Hasso-Plattner-Institut (25 Years of HPI)

Application Security (Summer Semester 2024)

Lecturer: Henryk Plötz (Cyber Security - Enterprise Security)

General Information

  • Weekly Hours: 4
  • Credits: 6
  • Graded: yes
  • Enrolment Deadline: 01.04.2024 - 30.04.2024
  • Examination time §9 (4) BAMA-O: 06.08.2024
  • Teaching Form: Lecture
  • Enrolment Type: Compulsory Module
  • Course Language: English

Programs, Module Groups & Modules

Cybersecurity MA
Digital Health MA
Data Engineering MA
Software Systems Engineering MA
  • HPI-SSE-S Systems Foundations
  • SSYS: Software Systems
    • HPI-SSYS-C Concepts and Methods
    • HPI-SSYS-T Technologies and Tools
    • HPI-SSYS-S Specialization
  • OISY: Online and Interactive Systems
    • HPI-OISY-C Concepts and Methods
    • HPI-OISY-T Technologies and Tools
    • HPI-OISY-S Specialization


Software is at the core of all computing, and computing is in all aspects of modern life. The security of software therefore affects all of the world around us. Modern interconnected systems must work correctly not only in the face of random faults and malfunctions; they also need to resist targeted malfeasance and fraud.

The goal of the course is to give students a broad understanding of how to build secure software and, consequently, secure systems. For this we need to study the interactions between the various parts and stages (hardware, operating system, compiler, runtime) of a computing platform, focusing on existing, past, and potential attacks on the various components. Each step is accompanied by a case study from a real-world project that showcases the principles at play.

Once we have built an understanding of the mechanisms of compromise, we will seek to prevent not only individual attacks but entire attack classes, working our way towards a positive definition of application security.

Topics covered include:

  • Mechanisms of access control and entity authentication
  • Attacks against control flow, memory safety, and side channels
  • Defenses and mitigations on hardware, kernel, and runtime layer
  • Defense bypasses and more advanced attack construction
  • Techniques to find and identify flaws
  • Approaches to prevent entire classes of flaws
  • Good development processes and habits, defensive programming


Students must be fluent in at least one programming language and have a cursory understanding of the different components of a computer system (hardware, OS).

The teaching language generally used is Python. Some examples will be presented in C.