Security and Secure Programming

Přednášející:

Tomáš Zahradnický, Róbert Lórencz (gar.)

Cvičící:

Tomáš Zahradnický

Předmět zajišťuje:

katedra počítačových systémů

Anotace:

Students will learn how to assess security risks and how to take them into account in the design phase of their own code and solutions. After getting familiar with the threat modeling theory, students gain practical experience with running programs with reduced privileges and methods of specifying these privileges, since not every program needs to run with administrator privileges. Students will also be briefly introduced to the principles of securing data and the relationships of security and database systems, web, remote procedure calls, and sockets in general. The module concludes with Denial of Service attacks and writing a secure code.

Požadavky:

Programming in C, knowledge of basic application interfaces and computer systems architectures.

Osnova přednášek:

1. Introduction to secure programming, current security trends.

2. Threat modeling.

3. The buffer overflow.

4. Writing secure code in C.

5. Security levels, Access Control Lists (ACL).

6. Running a program with low privileges.

7. Data security and integrity.

8. Data input, canonical representation, and security.

9. Security of databases.

10. Security of web applications.

11. Security of sockets and RPC.

12. Defence against Denial of Service attacks.

13. Summary and recapitulation.

Osnova cvičení:

1. Threat modeling.

2. The buffer overflow.

3. Running a program with low privileges.

4. Security of databases.

5. Security of web applications.

6. Defence against Denial of Service attacks.

Cíle studia:

The aim of the module is to teach the students to take into account the security aspects already in the design phase of their own software applications and solutions. Students will start with theoretical modeling of security threats, and move on to practical exercises with C programs. They will learn to determine the minimal privileges for a program to run. They will also learn to secure data, data communication, remote procedure calls, and websites.

Studijní materiály:

Howard, M., LeBlanc, D. ''Writing Secure Code (2nd Edition)''. Microsoft Press, 2003. ISBN 0735617228.

Howard, M., LeBlanc, D. „Writing Secure Code for Windows Vista“. Microsoft Press, 2007.

http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

Poznámka:

Rozsah=prednasky+proseminare+cviceni2p+1c, Prednasejici: doc. Ing. Róbert Lórencz CSc.

Rozvrh na zimní semestr 2011/2012:

Rozvrh není připraven

Rozvrh na letní semestr 2011/2012:

Rozvrh není připraven

Předmět je součástí následujících studijních plánů:

• Computer Security, Presented in English, Version for Students, who Enrolled in 2010 and 2011 (povinný předmět oboru)
• System Programming, in English, Version for Students, who Enrolled in 2010 and 2011 (povinný předmět zaměření)
• Master Informatics, Presented in English - Version for Students who Enrolled in 2010 (VO)
• Master Informatics, Presented in English - Version for Students who Enrolled in 2011 (VO)
• Master Informatics, Presented in English - Version for Students who Enrolled in 2012 (VO)
• Computer Security, Presented in English - Version for Students who Enrolled in 2012 (povinný předmět oboru)
• System Programming, Presented in English - Version for Students who Enrolled in 2012 (povinný předmět zaměření)