Introduction to software security

Security is a non-functional requirement of software engineering. Creating inherently secure applications is a fundamental, yet often unknown, skill for a good developer or software engineer.

A vulnerability is software is an unmet security specification. Bug-free software does not exist and not all bugs lead to vulnerabilities.

Even if a vulnerability exists, there may not be an exploit for it.

The key issues in secure designs are:

Reduce privileged parts to a minimum
Keep it simple
Discard privileges definitively as soon as possible
Open design: not rely on obscurity
Take care of concurrency and race conditions
Fail-safe and default deny.
Filter the input and the output.
Use trusted libraries
Use trusted entropy sources such as /dev/urandom

Introduction to computer security

Authentication

Access control

Exercises on introduction

Exercises on authentication and access control

Introduction to cryptography and perfect ciphers

Computationally secure ciphers and pseudorandom number generators

Chosen Plaintext Attacks (CPAs)

Data integrity and Message Authentication Codes (MAC)

Asymmetric cryptosystems

Data authentication and digital signatures

The public key binding problem and digital certificates

Fundamentals of Information Theory

Exercises on cryptography

Introduction to software security

Recalls of Linux

Buffer overflows

Format String Bugs

Exercises on software security

Introduction to web security

Cross Site Scripting (XSS)

SQL injection

Cookies and sessions

Cross-Site Requests Forgery (CSRF)

Other vulnerabilities

Exercises on web security

Network Protocol Attacks

Firewalls

Architectures for secure networks

TLS and SET

Exercises on network security

Malwares introduction

Defending againts malware and stealth techniques

Exercises on malwares

Introduction to software security

No Comments