
Software Security Lecture 0

Fang Yu

Dept. of MIS

National Chengchi University

Spring 2011


Software Security

Instructor: Fang Yu

Office: 150409

Weekly Meeting on Tuesday 9:00-12:00


Errors and Failures

Software is developed by humans, and hence it is not perfect

A human error may introduce a bug in the system

When a bug gets triggered, it may produce a failure


Security Bugs and Failures

A security bug is also called a vulnerability

When a vulnerability gets triggered (exploited), it may produce a security failure (a violation of the security policy) and compromise the system


Security Analysis

Security analysis is the process of determining the security posture of a system

It answers the question: is the system vulnerable with respect to the known kinds of vulnerabilities?


About this course

  • We will focus on Web application security and static analysis techniques

  • You will

    • Learn how to identify and detect vulnerabilities in web applications

    • Learn how to exploit vulnerabilities in web applications

    • Learn how to remove vulnerabilities and how to prevent exploitation of vulnerabilities in web applications


Main topics

  • Web Application Security (8-10 weeks)

    • What are the most common vulnerabilities in web applications?

      • Common Vulnerabilities and Exposures (CVE)

      • OWASP

  • Static Analysis Techniques (2-4 weeks)

    • (Automatic) Code Review

      • Taint analysis

      • String analysis

  • Advanced Issues/Techniques/Tools (3-5 weeks)

    • Selected Papers/Tools
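The taint analysis listed above under automatic code review, shown as an added example rather than as code from the course or from any of the tools it mentions. It is a flow-sensitive, intraprocedural analysis over a straight-line subset of PHP: superglobals are sources, a short list of calls are sanitizers, and echo / mysql_query / eval are sinks. The mini-PHP grammar handled by the regular expressions, the source/sanitizer/sink lists and the sample program are all assumptions constructed for illustration; real tools additionally handle control flow, functions and sink-specific sanitizer checks.

```python
import re

# Taint sources: user-controlled PHP superglobals (assumed list for the example).
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
# Calls whose result is treated as clean.  Assumed for the example; a real
# analysis checks the sanitizer against the sink (htmlspecialchars neutralises
# HTML, not SQL), which this toy deliberately does not do.
SANITIZERS = ("htmlspecialchars", "intval", "mysql_real_escape_string")
# Sinks and the vulnerability class a tainted argument implies.
SINKS = {"echo": "XSS", "mysql_query": "SQL injection", "eval": "code injection"}

ASSIGN = re.compile(r"^(\$\w+)\s*=\s*(.+)$")
CALL = re.compile(r"^(\w+)\s*\((.*)\)$")
ECHO = re.compile(r"^echo\s+(.+)$")
VAR = re.compile(r"\$\w+")
SANITIZED = re.compile(r"\b(?:%s)\s*\([^()]*\)" % "|".join(SANITIZERS))


def is_tainted(expr, tainted):
    """True if expr may carry attacker-controlled data given the tainted set."""
    cleaned = SANITIZED.sub("''", expr)  # sanitised sub-expressions become a literal
    if any(src in cleaned for src in SOURCES):
        return True
    return any(v in tainted for v in VAR.findall(cleaned))


def analyze(php):
    """Walk a straight-line mini-PHP program statement by statement, keeping
    the set of tainted variables.  Returns (line, sink, vulnerability) tuples."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(php.strip().splitlines(), 1):
        stmt = raw.strip().rstrip(";").strip()
        if not stmt or stmt.startswith(("<?php", "//")):
            continue
        target, rhs = None, stmt
        m = ASSIGN.match(stmt)
        if m:
            target, rhs = m.group(1), m.group(2).strip()
        # Does the right-hand side reach a sink?
        m = ECHO.match(rhs)
        if m:
            sink, args = "echo", m.group(1)
        else:
            m = CALL.match(rhs)
            sink, args = (m.group(1), m.group(2)) if m else (None, rhs)
        if sink in SINKS and is_tainted(args, tainted):
            findings.append((lineno, sink, SINKS[sink]))
        # Transfer function for assignment: generate taint from a tainted
        # right-hand side, kill it on a clean reassignment.
        if target is not None:
            if is_tainted(rhs, tainted):
                tainted.add(target)
            else:
                tainted.discard(target)
    return findings


# Constructed sample program (not from the page): two clean flows through
# sanitizers, one XSS flow into echo and one SQL injection flow via a
# reassigned variable.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
$id = intval($_GET['id']);
$safe = htmlspecialchars($name);
echo "Hello " . $safe;
echo "Hello " . $name;
$q = "SELECT * FROM users WHERE id = " . $id;
mysql_query($q);
$q = "SELECT * FROM users WHERE name = '" . $name . "'";
$r = mysql_query($q);
"""

if __name__ == "__main__":
    for line, sink, vuln in analyze(SAMPLE_PHP):
        print("line %d: tainted data reaches %s -> %s" % (line, sink, vuln))
```

Running the block reports line 6 (echo of the raw $name) as XSS and line 10 as SQL injection; lines 5 and 8 stay quiet because the taint was killed by htmlspecialchars and intval. The reassignment of $q on line 9 is the case a flow-insensitive analysis gets wrong in one direction or the other, which is why the transfer function tracks both generation and kill of taint.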


Text books

  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.

    • By Dafydd Stuttard and Marcus Pinto, Wiley Publishing, Inc., 2007

    • Chuan Hwa Book Co. (全華圖書), 02-22625666

  • Secure Programming with Static Analysis.

    • By Brian Chess and Jacob West, Addison-Wesley Professional, 2007


Selected Papers

Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song. "A Symbolic Execution Framework for JavaScript." In Proc. of the 31st IEEE Symposium on Security & Privacy (Oakland 2010)

M. Cova, C. Kruegel, G. Vigna. "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code." In Proc. of the World Wide Web Conference (WWW 2010)

Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010)

V. Felmetsger, L. Cavedon, C. Kruegel, G. Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications." In Proc. of the 19th USENIX Security Symposium (Washington, DC, 2010)

Gary Wassermann and Zhendong Su. "Static Detection of Cross-site Scripting Vulnerabilities." In Proc. of the 30th International Conference on Software Engineering (ICSE 2008)

Yichen Xie and Alex Aiken. "Static Detection of Security Vulnerabilities in Scripting Languages." In Proc. of the 15th USENIX Security Symposium (USENIX 2006)


Some Related Tools

  • Stranger

    • a string analysis tool for PHP


    • we are working on a web-based version

  • Java String Analyzer

    • a string analysis tool for Java



Course Requirement

Select a chapter* of the Web Application Hacker's Handbook to present

Select a paper* to present

Select a tool and find an application to analyze

*Send me your topics as soon as you decide (first come, first served)


Grade Policy

None of you will fail

Participation 10%

Chapter and Paper Presentations 40%

Term paper 50%


Beyond the technical issues…

A comfortable environment in which to practice your English

Don’t hesitate to ask questions

Feel free to drop by my office
