Secure software design

Allikas: Lambda

MTAT.03.246 Secure software design

MTAT.03.247 Secure software design: Project work

Lectures: Fridays 16:15, J. Liivi 2 - 404

Contact: margus at cyber.ee

Sisukord

1 Lecture slides 2 Projects 2.1 Due dates 3 Exam 4 Mandatory (examinable) reading 5 Recommended reading

Lecture slides

• Introductory lecture
  • Multilevel security
  • Multilateral security
• Security analysis
• Human factors and security
• Authenticating people and computers (http://keeks.cyber.ee/~margus/04-authentication.pdf)
• Strategies for secure software development
• Internet voting in Estonia
• Strategies for secure software development; developing security protocols
• PKI and digital signatures
• PKI and digital signatures, part 2
• Case study: Estonian x-road
• Security of online games
• Economics of Software Security
• Development Process for Secure Software

Projects

Requirements for the project

Due dates

• May 27th -- project presentation (10-15 minutes)
• June 20th -- written report

Exam

The exam is a written exam. Use of written materials is allowed. The exam questions are based on lectures and mandatory reading material. The exam tries to measure knowledge about main principles/technologies/classes of attack and ability to apply these principles for specific examples.

Exam dates:

• May 30th 10:00, J. Liivi 2, room 122
• June 10th 10:00, J. Liivi 2, room 206

Mandatory (examinable) reading

• Ross Anderson, "Programming Satan's Computer" (http://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf)
• Ken Thompson, "Reflections on Trusting Trust" (http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
• Peter Gutmann, "Lessons Learned in Implementing and Deploying Crypto Software" (http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02.pdf)
• Ross Anderson, "The Eternity Service" (http://www.cl.cam.ac.uk/~rja14/Papers/eternity.pdf) -- a good example of security analysis of a system
• Chapter 10 from "Security Engineering" (http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf)
• Chapter 11 from "Security Engineering" (http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c11.pdf)
• K. Tsipenyuk, B. Chess, G. McGraw, Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.106.6376&rep=rep1&type=pdf)

Recommended reading

• Lifestyle Hackers (http://www.csoonline.com/article/506309/lifestyle-hackers)
• Alma Whitten, J.D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" (http://gaudior.net/alma/johnny.pdf)
• Kevin Mitnick, "The Art of Deception: Controlling the Human Element of Security"
• David Maurer, "The Big Con: The Story of the Confidence Man"
• Frank Stajano, Paul Wilson, "Understanding scam victims: seven principles for systems security" (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.html)
• Richards J. Heuer, Jr., "Psychology of Intelligence Analysis" (https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html)
• Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing Works" (http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf)
• Peter Gutmann, "Security Usability" (http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf)
• Peter Gutmann, "The Design of a Cryptographic Security Architecture" (http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix99.pdf)
• RFC 2119: Key words for use in RFCs to Indicate Requirement Levels (http://www.ietf.org/rfc/rfc2119.txt)
• Peter Gutmann, "X.509 Style Guide" (http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt)
• Ahto Buldas, Märt Saarepera. "Electronic Signature System with Small Number of Private Keys" (http://middleware.internet2.edu/pki03/presentations/08.pdf)
• Arne Ansper, "e-Riigist andmeturbe seisukohalt" (http://www.cyber.ee/cms-et/firmainfo/infomaterjalid/failid-1/arne-msc.pdf)
• Arne Ansper, Ahto Buldas, Margus Freudenthal, Jan Willemson "Scalable and Efficient PKI for Inter-Organizational Communication" (http://www.acsac.org/2003/papers/36.pdf)
• Fraud. The Unmanaged Risk, 8th Global Survey (http://www.your-call.com.au/information/documents/EY8thGlobalSurvey2003.pdf)
• Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf)
• Rick Wash, Folk Models of Home Computer Security (http://www.rickwash.com/papers/rwash-homesec-soups10-final.pdf)