Software Security Lecture 0 - PowerPoint PPT Presentation
Presentation Transcript
Software Security, Lecture 0

Fang Yu

Dept. of MIS

National Chengchi University

Spring 2011

Software Security

Instructor: Fang Yu

Office: 150409

Weekly Meeting on Tuesday 9:00-12:00

Errors and Failures

Software is developed by humans, and hence it is not perfect

A human error may introduce a bug in the system

When a bug gets triggered, it may generate a failure

Security Bugs and Failures

A security bug is also called a vulnerability

When a vulnerability gets triggered (exploited), it may generate a security failure (a violation of the security policy) and compromise the system

Security Analysis

Security analysis is the process of determining the security posture of a system

It answers the question: is the system vulnerable with respect to the known vulnerabilities?

About this course
  • We will focus on Web application security and static analysis techniques
  • You will
    • Learn how to identify and detect vulnerabilities in web applications
    • Learn how to exploit vulnerabilities in web applications
    • Learn how to remove vulnerabilities and how to prevent exploits of vulnerabilities in web applications
Main topics
  • Web Application Security (8-10 weeks)
    • What are the most common vulnerabilities in web applications?
      • Common Vulnerability and Exposure
      • OWASP
  • Static Analysis Techniques (2-4 weeks)
    • (Automatic) Code Review
      • Taint analysis
      • String analysis
  • Advanced Issues/Techniques/Tools (3-5 weeks)
    • Selected Papers/Tools
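The vulnerability/exploit/failure chain from the earlier slides and the "taint analysis" item above can be seen in a few dozen lines. The following is an added example, not code from the course, from the slides, or from the Stranger tool: a toy taint analysis in Python over a constructed PHP-like program. The source, sink and sanitizer tables, the sample program and the function names are assumptions made for illustration; the parser handles only one statement per line with no control flow. The point it demonstrates is that a sanitizer only removes the vulnerability class it was written for, so HTML-escaped data flowing into a SQL query is still flagged.

```python
"""Toy taint analysis for a PHP-like straight-line program.

Added example, not code from the course or from the Stranger tool.
The parser is deliberately minimal: one statement per line, assignments,
`echo` statements and single function calls; no control flow.
"""
import re

# Hypothetical source/sink/sanitizer tables, the kind a taint analysis is
# configured with. Each sink and sanitizer is tied to one vulnerability class.
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}
SINKS = {"echo": "XSS", "mysql_query": "SQL injection"}
SANITIZERS = {"htmlspecialchars": "XSS", "mysql_real_escape_string": "SQL injection"}
ALL_CLASSES = set(SINKS.values())

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
ECHO_RE = re.compile(r"^\s*echo\s+(.+?);\s*$")
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\);\s*$")
WRAPPED_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")
VAR_RE = re.compile(r"\$\w+")


def taint_of(expr, env):
    """Set of vulnerability classes the expression is still tainted for."""
    m = WRAPPED_RE.match(expr)
    if m and m.group(1) in SANITIZERS:
        # A sanitizer removes exactly the class it was written for, nothing else.
        return taint_of(m.group(2), env) - {SANITIZERS[m.group(1)]}
    taint = set()
    for var in VAR_RE.findall(expr):  # "$_GET['x']" yields "$_GET"
        if var in SOURCES:
            taint |= ALL_CLASSES
        else:
            taint |= env.get(var, set())
    return taint


def analyze(program):
    """Return (line_no, sink, vuln_class) for every tainted flow into a sink."""
    env = {}        # variable name -> taint classes
    findings = []
    for line_no, raw in enumerate(program.splitlines(), start=1):
        line = raw.split("//", 1)[0]  # strip trailing comment
        if not line.strip():
            continue
        if m := ASSIGN_RE.match(line):
            env[m.group(1)] = taint_of(m.group(2), env)
            continue
        if m := ECHO_RE.match(line):
            sink, arg = "echo", m.group(1)
        elif m := CALL_RE.match(line):
            sink, arg = m.group(1), m.group(2)
        else:
            continue
        if sink in SINKS and SINKS[sink] in taint_of(arg, env):
            findings.append((line_no, sink, SINKS[sink]))
    return findings


# Constructed sample program (not real application code).
SAMPLE = """\
$name = $_GET['name'];
$safe = htmlspecialchars($name);
echo "Hello " . $safe;                                   // sanitized for HTML
echo "Hello " . $name;                                   // raw input reaches echo
$q = "SELECT * FROM users WHERE name = '" . $safe . "'";  // HTML-escaped, not SQL-escaped
mysql_query($q);
"""

if __name__ == "__main__":
    for line_no, sink, vuln in analyze(SAMPLE):
        print(f"line {line_no}: tainted data reaches {sink}() -> {vuln}")
```

Running it reports line 4 (raw request data reaches `echo`, an XSS flow) and line 6 (`htmlspecialchars` output reaches `mysql_query`, still a SQL injection flow), while line 3 is accepted. Real tools such as the string analyzers listed later track the actual string values rather than a coarse per-class taint bit, which is what lets them decide whether a particular escaping routine is sufficient for a particular sink.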
Text books
  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.
    • By Dafydd Stuttard and Marcus Pinto, Wiley Publishing, Inc., 2007
    • Chuan Hwa Book Co. (全華圖書), tel. 02-22625666
  • Secure Programming with Static Analysis.
    • By Brian Chess and Jacob West, Addison-Wesley Professional, 2007
Selected Papers

Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song. "A Symbolic Execution Framework for JavaScript." In Proc. of the 31st IEEE Symposium on Security & Privacy (Oakland 2010)

M. Cova, C. Kruegel, and G. Vigna. "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code." In Proc. of the World Wide Web Conference (WWW 2010)

Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010)

V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications." In Proc. of the USENIX Security Symposium, Washington, 2010

Gary Wassermann and Zhendong Su. "Static Detection of Cross-site Scripting Vulnerabilities." In Proc. of the 30th International Conference on Software Engineering (ICSE 2008)

Yichen Xie and Alex Aiken. "Static Detection of Security Vulnerabilities in Scripting Languages." In Proc. of the 15th USENIX Security Symposium (USENIX 2006)

Some Related Tools
  • Stranger
    • a string analysis tool for PHP
    • we are working on a web-based version
  • Java String Analyzer
    • a string analysis tool for Java
Course Requirement

Select a chapter* of the Hacker's Handbook to present

Select a paper* to present

Select a tool and find an application to analyze

*Send me your topics as soon as you decide (first come, first served)

Grade Policy

None of you will be failed

Participation 10%

Chapter and Paper Presentations 40%

Term paper 50%

Beyond the technical issues…

A comfortable environment for you to practice English

Don’t hesitate to ask questions

Feel free to drop by my office