252-0463-00L  Security Engineering

SemesterHerbstsemester 2020
DozierendeD. Basin, S. Krstic
Periodizitätjährlich wiederkehrende Veranstaltung
LehrspracheEnglisch



Lehrveranstaltungen

NummerTitelUmfangDozierende
252-0463-00 VSecurity Engineering2 Std.
Mi10:15-12:00CAB G 61 »
D. Basin, S. Krstic
252-0463-00 USecurity Engineering
Lab sessions every Friday in CAB H 52 from 10-12!
2 Std.
Mi16:15-18:00HG D 7.1 »
Fr10:15-12:00CAB H 52 »
D. Basin, S. Krstic
252-0463-00 ASecurity Engineering2 Std.D. Basin, S. Krstic

Katalogdaten

KurzbeschreibungSubject of the class are engineering techniques for developing secure systems. We examine concepts, methods and tools, applied within the different activities of the SW development process to improve security of the system. Topics: security requirements&risk analysis, system modeling&model-based development methods, implementation-level security, and evaluation criteria for secure systems
LernzielSecurity engineering is an evolving discipline that unifies two important areas: software engineering and security. Software Engineering addresses the development and application of methods for systematically developing, operating, and maintaining, complex, high-quality software.
Security, on the other hand, is concerned with assuring and verifying properties of a system that relate to confidentiality, integrity, and availability of data.

The goal of this class is to survey engineering techniques for developing secure systems. We will examine concepts, methods, and tools that can be applied within the different activities of the software development process, in order to improve the security of the resulting systems.

Topics covered include

* security requirements & risk analysis,
* system modeling and model-based development methods,
* implementation-level security, and
* evaluation criteria for the development of secure systems
InhaltSecurity engineering is an evolving discipline that unifies two important areas: software engineering and security. Software Engineering addresses the development and application of methods for systematically developing, operating, and maintaining, complex, high-quality software.
Security, on the other hand, is concerned with assuring and verifying properties of a system that relate to confidentiality, integrity, and availability of data.

The goal of this class is to survey engineering techniques for developing secure systems. We will examine concepts, methods, and tools that can be applied within the different activities of the software development process, in order to improve the security of the resulting systems.

Topics covered include

* security requirements & risk analysis,
* system modeling and model-based development methods,
* implementation-level security, and
* evaluation criteria for the development of secure systems

Modules taught:

1. Introduction
- Introduction of Infsec group and speakers
- Security meets SW engineering: an introduction
- The activities of SW engineering, and where security fits in
- Overview of this class
2. Requirements Engineering: Security Requirements and some Analysis
- overview: functional and non-functional requirements
- use cases, misuse cases, sequence diagrams
- safety and security
- FMEA, FTA, attack trees
3. Modeling in the design activities
- structure, behavior, and data flow
- class diagrams, statecharts
4. Model-driven security for access control (design)
- SecureUML as a language for access control
- Combining Design Modeling Languages with SecureUML
- Semantics, i.e., what does it all mean,
- Generation
- Examples and experience
5. Model-driven security (Part II)
- Continuation of above topics
6. Security patterns (design and implementation)
7. Implementation-level security
- Buffer overflows
- Input checking
- Injection attacks
8. Testing
- overview
- model-based testing
- testing security properties
9. Risk analysis and management 1 (project management)
- "risk": assets, threats, vulnerabilities, risk
- risk assessment: quantitative and qualitative
- safeguards
- generic risk analysis procedure
- The OCTAVE approach
10. Risk analysis: IT baseline protection
- Overview
- Example
11. Evaluation criteria
- CMMI
- systems security engineering CMM
- common criteria
12. Guest lecture
- TBA
Literatur- Ross Anderson: Security Engineering, Wiley, 2001.
- Matt Bishop: Computer Security, Pearson Education, 2003.
- Ian Sommerville: Software Engineering, 6th ed., Addison-Wesley, 2001.
- John Viega, Gary McGraw: Building Secure Software, Addison-Wesley, 2002.
- Further relevant books and journal/conference articles will be announced in the lecture.
Voraussetzungen / BesonderesPrerequisite: Class on Information Security

Leistungskontrolle

Information zur Leistungskontrolle (gültig bis die Lerneinheit neu gelesen wird)
Leistungskontrolle als Semesterkurs
ECTS Kreditpunkte7 KP
PrüfendeD. Basin, S. Krstic
FormSemesterendprüfung
PrüfungsspracheEnglisch
RepetitionEs wird ein Repetitionstermin in den ersten zwei Wochen des unmittelbar nachfolgenden Semesters angeboten.
Prüfungsmodusschriftlich 120 Minuten
Zusatzinformation zum Prüfungsmodus20% of your grade is determined by mandatory project work and 80% is determined by a written end-of-semester exam (120 min).
Not participating in the project work incurs grade 1 for the project work.
Hilfsmittel schriftlichKeine

Lernmaterialien

 
HauptlinkInformation
Es werden nur die öffentlichen Lernmaterialien aufgeführt.

Gruppen

Keine Informationen zu Gruppen vorhanden.

Einschränkungen

Keine zusätzlichen Belegungseinschränkungen vorhanden.

Angeboten in

StudiengangBereichTyp
CAS in InformatikFokusfächer und WahlfächerWInformation
Cyber Security MasterKernfächerWInformation
DAS in Cyber SecurityWahlfächerWInformation
Informatik MasterKernfächer der Vertiefung General StudiesWInformation
Informatik MasterKernfächerWInformation
Informatik MasterKernfächer der Vertiefung in Information SecurityWInformation
Informatik MasterErgänzung in Information SecurityWInformation