Companies and organizations around the world recognize, much more than ever before, the value of security in software. Vendors invest heavily in security processes that enable them to produce software that meets high security standards. This course describes the fundamental principles behind software security and explains the value of secure software in dependable ICT infrastructures. It also describes in detail the basic types of software vulnerabilities and shows how these can be rated and managed according to their respective risk.
Through lectures, assignments and workshops, students will learn how to identify security bugs both in software for which the source code is available (code review) and in software where the source code is not available (black box review). The vulnerabilities studied throughout this course come from a wide range of applications, including operating system software, embedded systems software, Internet services, desktop software, web applications and mobile applications.
Scope of the course: The primary goal of this course is the development of the following skills: the application of security best practices to software under development, the identification of security issues in open source and closed source software, the demonstration of a vulnerability, the rating of a vulnerability and the management of vulnerabilities throughout the design, implementation and maintenance phases of software projects. Students will also be introduced to state-of-the-art methods for the identification of vulnerabilities and recent techniques for the proactive mitigation of risks.
Labs: Various tools for static and dynamic code analysis (such as nm, file, objdump, strace and ltrace), debugging tools (gdb), protocol fuzzing (Peach), file fuzzing (honggfuzz) and web application security (bWAPP).
Course Coordinator: Prof. Panayiotis Kotzanikolaou