Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Course Wrap-up

advertisement 
Course Wrap-up
TDDC90 – Software Security
Ulf Kargén
Department of Computer and Information Science (IDA)
Division for Database and Information Techniques (ADIT)
Course topics
 Vulnerabilities in C/C++ programs
 Web security
 Secure software development
 Code reviews
 Static analysis
 Security testing
2
The Exam
 40 points total
 Grading:
 Pass (3): 20p
 4: 29p
 5: 35p
 No aids (except English dictionary in book format)
 Points per subjects will roughly correspond to the number of
lectures given for the subject.
 The two lectures on C/C++ vulnerabilities and the part about secure
software development are central to the course, and will be given
higher weight.
3
What to expect on the exam?
Vulnerabilities in C/C++ programs
 Vulnerabilities:
 Be able to describe all vulnerability types in the lecture –
What is the reason for the vulnerability and how to avoid it?
 Attacks:
 Be able to describe the stack-buffer overflow exploit in detail
 Conceptual understanding of the other exploit methods
 Mitigations
 Conceptual understanding of the mitigation techniques
described in the lecture – and attacks that circumvent them
 Be able to reason about which attacks could be mitigated
using a particular method
4
What to expect on the exam?
Vulnerabilities in C/C++ programs
 Exam questions:
 Will generally emphasize understanding over knowledge of
details.
 Will possibly require reading some code:

5
Spotting simple bugs in code examples, etc.
What to expect on the exam?
Web security
 Vulnerabilities:
 Be able to describe all vulnerability types in the lecture –
What is the reason for the vulnerability and how to avoid it.
 Attacks:
 Be able to describe basic ideas behind attacks
 Exam questions:
 Will be more conceptual than code-oriented
6
What to expect on the exam?
Secure software development and Code reviews
 Methods:
 Be able to describe methods and processes
 Be able to apply modelling and analysis methods on small
examples
 Design patterns:
 Be able to describe design patterns in course literature and
their motivation

Descriptions may require both UML-diagrams and Pseudo code
 No questions on accreditation in this year’s course
7
What to expect on the exam?
Static analysis
 Emphasize on conceptual understanding of the methods
described in the lectures, rather than the mathematical
formalisms.
 Important properties of methods
 Soundness and completeness
8
What to expect on the exam?
Security testing
 Understand challenges of security testing in general
 Conceptual understanding of methods
 Penetration testing
 Mutation based fuzzing
 Generation based fuzzing
 Concolic testing
 Compare strengths and weaknesses of said methods
 Understand fundamental challenges of concolic testing
 Questions will again focus on understanding rather than details
9
Final words
Remember:
 Hard hand-in deadline for labs 18th of December (18:00)
 Register for exam!
 Fill out course evaluation!
Where to go from here?
 TDDD17 – Information security, second course
 Master’s thesis opportunities at ADIT
10
Related documents
Abstract
Abstract
Vendor security questions
Vendor security questions
Lecture 3
Lecture 3
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Digital vulnerabilitz atlas of South Asia [PPT, 2.05
Syllabus
Syllabus
10 General Security Rules
10 General Security Rules
Program (in)security Thierry Sans
Program (in)security Thierry Sans
Software Security Risk Mitigation with Historical Information Web Site: www.ijaiem.org Email: ,
Software Security Risk Mitigation with Historical Information Web Site: www.ijaiem.org Email: ,
Software Security for Open- Source Systems Crispin Cowan, Ph.D. Chief Scientist, Immunix Inc.
Software Security for Open- Source Systems Crispin Cowan, Ph.D. Chief Scientist, Immunix Inc.
2. COSC 6301 – Computer Security Threats and Vulnerabilities
2. COSC 6301 – Computer Security Threats and Vulnerabilities
T he infrastructure of modern society is controlled by computational systems
T he infrastructure of modern society is controlled by computational systems
Computational Vulnerability Analysis for Information Survivability Howard Shrobe
Computational Vulnerability Analysis for Information Survivability Howard Shrobe
Document14671429 14671429
Document14671429 14671429
Vulnerability Cause Graphs: A Case of Study Linköpings universitet, Sweden Email:
Vulnerability Cause Graphs: A Case of Study Linköpings universitet, Sweden Email:
Questions Developers Ask While Diagnosing Potential Security
Questions Developers Ask While Diagnosing Potential Security
Static Techniques for Vulnerability Detection $EVWUDFW /LQN|SLQJVXQLYHUVLW\6ZHGHQ
Static Techniques for Vulnerability Detection $EVWUDFW /LQN|SLQJVXQLYHUVLW\6ZHGHQ
Cryptography Vulnerabilities on HackerOne
Cryptography Vulnerabilities on HackerOne
Secure Coding Principles and Practices
Secure Coding Principles and Practices
Zero-DayAttackDefence
Zero-DayAttackDefence
The Disclosure and Diffusion of Security Information
The Disclosure and Diffusion of Security Information
CISSP in 21 Days, Second Edition
CISSP in 21 Days, Second Edition
√ 3
√ 3
Download
advertisement