PROGRAM

TOPICS and SPEAKERS

  • WEB APPLICATION SECURITY

  • Davide Balzarotti (Eurecom, France)

  • STATIC ANALYSIS - THE WORKHORSE OF A END-TO-END SECURITY TESTING STRATEGY

  • Achim Brucker (SAP SE, Karlsruhe, Germany)

  • APPSEC INDUSTRY DIRECTIONS: OPPORTUNITIES AND HURDLES. AN OVERVIEW OVER TIME AND SPACE FROM AN INSIGHT ANGLE

  • Stefano Di Paola (Application Security Consultant & Founder and CTO of MindedSecurity)

  • CYBER ATTACKS AND CYBER DEFENSES

  • Sandro Etalle (Technical University of Eindhoven, The Netherlands)

  • END-TO-END SECURE DEVELOPMENT IN PRACTICE

  • Cédric Hebert (SAP, Sophia Antipolis, France)

  • DATA PRIVACY IN THE 21st CENTURY

  • Günter Karjoth (Lucerne University of Applied Sciences)

  • STATIC PROGRAM ANALYSIS

  • Anders Møller (Aarhus University, Denmark)

Sessions will be organized for participants who intend to take advantage of the audience for presenting their current research/tool in the area.

SOCIAL EVENTS

  • Welcome aperitif on Monday, February 8th, after the lessons.

  • Social Dinner on Wednesday, February 10th, at 8.00 pm in the city center at the Forst restaurant.

SCHEDULE

A detailed description of the courses is below.

WEB APPLICATION SECURITY

The World Wide Web was initially proposed in 1990 by Tim Berners-Lee and Robert Cailliau as a distributed "web" of interconnected hypertext documents. In a few years, this initially simple idea evolved far beyond imagination. In particular, the majority of web sites are nowadays complex distributed applications, with part of their code running on the server side (to dynamically construct the page content, typically based on information stored in a backend database) and part running in the user's browser (to implement the user interface and fetch content on demand from the server). As a result, according to HttpArchive, today almost 50% of web pages require more than 30 separate connections to fetch all the required elements.

This complex architecture is advertised as a platform for the masses -- that even people with little to no experience in software design can use to quickly develop new web sites and applications with advanced and customizable user interfaces. The result was a large number of web sites created by web designers, experts in customizing the visual look-and-feel of an application, but often unaware of the complexity and risks of the technology they were using.

In this lecture we will study the security of web applications, starting from the point of view of the attackers (how they locate their targets, how they run the attacks, and what they are after) and moving then to the analysis of server-side code - discussing both known and less known classes of vulnerabilities.

STATIC ANALYSIS - THE WORKHORSE OF A END-TO-END SECURITY TESTING STRATEGY

Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."

Learning from traditional testing that fixing bugs is more costly the later it is done in development, security testing should be integrated, as early as possible, into the daily development activities. The fact that static analysis can be deployed as soon as the first line of code is written makes static analysis the right workhorse to start security testing activities.

In this lecture, I will present a risk-based security testing strategy that is used at a large European software vendor. While this security testing strategy combines static and dynamic security testing techniques, I will focus on static analysis. This lecture provides an introduction to the foundations of static analysis as well as insights into the challenges and solutions of rolling out static analysis to more than 20000 developers, distributed across the whole world.

APPSEC INDUSTRY DIRECTIONS: OPPORTUNITIES AND HURDLES. AN OVERVIEW OVER TIME AND SPACE FROM AN INSIGHT ANGLE

The talk will bring some insight about how the appsec industry works, going through some of the personal experiences acquired during the work as CTO of Minded Security, side by side with large enterprises, big and medium companies, dealing with problems and challenges.

CYBER ATTACKS AND CYBER DEFENSES

Computer-based attacks have become a standard weapon in the arsenal of criminals, but also of business organizations and government agencies. In this course we are first going to illustrate how cyber attacks work. Then, we are going to discuss the technologies for defending against them. The focus will be on network-based monitoring.

END-TO-END SECURE DEVELOPMENT IN PRACTICE

In this course, we shall visit the concepts of the secure development life-cycle and how they can be applied in practice. We shall apply threat modeling, code scanning and penetration testing on a realistic application example, as well as address real-life concerns of architects and developers in applying security when working under heavy workload and short deadlines.

DATA PRIVACY IN THE 21st CENTURY

Nowadays online interactions permeate almost every layer of our society, changing the way that people communicate, buy, sell, and search. The amount of personal data collected from sensors, intelligent devices, and powerful software applications is growing exponentially. In daily life we leave digital traces that are stored and analyzed at both individual and population levels. Businesses use the data to improve products and services, governments for policy-making and national security, and scientists to advance the frontiers of human knowledge. However, the explosion of interest in big data has also brought concerns about data security and privacy (back) into the spotlight of public attention. Whereas 20 years ago people were mainly concerned about the use of cookies to track their Web browsing behavior, today there is a plethora of different techniques to track people. Privacy laws still originate from the last century and a major overhaul is not yet completed.

After a brief introduction to the concepts of privacy, we will cover some laws and regulations that (should) limit the collection and use of personal data. Next we focus on Web tracking and first privacy-enhancing techniques (PETs). Then we will evaluate approaches such as the privacy impact analysis (PIA) and the privacy by design (PbD). We will continue to recent advances in tracking technology implemented in mobile phones, wearables, and cameras. Finally, we will look at personal data increasingly published as micro data, which contains a set of attributes relating to individuals within a population. However, the data should only be disclosed when the confidentiality of the information collected about the individuals is preserved. Anonymization techniques based on aggregation and suppression are of special interest as they do not falsify the data and keep the utility of the anonymized data high.

STATIC PROGRAM ANALYSIS

Static program analysis is the art of reasoning about the behavior of computer programs without actually running them. This is useful not only in optimizing compilers for producing efficient code but also for automatic error detection and other tools that can help programmers.

This lecture will present essential principles and algorithms for static program analysis. We take a constraint-based approach where suitable constraint systems conceptually divide analysis into a front-end that generates constraints from program code and a back-end that solves the constraints to produce the analysis results. The lecture will be accompanied by theoretical exercises and by practical exercises based on a Scala implementation of the algorithms. The participants are assumed to be familiar with advanced programming language concepts and the basics of compiler construction.

The last part of the lecture will present an overview of recent results towards obtaining sound and effective static analysis techniques for JavaScript web applications. JavaScript supports a powerful mix of object-oriented and functional programming, which provides flexibility for the programmers but also causes complications for static analysis. Among the challenges is how to handle the dynamic language features, such as 'eval', and the complex programming patterns that are found in widely used libraries, such as jQuery, without losing critical precision.