Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

1.1. course introduction


Published on

  • Be the first to comment

  • Be the first to like this

1.1. course introduction

  1. 1. IntroductionJustin CapposDan GuidoCS9163: Application Security
  2. 2. About usProf. Justin Cappos● 2008 PhD University of Arizona● I build deployed secure systems○ Stork, Seattle, TUF, upPIR, etc.○ open source / participation■ Seattle has patches from ~100 devels!Prof. Dan Guido● Co-Founder & CEO, Trail of Bits○ Helps companies develop effective security strategies● Hacker-in-Residence, NYU Poly○ Helps maintain and grow security program at Poly
  3. 3. About this class● Philosophy: learn by doing○ hands-on (practical exercises)■ You will build applications■ You will find bugs in applications■ You will fix bugs in applications● Online / in-class interaction○ Content is identical for on-line and in-class version■ Videotaped lectures will be available online○ You may have project partners in other classes■ This mimics real world projects○ This class will heavily use the forum on Blackboard
  4. 4. About this class (cont.)● Lecture-inversion○ There will be videos to watch before most classes○ In class time (normally) used for projects■ Remote students can join in project classes■ Google+ hangout or Skype session (details tocome)○ Attendance is strongly recommended (but not required)■ I will treat you like an adult● Course textbook○ The Art of Software Security Assessment■ We will heavily use this book○ Outside materials○ Finish reading assignment before class
  5. 5. Academic Integrity● Tests, etc.○ Read the university guidelines● Assignments○ Collaboration is encouraged○ Specific policy in assignment■ Intro Project: on your own■ Main Project: very collaborative● Strongly dislike cheaters!○ I caught 6 last year.
  6. 6. Important Resources● Course Web Page on Blackboard○ Discussion forum○ Assignment information○ Reading schedule / materials● Instructor: Justin Cappos○ Office hours: 2 MetroTech 10.026, TBD○ Email:, Google / Skype: justincappos● Instructor: Dan Guido○ Office hours: ???○ Email: ???● TA: Ojas Gosar○ Office hours: RH 219, M 4-5, Th, 3-4○,Google / Skype: ojas.gosar● TA: Jeffrey Dileo○ Office hours: RH 219, TBD○, Google / Skype: jtdileo
  7. 7. What will I learn?●How to build secure applications●Windows exploits, secure code lifecycle,mobile app hacking, memory corruption,sandboxing, SQL injection attacks, codeauditing, security for enterprises, securityfor startups, application use of crypto, webapp security: XSS, XREF, etc., bugbounties, ...
  8. 8. Other Security Classes● Intro / Overlapping○ CS 392 / 6813: Intro security■ background○ CS 6823: Network security○ CS 6903: Modern Cryptography○ CS 9163: Application security■ Building secure applications (always with source)○ CS 6573: Penetration Testing and Vulnerability Analysis■ Exploiting flaws in applications (usually binaries)● Advanced Security seminars○ EL 9423: Special Topics in Computer Engineering: Introductionto Secure and Trusted Hardware (Spring 2010)○ CS 9413: Readings in Comp Sci: Secure Systems○ ...
  9. 9. Expectations● About your background○ Strong programming skills (C, Ruby, Python, Java)Youll need basic competency for the class to make sense!● Consistent workload○ Practical / exploration focused○ Background reading (see webpage)Be sure to keep up!
  10. 10. Grading● Midterm: 15%● Final: 25%● Projects: 50%○ Projects are very, very important!● In-Class Labs: 10%
  11. 11. Course OutlineSept 4 Intro / Development Practices (*) A1.1 asgnSept 11 Windows Internals (*)Sept 18 Memory Corruption A1.1 dueSept 25 Sandboxing A1.2 dueOct 2 Mobile App Sec A1.3 dueOct 9 Midterm Review A2.1 asgnOct 23 MidtermOct 30 Security for enterprise / startup (*) A2.X dueNov 6 Code Auditing 1 A2.X dueNov 13 Code Auditing 2 A2.X dueNov 20 Web appsNov 27 Practical cryptoDec 4 Project presentations A2.X dueDec 11 Final
  12. 12. Assignment outlineAssignment 1 (Intro): Build a simple application (a Turing-complete sandbox)● Look for flaws in other sandboxes● Fix minor code issues● Re-architect code● IndividualAssignment 2 (Main): Build a secure application● Substantial application (>1 thousand LOC)● Must have different trust domains● Mix of code types: SQL or Android or JavaScript...○ (More to come)● Group project with a changing group○ accept outside patches, bug reports, etc.
  13. 13. Assignment 1, part 1See blackboardDiscuss general questions on the forums
  14. 14. Reading Next WeekSee blackboard