This document provides information about an application security class being taught by Professors Justin Cappos and Dan Guido. It introduces the professors and their backgrounds in secure systems and security strategies. The class philosophy emphasizes hands-on learning through practical exercises where students will build, evaluate, and fix applications. Students can participate either in-person or online, and projects may involve partners from other class sections. The document outlines the course topics, assignments, resources, expectations, and grading. The first assignment involves building and evaluating sandboxes, while the main assignment is a collaborative group project to build a secure application.
2. About us
Prof. Justin Cappos
● 2008 PhD University of Arizona
● I build deployed secure systems
○ Stork, Seattle, TUF, upPIR, etc.
○ open source / participation
■ Seattle has patches from ~100 developers!
Prof. Dan Guido
● Co-Founder & CEO, Trail of Bits
○ Helps companies develop effective security strategies
● Hacker-in-Residence, NYU Poly
○ Helps maintain and grow security program at Poly
3. About this class
● Philosophy: learn by doing
○ hands-on (practical exercises)
■ You will build applications
■ You will find bugs in applications
■ You will fix bugs in applications
● Online / in-class interaction
○ Content is identical for on-line and in-class version
■ Videotaped lectures will be available online
○ You may have project partners in other 'classes'
■ This mimics real world projects
○ This class will heavily use the forum on Blackboard
4. About this class (cont.)
● Lecture-inversion
○ There will be videos to watch before most classes
○ In class time (normally) used for projects
■ Remote students can join in project classes
■ Google+ hangout or Skype session (details to come)
○ Attendance is strongly recommended (but not required)
■ I will treat you like an adult
● Course textbook
○ The Art of Software Security Assessment
■ We will heavily use this book
○ Outside materials
○ Finish reading assignment before class
5. Academic Integrity
● Tests, etc.
○ Read the university guidelines
● Assignments
○ Collaboration is encouraged
○ Specific policy in assignment
■ Intro Project: on your own
■ Main Project: very collaborative
● Strongly dislike cheaters!
○ I caught 6 last year.
6. Important Resources
● Course Web Page on Blackboard
○ Discussion forum
○ Assignment information
○ Reading schedule / materials
● Instructor: Justin Cappos
○ Office hours: 2 MetroTech 10.026, TBD
○ Email: jcappos@poly.edu, Google / Skype: justincappos
● Instructor: Dan Guido
○ Office hours: ???
○ Email: ???
● TA: Ojas Gosar
○ Office hours: RH 219, M 4-5, Th, 3-4
○ Email: ogosar01@students.poly.edu, Google / Skype: ojas.gosar
● TA: Jeffrey Dileo
○ Office hours: RH 219, TBD
○ Email: jtd@isis.poly.edu, Google / Skype: jtdileo
7. What will I learn?
● How to build secure applications
● Windows exploits, secure code lifecycle, mobile app hacking, memory corruption, sandboxing, SQL injection attacks, code auditing, security for enterprises, security for startups, application use of crypto, web app security (XSS, XSRF, etc.), bug bounties, ...
8. Other Security Classes
● Intro / Overlapping
○ CS 392 / 6813: Intro security
■ background
○ CS 6823: Network security
○ CS 6903: Modern Cryptography
○ CS 9163: Application security
■ Building secure applications (always with source)
○ CS 6573: Penetration Testing and Vulnerability Analysis
■ Exploiting flaws in applications (usually binaries)
● Advanced Security seminars
○ EL 9423: Special Topics in Computer Engineering: Introduction to Secure and Trusted Hardware (Spring 2010)
○ CS 9413: Readings in Comp Sci: Secure Systems
○ ...
9. Expectations
● About your background
○ Strong programming skills (C, Ruby, Python, Java)
You'll need basic competency for the class to make sense!
● Consistent workload
○ Practical / exploration focused
○ Background reading (see webpage)
Be sure to keep up!
11. Course Outline
Date      Topic                                     Assignment
Sept 4    Intro / Development Practices (*)         A1.1 assigned
Sept 11   Windows Internals (*)
Sept 18   Memory Corruption                         A1.1 due
Sept 25   Sandboxing                                A1.2 due
Oct 2     Mobile App Sec                            A1.3 due
Oct 9     Midterm Review                            A2.1 assigned
Oct 23    Midterm
Oct 30    Security for enterprise / startup (*)     A2.X due
Nov 6     Code Auditing 1                           A2.X due
Nov 13    Code Auditing 2                           A2.X due
Nov 20    Web apps
Nov 27    Practical crypto
Dec 4     Project presentations                     A2.X due
Dec 11    Final
12. Assignment outline
Assignment 1 (Intro): Build a simple application (a Turing-complete sandbox)
● Look for flaws in other sandboxes
● Fix minor code issues
● Re-architect code
● Individual
Assignment 2 (Main): Build a secure application
● Substantial application (>1,000 lines of code)
● Must have different trust domains
● Mix of code types: SQL or Android or JavaScript...
○ (More to come)
● Group project with a changing group
○ accept outside patches, bug reports, etc.
13. Assignment 1, part 1
See blackboard
Discuss general questions on the forums