1.1. course introduction
1 like1,148 views
This document provides information about an application security class being taught by Professors Justin Cappos and Dan Guido. It introduces the professors and their backgrounds in secure systems and security strategies. The class philosophy emphasizes hands-on learning through practical exercises where students will build, evaluate, and fix applications. Students can participate either in-person or online, and projects may involve partners from other class sections. The document outlines the course topics, assignments, resources, expectations, and grading. The first assignment involves building and evaluating sandboxes, while the main assignment is a collaborative group project to build a secure application.
1.1. course introduction
- 1. Introduction Justin Cappos Dan Guido CS9163: Application Security
- 2. About us Prof. Justin Cappos ● 2008 PhD University of Arizona ● I build deployed secure systems ○ Stork, Seattle, TUF, upPIR, etc. ○ open source / participation ■ Seattle has patches from ~100 devels! Prof. Dan Guido ● Co-Founder & CEO, Trail of Bits ○ Helps companies develop effective security strategies ● Hacker-in-Residence, NYU Poly ○ Helps maintain and grow security program at Poly
- 3. About this class ● Philosophy: learn by doing ○ hands-on (practical exercises) ■ You will build applications ■ You will find bugs in applications ■ You will fix bugs in applications ● Online / in-class interaction ○ Content is identical for on-line and in-class version ■ Videotaped lectures will be available online ○ You may have project partners in other 'classes' ■ This mimics real world projects ○ This class will heavily use the forum on Blackboard
- 4. About this class (cont.) ● Lecture-inversion ○ There will be videos to watch before most classes ○ In class time (normally) used for projects ■ Remote students can join in project classes ■ Google+ hangout or Skype session (details to come) ○ Attendance is strongly recommended (but not required) ■ I will treat you like an adult ● Course textbook ○ The Art of Software Security Assessment ■ We will heavily use this book ○ Outside materials ○ Finish reading assignment before class
- 5. Academic Integrity ● Tests, etc. ○ Read the university guidelines ● Assignments ○ Collaboration is encouraged ○ Specific policy in assignment ■ Intro Project: on your own ■ Main Project: very collaborative ● Strongly dislike cheaters! ○ I caught 6 last year.
- 6. Important Resources ● Course Web Page on Blackboard ○ Discussion forum ○ Assignment information ○ Reading schedule / materials ● Instructor: Justin Cappos ○ Office hours: 2 MetroTech 10.026, TBD ○ Email: jcappos@poly.edu, Google / Skype: justincappos ● Instructor: Dan Guido ○ Office hours: ??? ○ Email: ??? ● TA: Ojas Gosar ○ Office hours: RH 219, M 4-5, Th, 3-4 ○ Email:ogosar01@students.poly.edu,Google / Skype: ojas. gosar ● TA: Jeffrey Dileo ○ Office hours: RH 219, TBD ○ Email:jtd@isis.poly.edu, Google / Skype: jtdileo
- 7. What will I learn? ●How to build secure applications ●Windows exploits, secure code lifecycle, mobile app hacking, memory corruption, sandboxing, SQL injection attacks, code auditing, security for enterprises, security for startups, application use of crypto, web app security: XSS, XREF, etc., bug bounties, ...
- 8. Other Security Classes ● Intro / Overlapping ○ CS 392 / 6813: Intro security ■ background ○ CS 6823: Network security ○ CS 6903: Modern Cryptography ○ CS 9163: Application security ■ Building secure applications (always with source) ○ CS 6573: Penetration Testing and Vulnerability Analysis ■ Exploiting flaws in applications (usually binaries) ● Advanced Security seminars ○ EL 9423: Special Topics in Computer Engineering: Introduction to Secure and Trusted Hardware (Spring 2010) ○ CS 9413: Readings in Comp Sci: Secure Systems ○ ...
- 9. Expectations ● About your background ○ Strong programming skills (C, Ruby, Python, Java) You'll need basic competency for the class to make sense! ● Consistent workload ○ Practical / exploration focused ○ Background reading (see webpage) Be sure to keep up!
- 10. Grading ● Midterm: 15% ● Final: 25% ● Projects: 50% ○ Projects are very, very important! ● In-Class Labs: 10%
- 11. Course Outline Sept 4 Intro / Development Practices (*) A1.1 asgn Sept 11 Windows Internals (*) Sept 18 Memory Corruption A1.1 due Sept 25 Sandboxing A1.2 due Oct 2 Mobile App Sec A1.3 due Oct 9 Midterm Review A2.1 asgn Oct 23 Midterm Oct 30 Security for enterprise / startup (*) A2.X due Nov 6 Code Auditing 1 A2.X due Nov 13 Code Auditing 2 A2.X due Nov 20 Web apps Nov 27 Practical crypto Dec 4 Project presentations A2.X due Dec 11 Final
- 12. Assignment outline Assignment 1 (Intro): Build a simple application (a Turing- complete sandbox) ● Look for flaws in other sandboxes ● Fix minor code issues ● Re-architect code ● Individual Assignment 2 (Main): Build a secure application ● Substantial application (>1 thousand LOC) ● Must have different trust domains ● Mix of code types: SQL or Android or JavaScript... ○ (More to come) ● Group project with a changing group ○ accept outside patches, bug reports, etc.
- 13. Assignment 1, part 1 See blackboard Discuss general questions on the forums
- 14. Reading Next Week See blackboard