Applied Information Security

Schedule

#	Topic	Details
	Preliminaries	program, process, shell, shell script, command-line environment, internet, TCP/IP, DNS, netcat
1	Hacking: Application-Level	security (CIA), attacker mindset & tools, web recap, code injection on web (eval, deserialization, XSS)
2	Hacking: Systems-Level	systems recap (hw, os, db), code injection on systems (command- & SQL-injection, buffer overflows)
	Hacking	packet sniffing (Wireshark), port scanning (nmap), base64, SQL injection, XSS, deserialization
3	Hacking: Non-Software	microarchitectural attacks, traffic analysis, airgap attacks, social engineering (weapons of influence)
4	Hardening	vulnerability scanning, intrusion detection, logging, malware removal, isolation, firewalls
	Hardening	isolation (NAT Network in VirtualBox), vulnerability scanning (gvm), exploitation (metasploit)
5	Security Engineering	security principles, security mechanisms (e.g. testing: SAST), security requirements, security evaluation
6	Authentication*	factors (know, have, are), passwords, tokens, single sign-on (SSO), multi-factor authentication (MFA)
	Engineering	security requirements, online dictionary attack (patator), logging (slf4j), MFA, SAST, Man in the Middle
7	Cryptography: Confidentiality	history (OTP), key generation, block cipher (AES, CBC), stream cipher (Salsa20), key exchange (DH)
8	Cryptography: Integrity*	hashing (SHA), authentication (HMAC, OCB, RSA), cryptosystems (TLS, PGP, OTR), password storage
	Cryptography	gpg, openssl, testssl, tokens (HMAC), offline dictionary attack (john), passwords (PBKDF2, passay)
9	Access Control	models (DAC, MAC, RBAC, ABAC), access control lists (ACL), capabilities, confused deputy, trojan horse
10	Microservice Security	decentralized access control, DAC (JWT, OAuth, proof of possession, OIDC), MAC (API gateway, OPA)
	Authorization	centralized: (ACL; setfacl, getfacl), decentralized: DAC (OAuth, OIDC, MFA), MAC (ABAC, OPA)
11	Trustworthy Software	language-based security, information-flow control (static analysis, runtime monitor), bases of trust
12	Human Factors*	developers (mistakes they make), end-users (enabling tasks, nudges), employees (insider defenses)
	Trustworthiness	bases of trust, information-flow control: static analysis, runtime monitor, dynamic policies (paragon)

Topic

Details

Preliminaries

program, process, shell, shell script, command-line environment, internet, TCP/IP, DNS, netcat

Hacking: Application-Level

security (CIA), attacker mindset & tools, web recap, code injection on web (eval, deserialization, XSS)

Hacking: Systems-Level

systems recap (hw, os, db), code injection on systems (command- & SQL-injection, buffer overflows)

Hacking

packet sniffing (Wireshark), port scanning (nmap), base64, SQL injection, XSS, deserialization

Hacking: Non-Software

microarchitectural attacks, traffic analysis, airgap attacks, social engineering (weapons of influence)

Hardening

vulnerability scanning, intrusion detection, logging, malware removal, isolation, firewalls

Hardening

isolation (NAT Network in VirtualBox), vulnerability scanning (gvm), exploitation (metasploit)

Security Engineering

security principles, security mechanisms (e.g. testing: SAST), security requirements, security evaluation

Authentication*

factors (know, have, are), passwords, tokens, single sign-on (SSO), multi-factor authentication (MFA)

Engineering

security requirements, online dictionary attack (patator), logging (slf4j), MFA, SAST, Man in the Middle

Cryptography: Confidentiality

history (OTP), key generation, block cipher (AES, CBC), stream cipher (Salsa20), key exchange (DH)

Cryptography: Integrity*

hashing (SHA), authentication (HMAC, OCB, RSA), cryptosystems (TLS, PGP, OTR), password storage

Cryptography

gpg, openssl, testssl, tokens (HMAC), offline dictionary attack (john), passwords (PBKDF2, passay)

Access Control

models (DAC, MAC, RBAC, ABAC), access control lists (ACL), capabilities, confused deputy, trojan horse

Microservice Security

decentralized access control, DAC (JWT, OAuth, proof of possession, OIDC), MAC (API gateway, OPA)

Authorization

centralized: (ACL; setfacl, getfacl), decentralized: DAC (OAuth, OIDC, MFA), MAC (ABAC, OPA)

Trustworthy Software

language-based security, information-flow control (static analysis, runtime monitor), bases of trust

Human Factors*

developers (mistakes they make), end-users (enabling tasks, nudges), employees (insider defenses)

Trustworthiness

bases of trust, information-flow control: static analysis, runtime monitor, dynamic policies (paragon)

*: work in progress.

Numbered rows are lectures. Un-numbered rows are assignments and labs.

Course Description

Here.

Examination

Exam briefing.

Review questions.