Escuela de Verano Internacional

"Deploying applications in the cloud has become commonplace in the last few years. Organizations view cloud computing, namely Infrastructure as a Service (IaaS), as a way to achieve their objectives without in-house expertise, allowing them to reduce cost of ownership, increase scalability, increase availability, and focus on areas of core competence.

It is becoming more apparent, however, that this isn't always the case. Organizations that have blindly adopted such approaches have experienced performance issues, service outages, security issues, and in some cases have permanently lost proprietary data.This course provides the knowledge needed to fully understand the implications of particular design and deployment decisions in order to determine if a given solution is appropriate for the needs of an organization."

Sobre los profesores:

Len Bass

Carnegie Melon University, Pittsburgh, USA

Len Bass Len Bass is a faculty member at Carnegie-Mellon University. Len has written two award-winning books in software architecture as well as several other books and numerous papers in a wide variety of areas of computer science and software engineering. He has been a keynote speaker or a distinguished lecturer on six continents. He is currently working on techniques for the methodical design of software architectures, to understand how to support usability through software architecture, and to understand the relationship between software architecture and global software development practices. He has been involved in the development of numerous different production or research software systems ranging from operating systems to database management systems to automotive systems.

Matthew Bass

Carnegie Melon University, Pittsburgh, USA

Matthew Bass Matthew is a faculty member at Carnegie-Mellon University. Software architect and software engineer for past 15+ years. Matthew was the first external person to become authorized by Carnegie Mellon's Software Engineering Institute to deliver ""Software Architecture: Principles and Practices"". He is co-author of the ""Global Software Development Handbook"". Author and co-author of numerous peer-reviewed technical papers on software architecture and global software development."

 

In this course we focus on basic tools and guidelines for the development of  secure software. The course will cover two main types of software: Web  services and native applications. For these two categories, we will  briefly recall the most exploited vulnerabilities and we will  concentrate on  best-practices to avoid them, as well as on tools that help developers to  build security into their software. Learning goals: The students should become aware of common programming  mistakes and acquire tools to avoid them. They should learn best practices for  the most popular programming languages for web and binary development (PHP, JavaScript, Java, C/C++). Students will  acquire basic knowledge on secure  development tools and code-analysis including static and dynamic analysis  and rudiments of security assessments.

Pre-requisites: A programming course in C/C++, Java, rudiments of web-programming Description: Most of today's IT security problems are caused by software vulnerabilities. Security vulnerabilities are a type of faults/bugs in software that can be exploited by malicious users, such that software behaves in a way that was not originally intended by its developers. Although the most exploited  vulnerabilities like buffer-overflows and SQL-injections are well understood by people with security training, most developers do not have such training  and are not aware of what could go wrong in their code. 

Sobre el profesor:

Dr. Martín Ochoa

Technische Universität München, Munich, Alemania

Martin Ochoa studied Systems Engineering in San José, CR (Universidad Latina, B.Sc.) and Mathematics in Rome (La Sapienza, B.Sc.). He continued his math studies in Munich (LMU, M.Sc.) and Sophia-Antipolis (INRIA). Afterwards he completed a PhD in Computer Science (TU Dortmund) under the supervision of Jan Jürjens and Jorge Cúellar. Before joining the TUM, he has worked as a consultant in IT security for Siemens Corporate Technology in Munich. He is interested in applied formal methods for software security.

Bibliografía:

Intro: Motivation, principles of secure development

Web-app. security

• Intro to Web security, OWASP Top 10, browser security, mash-ups 
• PHP: XSS, CSRF, SQL Injections in PHP (and what to do about them)
• PHP: DoS, Information disclosure, Path traversal, OS injection (")
• Javascript security, browser security, HTML5 sec.
• Pen-testing for developers, source-code analysis tools

Native-app. security

• C/C++: String manipulation (common errors and best practices), Dynamic memory management
• C/C++: Integer security and formatted output , Concurrency and I/O 
• Java Security
• Vulnerability testing for C/C++, Static and dynamic analysis tools
• Reverse engineering C/C++ binaries on Linux
• Reverse engineering C/C++ binaries on Windows
• Obfuscation techniques

General and recap

• General: Using crypto the right way (crypto-libraries for C/C++ and PHP)
• Conclusions, recap.