Coursera - University of Maryland - Software Security
English | Size: 1.09 GB (1,168,251,657 Bytes)
Category: Misc Learning
This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.
Software is everywhere: in laptops and desktops, mobile phones, the power grid ... even our cars and thermostats. Software is increasingly the vehicle that drives our economy and our personal lives. But software's pervasiveness, and its importance, make it a target: at the root of many security compromises is vulnerable software.
In this course we will look at how to build software that is secure.
To start, we must know what we are up against. As such, we will examine the most prevalent software design and implementation defects.
We will examine vulnerabilities like buffer overruns and use-after-frees that are present in programs written in low-level programming languages like C and C++, and see how these vulnerabilities can be exploited by a clever attacker. We will also look attacks on applications that are part of the worldwide web -- attacks with names like SQL injection, cross-site scripting, and session hijacking. We will also mention side-channel attacks (such as those based on the size of messages or the time taken to process a request), attacks on the human user (like phishing), and failures of design (like the use of insecure defaults). Examples of these attacks will be taken from the headlines.
Having examined these defects and their role in security compromises, we will look at how to prevent them entirely, or mitigate their effects, by improving the software's design and implementation. We will see that security must appear at all phases in the development lifecycle, including requirements development, system design, implementation, and testing/validation.
Finally, we will look at state-of-the-art tools and techniques for testing and otherwise verifying that software is secure. We will consider how security testing differs from functional testing (it's harder!). We will look at the art of penetration testing, which is the activity of trying to find and exploit weaknesses in a system prior to its deployment. We will also look at an emerging class of program analysis tools that can automatically identify flaws in programs by analyzing their code.
At the conclusion of the course, the student will know how to "build security in" rather than consider it as an afterthought, and will have a plethora of skills, applicable at each phase of the development cycle, that can be used to strengthen the security of software systems.