TDT4237 Software Security Introduction
Transcript of TDT4237 Software Security Introduction
About me
• 2002 – siv.ing. computer science – information security
• 2002-2009 – research scientist, information security, SINTEF
• 2004-2009 – PhD, Access Control, NTNU
• 2009 – 2013 – CISO, Lånekassen
• 2013 -> Head of information security section, Difi
• Teaching TDT4237 since 2006
How it works
• Part 1: Threats & hacking
• Part 2: Building Security In
• Part 3: Classic security + selected topics
• Exercises: Learning By Failing & Fixing – 3 parts
– Groups
Lecture plan (tentative)
● 29/8 - Introduction lecture
● 5/9 - OWASP Testing Guide Part 1 - information gathering + injection attacks
● 12/9 - OWASP Testing Guide Part 2 - injection attacks (contd.) + sessions, authentication, authorisation
● 19/9 - OWASP Workshop - hosted by Kantega. NB: 4 hours - 12:00-16:00
● 26/9 - Threat Modelling
● 3/10 - Building Security In Maturity Model (BSIMM)
● 10/10 - Risk Management Framework and Software Security Touchpoints
● 17/10 - Understanding Risk and RMF in-class example. NB: 4 hours - 12:00-16:00
● 24/10 - Risk-based security testing
● 31/10 - Authentication and authorisation
● 7/11 - Cryptography in software
● 14/11 - Security and insecurity
● 21/11 - Summary lecture
Exercises – learning by failing & fixing
● Exercise 1 – Black box + White box testing of vulnerable web app
– Presented 12/9 14:15-16:00 KJL1
– Deadline 25/9
● Exercise 2 - Fixing and extending the vulnerable app
– Presented 26/9 14:15-16:00 KJL1
– Deadline 23/10
● Exercise 3 – Black box + White box testing of another group's fixed (?) app
– Presented 24/10 14:15-16:00 KJL1
– Deadline 13/11
● The timeslot for exercise lectures is only used when announced!
Exercise groups
● 4-6 students
● To form a group – Send an e-mail with a list of the names and e-mails of the group members to [email protected]
● If you don't have a group – Send an e-mail to [email protected]
– You will be assigned to a group
● Deadline: September 11th
Evaluation and grading
● Exercises: 30%
● Exam: 70%
● You have to pass both! – You have to hand in all the exercises and get a passing grade to be allowed to take the exam
– If you fail the exam, you will fail the course
NewsBites
China to launch PC operating system this fall
US companies are not implementing Secure Shell (SSH) appropriately or well
10 Guiding Principles for Software Security
1. Secure the weakest link
2. Practice defense in depth
3. Fail securely
4. Follow the principle of least privilege
5. Compartmentalize
6. Keep it simple
7. Promote privacy
8. Remember that hiding secrets is hard
9. Be reluctant to trust
10. Use your community resources
Building Secure Software: How to avoid security problems the right way (John Viega and Gary McGraw)