Secure Coding (Summer Semester 2020)
Lecturer: Sebastian Roschke
(Internet Technologies and Systems)
Dr. Feng Cheng
(Internet Technologies and Systems)
- Weekly hours per semester: 4
- ECTS: 6
- Enrollment period: 06.04.2020 - 22.04.2020
- Form of teaching: Lecture / Exercise
- Course type: Compulsory elective module
- Language of instruction: English
Degree programs & modules
- ISAE - Concepts and Methods
- ISAE - Techniques and Tools
- OSIS - Concepts and Methods
- OSIS - Techniques and Tools
Important: Due to the many uncertainties caused by the current spread of Covid-19, we have to cancel this course for this semester. We are sorry for any inconvenience this may cause you!
Security is a major consideration when building reliable applications for the web as well as for desktop and mobile platforms. While common security problems have been known for years, they are still prevalent in complex software systems. On top of that, new security issues are discovered every year, which makes it hard to keep track of all the different problems.
This block lecture focuses on
- security issues of applications on different platforms, such as web, desktop and mobile
- secure development: guidelines, standards and best practices
- security testing approaches: code review, pen-testing, vulnerability analysis, auditing and metrics (benchmarks)
Another major component of this lecture will be practical exercises to apply learned concepts in a CTF environment.
About the lecturer: Dr. Sebastian Roschke studied IT-Systems Engineering at HPI and finished with a PhD in 2012. His research focused on intrusion detection, alert correlation, and attack and defense techniques in general. After two internships at Google (2010, 2011), he joined Google in Mountain View, California, in 2012 as an Information Security Engineer. As part of Google's product security team, his focus was on security reviews: breaking new and existing Google products and advising development teams on secure application development across all of Google. In December 2018, he moved to Snap as a Security Engineering Manager. (Note from Dr. Sebastian Roschke: "I am teaching this course as an individual, and the thoughts presented are my own, not those of my current or previous employer").
This is NOT the full list of requirements, but it should give you an idea of some of the non-functional requirements:
- The application should be implemented in Python and run on Google App Engine (https://developers.google.com/appengine/)
- The application should make use of Ajax and HTML5
- The application should avoid security problems, e.g., XSS, XSRF, XSSI, SQLi, ...
Detailed requirements will be given out during the introductory session.
IMPORTANT: Please let us know beforehand if you are interested in taking this course by sending an email (E-Mail: s.roschke'at'gmail.com / feng.cheng'at'hpi.de) with the subject [SS2020_SECURE_CODING] so that we can plan the lecture accordingly and send you the invite for the introductory session.
- OWASP - https://www.owasp.org
- Browser Security Handbook - https://code.google.com/p/browsersec/wiki/Main
- Michal Zalewski - The Tangled Web - http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886
Forms of learning and teaching
The students will be evaluated based on a score that considers the quality of their developed application and their individual report covering the results of their individual pen-testing. The quality of the developed application includes design, code quality, functional completeness, and the number of security issues found. The individual report will be evaluated based on the quality and completeness of discovered vulnerabilities as well as formal quality of the report itself. The individual report should also describe the contribution to the developed application.
(Subject to change)
This lecture will be carried out in two phases over one week each.
- In the first week (currently planned for the week of July 06.-10., 2020), the major concepts will be discussed in a lecture spanning 4 days. This week concludes with an examination on Friday.
- In the second week, the students will be asked to solve practical exercises and produce write-ups which will be graded based on quality and completeness.
An introductory session will be given via Google Hangouts after the semester starts; invites will be sent out only to those students who expressed interest by mail.