Software Security Lecture 0 Fang Yu Dept. of MIS National Chengchi University Spring 2011.

Software Security
- Instructor: Fang Yu
- Office:
- Weekly Meeting on Tuesday 9:00-12:00

Errors and Failures
- Software is developed by humans, and hence it is not perfect
- A human error may introduce a bug into the system
- When a bug gets triggered, it may generate a failure

Security Bugs and Failures
- A security bug is also called a vulnerability
- When a vulnerability gets triggered (exploited), it may generate a security failure (a violation of the security policy) and compromise the system

Security Analysis
- Security analysis is the process of determining the security posture of a system
- It answers the question: is the system vulnerable with respect to the known vulnerabilities?

About this course
- We will focus on Web application security and static analysis techniques
- You will
  - Learn how to identify and detect vulnerabilities in web applications
  - Learn how to exploit vulnerabilities in web applications
  - Learn how to remove vulnerabilities and how to prevent exploits of vulnerabilities in web applications

Main topics
- Web Application Security (8-10 weeks)
  - What are the most common vulnerabilities in web applications?
  - Common Vulnerabilities and Exposures (CVE)
  - OWASP
- Static Analysis Techniques (2-4 weeks)
  - (Automatic) Code Review
  - Taint analysis
  - String analysis
- Advanced Issues/Techniques/Tools (3-5 weeks)
  - Selected Papers/Tools

Text books
- The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. By Dafydd Stuttard and Marcus Pinto, Wiley Publishing, Inc., 2007 (全華圖書)
- Secure Programming with Static Analysis. By Brian Chess and Jacob West, Addison-Wesley Professional, 2007

Selected Papers
- Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song. "A Symbolic Execution Framework for JavaScript." In Proc. of the 31st IEEE Symposium on Security & Privacy (Oakland 2010)
- M. Cova, C. Kruegel, and G. Vigna. "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code." In Proceedings of the World Wide Web Conference (WWW 2010)
- Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010)
- V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications." In Proceedings of the USENIX Security Symposium, Washington, 2010
- Gary Wassermann and Zhendong Su. "Static Detection of Cross-site Scripting Vulnerabilities." In Proc. of the 30th International Conference on Software Engineering (ICSE 2008)
- Yichen Xie and Alex Aiken. "Static Detection of Security Vulnerabilities in Scripting Languages." In Proc. of the 15th USENIX Security Symposium (USENIX 2006)

Some Related Tools
- Stranger
  - a string analysis tool for PHP
  - we are working on a web-based version
- Java String Analyzer
  - a string analysis tool for Java

Course Requirement
- Select a chapter* of the Hacker's Handbook to present
- Select a paper* to present
- Select a tool and find an application to analyze
*Send me your topics as soon as you decide (first come, first served)

Grade Policy
- None of you will be failed
- Participation 10%
- Chapter and Paper Presentations 40%
- Term paper 50%

Beyond the technical issues...
- A comfortable environment for you to practice English
- Don't hesitate to ask questions
- Feel free to drop by my office