Schedule

| # | Topic | Details |
|---|---|---|
| | Preliminaries | program, process, shell, shell script, command-line environment, internet, TCP/IP, DNS, netcat |
| 1 | Hacking: Application-Level | security (CIA), attacker mindset & tools, web recap, code injection on web (eval, deserialization, XSS) |
| 2 | Hacking: Systems-Level | systems recap (hw, os, db), code injection on systems (command- & SQL-injection, buffer overflows) |
| | Hacking | packet sniffing (Wireshark), port scanning (nmap), base64, SQL injection, XSS, deserialization |
| 3 | Hacking: Non-Software | microarchitectural attacks, traffic analysis, airgap attacks, social engineering (weapons of influence) |
| 4 | Hardening | vulnerability scanning, intrusion detection, logging, malware removal, isolation, firewalls |
| | Hardening | isolation (NAT Network in VirtualBox), vulnerability scanning (gvm), exploitation (metasploit) |
| 5 | Security Engineering | security principles, security mechanisms (e.g. testing: SAST), security requirements, security evaluation |
| 6 | Authentication* | factors (know, have, are), passwords, tokens, single sign-on (SSO), multi-factor authentication (MFA) |
| | Engineering | security requirements, online dictionary attack (patator), logging (slf4j), MFA, SAST, Man in the Middle |
| 7 | Cryptography: Confidentiality | history (OTP), key generation, block cipher (AES, CBC), stream cipher (Salsa20), key exchange (DH) |
| 8 | Cryptography: Integrity* | hashing (SHA), authentication (HMAC, OCB, RSA), cryptosystems (TLS, PGP, OTR), password storage |
| | Cryptography | gpg, openssl, testssl, tokens (HMAC), offline dictionary attack (john), passwords (PBKDF2, passay) |
| 9 | Access Control | models (DAC, MAC, RBAC, ABAC), access control lists (ACL), capabilities, confused deputy, trojan horse |
| 10 | Microservice Security | decentralized access control, DAC (JWT, OAuth, proof of possession, OIDC), MAC (API gateway, OPA) |
| | Authorization | centralized: (ACL; setfacl, getfacl), decentralized: DAC (OAuth, OIDC, MFA), MAC (ABAC, OPA) |
| 11 | Trustworthy Software | language-based security, information-flow control (static analysis, runtime monitor), bases of trust |
| 12 | Human Factors* | developers (mistakes they make), end-users (enabling tasks, nudges), employees (insider defenses) |
| | Trustworthiness | bases of trust, information-flow control: static analysis, runtime monitor, dynamic policies (paragon) |

*: work in progress.

Numbered rows are lectures. Un-numbered rows are assignments and labs.
