attack Vectors
- Data Flow and Interprocedural Analysis
- ...
=====
Course Schedule:
=====
Block 1: Preliminaries
- Lecture 1: Nov. 4, 2020 - Introduction & Course Overview
- Lecture 2: Nov. 5, 2020 - Notions of Condentiality, Privacy, and Trust Management
- Lecture 3: Nov. 11, 2020 - Secure Software Design and Development
- Lecture 4: Nov. 12, 2020 - Threats and Attack Vectors
-------
Block 2: Identifying Security Flaws in Applications
- Lecture 5: Nov. 18, 2020 - Vulnerability Analysis and Errors
- Lecture 6: Nov. 19, 2020 - Parsing and Sensitive Data Exposure
- Lecture 7: Nov. 25, 2020 - Security Misconguration
- Lecture 8: Nov. 26, 2020 - Insecure Direct Object References
-------
Block 3: Context-Sensitive Vulnerability Analysis
- Lecture 9: Dec. 2, 2020 - Beyond Syntax in Vulnerability Analysis
- Lecture 10: Dec. 3, 2020 - Information Disclosure and Data Tampering
- Lecture 11: Dec. 9, 2020 - Denial of Service
- Lecture 12: Dec. 10, 2020 - Buer Overflows
--------
Block 4: Data Flow Analysis and Secure Coding
- Lecture 13: Dec. 16, 2020 - Data Flow Abstraction for Vulnerability Analysis
- Lecture 14: Dec. 17, 2020 - Eliminating Redundancies and Loops
-- Christmas Break (21.12.2020 - 01.01.2021) --
- Lecture 15: Jan. 6, 2021 - Mid-Semester Presentation (Group I)
- Lecture 16: Jan. 7, 2021 - Mid-Semester Presentation (Group II)
- Lecture 17: Jan. 13, 2021 - Principles of Secure Coding
- Lecture 18: Jan. 14, 2021 - Identifying Security Vulnerabilities
- Lecture 19: Jan. 20, 2021 - Identifying Security Vulnerabilities in C/C++ Programming
- Lecture 20: Jan. 21, 2021 - Exploiting and Securing Vulnerabilities in Java Applications
---------
Block 5: Interprocedural Analysis
Lecture 21: Jan. 27, 2021 - Call Graphs, Context Sensitivity & Vulnerabilities
Lecture 22: Jan. 28, 2021 - Context Sensitive Security and Analysis
Lecture 23: Feb. 3, 2021 - Context-Sensitive Inter-Application Analysis
Lecture 24: Feb. 4, 2021 - Data Flow Analysis
Lecture 25: Feb. 10, 2021 - Coordinated Vulnerability Disclosure
Lecture 26: Feb. 11, 2021 - Secure Programming - Best Practices
Requirements
Prerequisites:
- Algorithms and Data Structures
- Compiler Theory
- Probability and Statistics
- Programming skills in C, C++, Java, Python, Javascript, PHP, and SQL
Literature
References and Study Material will be provided on a per lecture basis.
Learning
At the end of this course you should be able to do the following:
- Critically assess applications for robustness to security vulnerabilities at dierent stages of the application'slifecycle such as design, implementation, maintenance, and upgrades
- Design secure applications by adopting secure by design principles
- Critically analyse applications for security aws and threats
- Design features to counter identied threats
Examination
Evaluations towards the final grade, will be based on presentations of coursework project results (mid-point and final), as well as an exam. Presentations will count for 50% and the exam for 50%. The grading rubric is summarised below:
Grading Rubric | When? & Where? | Grade % |
Mid-Semester Presentation | 06.01 - 07.01. 2021 (Online via Zoom) | 20% |
Final Presentation | 24.02 -25.02.2021 (Workshop: Online via Zoom) | 30% |
Exam (Take-Home) | 26.02 - 01.03.2020 | 50% |
Dates
Over the Winter Semester (02.11.2020 - 15.02.2021), lectures will be organised on a twice (2X) weekly basis as follows:
Weekday | Time | Location |
Wednesday | 09.15 - 10.45 | Online (Zoom) or In-Class (HS1 & HS2) |
Thursday | 09.15 - 10.45 | Online (Zoom) or In-Class (H.E. 51/52) |
Lecture materials and further details on course modalities will be accessible on Moodle.
Note: To participate in the course you must be registered on the University of Potsdam's Moodle platform, and have registered to attend this course. Search for the course using "Application Security" or "AS" and enroll using "AS-2020".
Zurück