Advanced Technology Group

• Home
• Lecturers
• Consultancy
• Contact

Seminars in 2012

 

Information Security
and Cryptography

 

Building Secure
Software Systems

 

Wireless and Mobile
Network Security

 

Applied Information Security, Hands-on!

 

Venue

 

Seminar Enrollment

 

Seminar 2

Building Secure Software Systems

Thursday, June 14 (09:00h) – Friday, June 15, 2012 (17:00h)
Lecturers: David Basin and Torsten Lodderstedt

 

This seminar presents sound methods that can be used to build and evaluate security-critical software systems. The focus is on the interplay between two areas: Software Engineering and Information Security. The role of security in all phases of the software-development process is examined, including requirements analysis, risk analysis, design, implementation, and testing, as well as verification and certification. In each phase, relevant concepts, methods, and tools are covered. The material is presented in a self-contained way. However, a basic knowledge of both Information Security (e.g., from Seminar 1) and Software Engineering are assumed.

 

Introduction

• Overview of Security Engineering and its Principle Challenges
• Software Engineering Activities and Where Security Fits In

 

Modeling Foundations

• Role of Models in System Development
• Unified Modeling Language (UML)
• Modeling in Requirements Engineering
• Modeling in Security Design and Risk Analysis

 

Requirements Engineering for Security-critical Systems

• Functional and Non-functional Requirements
• Safety and Security
• Use and Misuse Cases
• Authorization Policies based on Use Case Models
• Information Security Policies based on Domain Models
• Documenting Requirements

 

Threat Modeling and Risk Analysis

• Systematic Threat Analysis using Data Pathways
• UML-based Attack Trees
• Threat and Standard Vulnerabilities Catalogs
• Ingredients of Risk Analysis: Assets, Threats, and Vulnerabilities
• Quantitative and Qualitative Approaches

 

Security in the Design Process

• General Security Design Options
• Pattern Catalogs and Standard Counter-measures
• Modeling and Automatically Generating Security Infrastructures
• Security Design as an Iterative Process with Risk Re-evaluation

 

Implementation-level Security

• Security Design Patterns for Vulnerabilities
• Typical Vulnerabilities and their Countermeasures: Buffer Overflows, Format String Attacks, Injection Attacks, Cross Site Scripting Timing Vulnerabilities, Session Handling Problems

 

Testing

• Objectives and Limitations of Testing
• Model-based Testing
• Code-based Testing
• Vulnerability Testing and other Security-specific Testing Methods

 

Evaluation Criteria

• Role of Standards in Evaluation
• NIST, Common Criteria, and ISO/IEC 27000-Series
• IT Baseline Protection

 

 

Download PDFs here:

• Course description
• Seminar enrollment

 

Here you will find more information about the venue.

 

Seminar's format

The seminar takes place at the Courtyard Zurich North and begins on Thursday at 9 AM. The sessions are interactive, with the possibility to decide, on demand, which topics should be treated in more depth. There are coffee breaks in the morning and afternoon. The lecturers will also be available for discussions on all related topics. The lectures and all course material are in English.

 

The seminar is in collaboration with the Department of Computer Science, ETH Zurich

 

Advanced Technology Group GmbH © 2011