Introduction
Justin Cappos
Dan Guido
CS9163: Application Security
About us
Prof. Justin Cappos
● 2008 PhD University of Arizona
● I build deployed secure systems
○ Stork, Seattle, TUF, upPIR, etc.
○ open source / participation
■ Seattle has patches from ~100 devels!
Prof. Dan Guido
● Co-Founder & CEO, Trail of Bits
○ Helps companies develop effective security strategies
● Hacker-in-Residence, NYU Poly
○ Helps maintain and grow security program at Poly
About this class
● Philosophy: learn by doing
○ hands-on (practical exercises)
■ You will build applications
■ You will find bugs in applications
■ You will fix bugs in applications
● Online / in-class interaction
○ Content is identical for on-line and in-class version
■ Videotaped lectures will be available online
○ You may have project partners in other 'classes'
■ This mimics real world projects
○ This class will heavily use the forum on Blackboard
About this class (cont.)
● Lecture-inversion
○ There will be videos to watch before most classes
○ In class time (normally) used for projects
■ Remote students can join in project classes
■ Google+ hangout or Skype session (details to come)
○ Attendance is strongly recommended (but not required)
■ I will treat you like an adult
● Course textbook
○ The Art of Software Security Assessment
■ We will heavily use this book
○ Outside materials
○ Finish reading assignment before class
Academic Integrity
● Tests, etc.
○ Read the university guidelines
● Assignments
○ Collaboration is encouraged
○ Specific policy in assignment
■ Intro Project: on your own
■ Main Project: very collaborative
● Strongly dislike cheaters!
○ I caught 6 last year.
Important Resources
● Course Web Page on Blackboard
○ Discussion forum
○ Assignment information
○ Reading schedule / materials
● Instructor: Justin Cappos
○ Office hours: 2 MetroTech 10.026, TBD
○ Email: jcappos@poly.edu, Google / Skype: justincappos
● Instructor: Dan Guido
○ Office hours: ???
○ Email: ???
● TA: Ojas Gosar
○ Office hours: RH 219, M 4-5, Th, 3-4
○ Email: ogosar01@students.poly.edu, Google / Skype: ojas.gosar
● TA: Jeffrey Dileo
○ Office hours: RH 219, TBD
○ Email:jtd@isis.poly.edu, Google / Skype: jtdileo
What will I learn?
● How to build secure applications
● Windows exploits, secure code lifecycle, mobile app hacking, memory corruption, sandboxing, SQL injection attacks, code auditing, security for enterprises, security for startups, application use of crypto, web app security: XSS, XREF, etc., bug bounties, ...
Other Security Classes
● Intro / Overlapping
○ CS 392 / 6813: Intro security
■ background
○ CS 6823: Network security
○ CS 6903: Modern Cryptography
○ CS 9163: Application security
■ Building secure applications (always with source)
○ CS 6573: Penetration Testing and Vulnerability Analysis
■ Exploiting flaws in applications (usually binaries)
● Advanced Security seminars
○ EL 9423: Special Topics in Computer Engineering: Introduction
to Secure and Trusted Hardware (Spring 2010)
○ CS 9413: Readings in Comp Sci: Secure Systems
○ ...
Expectations
● About your background
○ Strong programming skills (C, Ruby, Python, Java)
You'll need basic competency for the class to make sense!
● Consistent workload
○ Practical / exploration focused
○ Background reading (see webpage)
Be sure to keep up!
Grading
● Midterm: 15%
● Final: 25%
● Projects: 50%
○ Projects are very, very important!
● In-Class Labs: 10%
Course Outline
Sept 4 Intro / Development Practices (*) A1.1 asgn
Sept 11 Windows Internals (*)
Sept 18 Memory Corruption A1.1 due
Sept 25 Sandboxing A1.2 due
Oct 2 Mobile App Sec A1.3 due
Oct 9 Midterm Review A2.1 asgn
Oct 23 Midterm
Oct 30 Security for enterprise / startup (*) A2.X due
Nov 6 Code Auditing 1 A2.X due
Nov 13 Code Auditing 2 A2.X due
Nov 20 Web apps
Nov 27 Practical crypto
Dec 4 Project presentations A2.X due
Dec 11 Final
Assignment outline
Assignment 1 (Intro): Build a simple application (a Turing-complete sandbox)
● Look for flaws in other sandboxes
● Fix minor code issues
● Re-architect code
● Individual
Assignment 2 (Main): Build a secure application
● Substantial application (>1 thousand LOC)
● Must have different trust domains
● Mix of code types: SQL or Android or JavaScript...
○ (More to come)
● Group project with a changing group
○ accept outside patches, bug reports, etc.
Assignment 1, part 1
See blackboard
Discuss general questions on the forums
Reading Next Week
See blackboard
1.1. course introduction