About us
Prof. Justin Cappos
● 2008 PhD University of Arizona
● I build deployed secure systems
  ○ Stork, Seattle, TUF, upPIR, etc.
  ○ open source / participation
    ■ Seattle has patches from ~100 devels!
Prof. Dan Guido
● Co-Founder & CEO, Trail of Bits
  ○ Helps companies develop effective security strategies
● Hacker-in-Residence, NYU Poly
  ○ Helps maintain and grow security program at Poly
About this class
● Philosophy: learn by doing
  ○ hands-on (practical exercises)
    ■ You will build applications
    ■ You will find bugs in applications
    ■ You will fix bugs in applications
● Online / in-class interaction
  ○ Content is identical for on-line and in-class version
    ■ Videotaped lectures will be available online
  ○ You may have project partners in other classes
    ■ This mimics real world projects
  ○ This class will heavily use the forum on Blackboard
About this class (cont.)
● Lecture-inversion
  ○ There will be videos to watch before most classes
  ○ In-class time (normally) used for projects
    ■ Remote students can join in project classes
    ■ Google+ hangout or Skype session (details to come)
  ○ Attendance is strongly recommended (but not required)
    ■ I will treat you like an adult
● Course textbook
  ○ The Art of Software Security Assessment
    ■ We will heavily use this book
  ○ Outside materials
  ○ Finish reading assignment before class
Academic Integrity
● Tests, etc.
  ○ Read the university guidelines
● Assignments
  ○ Collaboration is encouraged
  ○ Specific policy in assignment
    ■ Intro Project: on your own
    ■ Main Project: very collaborative
● Strongly dislike cheaters!
  ○ I caught 6 last year.
Important Resources
● Course Web Page on Blackboard
  ○ Discussion forum
  ○ Assignment information
  ○ Reading schedule / materials
● Instructor: Justin Cappos
  ○ Office hours: 2 MetroTech 10.026, TBD
  ○ Email: firstname.lastname@example.org, Google / Skype: justincappos
● Instructor: Dan Guido
  ○ Office hours: ???
  ○ Email: ???
● TA: Ojas Gosar
  ○ Office hours: RH 219, M 4-5, Th 3-4
  ○ Email: email@example.com, Google / Skype: ojas.gosar
● TA: Jeffrey Dileo
  ○ Office hours: RH 219, TBD
  ○ Email: firstname.lastname@example.org, Google / Skype: jtdileo
What will I learn?
● How to build secure applications
● Windows exploits, secure code lifecycle, mobile app hacking, memory corruption, sandboxing, SQL injection attacks, code auditing, security for enterprises, security for startups, application use of crypto, web app security: XSS, XREF, etc., bug bounties, ...
Other Security Classes
● Intro / Overlapping
  ○ CS 392 / 6813: Intro security
    ■ background
  ○ CS 6823: Network security
  ○ CS 6903: Modern Cryptography
  ○ CS 9163: Application security
    ■ Building secure applications (always with source)
  ○ CS 6573: Penetration Testing and Vulnerability Analysis
    ■ Exploiting flaws in applications (usually binaries)
● Advanced Security seminars
  ○ EL 9423: Special Topics in Computer Engineering: Introduction to Secure and Trusted Hardware (Spring 2010)
  ○ CS 9413: Readings in Comp Sci: Secure Systems
  ○ ...
Expectations
● About your background
  ○ Strong programming skills (C, Ruby, Python, Java)
    You'll need basic competency for the class to make sense!
● Consistent workload
  ○ Practical / exploration focused
  ○ Background reading (see webpage)
    Be sure to keep up!
Grading
● Midterm: 15%
● Final: 25%
● Projects: 50%
  ○ Projects are very, very important!
● In-Class Labs: 10%
Assignment 1, part 1
See Blackboard
Discuss general questions on the forums