2. About us
Prof. Justin Cappos
● 2008 PhD University of Arizona
● I build deployed secure systems
○ Stork, Seattle, TUF, upPIR, etc.
○ open source / participation
■ Seattle has patches from ~100 developers!
Prof. Dan Guido
● Co-Founder & CEO, Trail of Bits
○ Helps companies develop effective security strategies
● Hacker-in-Residence, NYU Poly
○ Helps maintain and grow security program at Poly
3. About this class
● Philosophy: learn by doing
○ hands-on (practical exercises)
■ You will build applications
■ You will find bugs in applications
■ You will fix bugs in applications
● Online / in-class interaction
○ Content is identical for the online and in-class versions
■ Videotaped lectures will be available online
○ You may have project partners in other 'classes'
■ This mimics real world projects
○ This class will heavily use the forum on Blackboard
4. About this class (cont.)
● Lecture-inversion
○ There will be videos to watch before most classes
○ In class time (normally) used for projects
■ Remote students can join in project classes
■ Google+ hangout or Skype session (details to come)
○ Attendance is strongly recommended (but not required)
■ I will treat you like an adult
● Course textbook
○ The Art of Software Security Assessment
■ We will heavily use this book
○ Outside materials
○ Finish reading assignment before class
5. Academic Integrity
● Tests, etc.
○ Read the university guidelines
● Assignments
○ Collaboration is encouraged
○ Specific policy in assignment
■ Intro Project: on your own
■ Main Project: very collaborative
● Strongly dislike cheaters!
○ I caught 6 last year.
6. Important Resources
● Course Web Page on Blackboard
○ Discussion forum
○ Assignment information
○ Reading schedule / materials
● Instructor: Justin Cappos
○ Office hours: 2 MetroTech 10.026, TBD
○ Email: jcappos@poly.edu, Google / Skype: justincappos
● Instructor: Dan Guido
○ Office hours: ???
○ Email: ???
● TA: Ojas Gosar
○ Office hours: RH 219, M 4-5, Th, 3-4
○ Email: ogosar01@students.poly.edu, Google / Skype: ojas.gosar
● TA: Jeffrey Dileo
○ Office hours: RH 219, TBD
○ Email: jtd@isis.poly.edu, Google / Skype: jtdileo
7. What will I learn?
● How to build secure applications
● Windows exploits, secure code lifecycle, mobile app hacking, memory corruption, sandboxing, SQL injection attacks, code auditing, security for enterprises, security for startups, application use of crypto, web app security (XSS, XSRF, etc.), bug bounties, ...
8. Other Security Classes
● Intro / Overlapping
○ CS 392 / 6813: Intro security
■ background
○ CS 6823: Network security
○ CS 6903: Modern Cryptography
○ CS 9163: Application security
■ Building secure applications (always with source)
○ CS 6573: Penetration Testing and Vulnerability Analysis
■ Exploiting flaws in applications (usually binaries)
● Advanced Security seminars
○ EL 9423: Special Topics in Computer Engineering: Introduction to Secure and Trusted Hardware (Spring 2010)
○ CS 9413: Readings in Comp Sci: Secure Systems
○ ...
9. Expectations
● About your background
○ Strong programming skills (C, Ruby, Python, Java)
You'll need basic competency for the class to make sense!
● Consistent workload
○ Practical / exploration focused
○ Background reading (see webpage)
Be sure to keep up!
11. Course Outline
Date     Topic                                    Assignment
Sept 4   Intro / Development Practices (*)       A1.1 assigned
Sept 11  Windows Internals (*)
Sept 18  Memory Corruption                       A1.1 due
Sept 25  Sandboxing                              A1.2 due
Oct 2    Mobile App Sec                          A1.3 due
Oct 9    Midterm Review                          A2.1 assigned
Oct 23   Midterm
Oct 30   Security for enterprise / startup (*)   A2.X due
Nov 6    Code Auditing 1                         A2.X due
Nov 13   Code Auditing 2                         A2.X due
Nov 20   Web apps
Nov 27   Practical crypto
Dec 4    Project presentations                   A2.X due
Dec 11   Final
12. Assignment outline
Assignment 1 (Intro): Build a simple application (a Turing-complete sandbox)
● Look for flaws in other sandboxes
● Fix minor code issues
● Re-architect code
● Individual
Assignment 2 (Main): Build a secure application
● Substantial application (>1,000 LOC)
● Must have different trust domains
● Mix of code types: SQL or Android or JavaScript...
○ (More to come)
● Group project with a changing group
○ accept outside patches, bug reports, etc.
13. Assignment 1, part 1
See blackboard
Discuss general questions on the forums