Hasso-Plattner-Institut25 Jahre HPI

Application Security (Wintersemester 2020/2021)

Lecturer: Dr. Anne Kayem (Internet-Technologien und -Systeme)

General Information

  • Weekly Hours: 4
  • Credits: 6
  • Graded: yes
  • Enrolment Deadline: 01.10.-20.11.2020
  • Teaching Form: Lecture
  • Enrolment Type: Compulsory Elective Module
  • Course Language: English
  • Maximum number of participants: 20

Programs, Module Groups & Modules

Cybersecurity MA

Description

Software applications have become an integral part of daily life, sharing information across devices pervasively and seamlessly to conduct an ever-growing number of computing operations. One result of this ubiquity is the complexity of designing and maintaining these applications in ways that guarantee security in addition to reliability and availability. Examples of data and application breaches reported in the mainstream press, such as the MyFitnessPal security breach in 2018 that resulted in hackers acquiring the private data of more than 150 million users, underline the importance of secure design and coding. The goal of this course, therefore, is to learn how to identify, fix, and prevent security vulnerabilities.

In order to achieve this, we will study the principles, methods, and approaches needed for the development of secure applications such as web, mobile, and classic applications. This will be achieved through a series of twice weekly lectures during the winter semester, focused on studying methods of analysing software applications to identify and analyse vulnerability classes and corresponding attack vectors on a theoretical as well as practical level.

Topics to be covered include:

  • Confidentiality, privacy and trust management
  • Secure databases 
  • Secure distributed systems
  • Flaws (Vulnerabilities) in Applications
  • Threats and Attack Vectors
  • Data Flow and Interprocedural Analysis
  • ...

=====

Course Schedule:

=====

Block 1: Preliminaries

  • Lecture 1: Nov. 4, 2020 - Introduction & Course Overview
  • Lecture 2: Nov. 5, 2020 - Notions of Confidentiality, Privacy, and Trust Management
  • Lecture 3: Nov. 11, 2020 - Secure Software Design and Development
  • Lecture 4: Nov. 12, 2020 - Threats and Attack Vectors

-------

Block 2: Identifying Security Flaws in Applications

  • Lecture 5: Nov. 18, 2020 - Vulnerability Analysis and Errors
  • Lecture 6: Nov. 19, 2020 - Parsing and Sensitive Data Exposure
  • Lecture 7: Nov. 25, 2020 - Security Misconfiguration
  • Lecture 8: Nov. 26, 2020 - Insecure Direct Object References

-------

Block 3: Context-Sensitive Vulnerability Analysis

  • Lecture 9: Dec. 2, 2020 - Beyond Syntax in Vulnerability Analysis
  • Lecture 10: Dec. 3, 2020 - Information Disclosure and Data Tampering
  • Lecture 11: Dec. 9, 2020 - Denial of Service
  • Lecture 12: Dec. 10, 2020 - Buffer Overflows

--------

Block 4: Data Flow Analysis and Secure Coding

  • Lecture 13: Dec. 16, 2020 - Data Flow Abstraction for Vulnerability Analysis
  • Lecture 14: Dec. 17, 2020 - Eliminating Redundancies and Loops

-- Christmas Break (21.12.2020 - 01.01.2021) --

  • Lecture 15: Jan. 6, 2021 - Mid-Semester Presentation (Group I)
  • Lecture 16: Jan. 7, 2021 - Mid-Semester Presentation (Group II)
  • Lecture 17: Jan. 13, 2021 - Principles of Secure Coding
  • Lecture 18: Jan. 14, 2021 - Identifying Security Vulnerabilities
  • Lecture 19: Jan. 20, 2021 - Identifying Security Vulnerabilities in C/C++ Programming
  • Lecture 20: Jan. 21, 2021 - Exploiting and Securing Vulnerabilities in Java Applications

---------

Block 5: Interprocedural Analysis

  • Lecture 21: Jan. 27, 2021 - Call Graphs, Context Sensitivity & Vulnerabilities
  • Lecture 22: Jan. 28, 2021 - Context Sensitive Security and Analysis
  • Lecture 23: Feb. 3, 2021 - Context-Sensitive Inter-Application Analysis
  • Lecture 24: Feb. 4, 2021 - Data Flow Analysis
  • Lecture 25: Feb. 10, 2021 - Coordinated Vulnerability Disclosure
  • Lecture 26: Feb. 11, 2021 - Secure Programming - Best Practices

Requirements

Prerequisites:

  • Algorithms and Data Structures
  • Compiler Theory
  • Probability and Statistics
  • Programming skills in C, C++, Java, Python, JavaScript, PHP, and SQL

Literature

References and study material will be provided on a per-lecture basis.

Learning

At the end of this course you should be able to do the following:

  • Critically assess applications for robustness to security vulnerabilities at different stages of the application's lifecycle such as design, implementation, maintenance, and upgrades
  • Design secure applications by adopting secure by design principles
  • Critically analyse applications for security flaws and threats
  • Design features to counter identified threats

Examination

Evaluations towards the final grade will be based on presentations of coursework project results (mid-point and final), as well as an exam. Presentations will count for 50% and the exam for 50%. The grading rubric is summarised below:

Grading Rubric            | When? & Where?                                      | Grade %
Mid-Semester Presentation | 06.01 - 07.01.2021 (Online via Zoom)                | 20%
Final Presentation        | 24.02 - 25.02.2021 (Workshop: Online via Zoom)      | 30%
Exam (Take-Home)          | 26.02 - 01.03.2020                                  | 50%

Dates

Over the Winter Semester (02.11.2020 - 15.02.2021), lectures will be held twice (2X) weekly as follows:

Weekday   | Time          | Location
Wednesday | 09.15 - 10.45 | Online (Zoom) or In-Class (HS1 & HS2)
Thursday  | 09.15 - 10.45 | Online (Zoom) or In-Class (H.E. 51/52)

 

Lecture materials and further details on course modalities will be accessible on Moodle.

Note: To participate in the course you must be registered on the University of Potsdam's Moodle platform, and have registered to attend this course. Search for the course using "Application Security" or "AS" and enroll using "AS-2020".
