Secure software design

MTAT.03.246 Secure software design

MTAT.03.247 Secure software design: Project work

Lectures: Fridays 16:15, J. Liivi 2 - 404

Contact: margus at cyber.ee

Lecture slides

• Introductory lecture
  • Multilevel security
  • Multilateral security
• Security analysis
• Human factors and security
• Authenticating people and computers
• Strategies for secure software development
• Internet voting in Estonia
• Strategies for secure software development; developing security protocols
• PKI and digital signatures
• PKI and digital signatures, part 2
• Case study: Estonian x-road
• Security of online games
• Economics of Software Security
• Development Process for Secure Software

Projects

Requirements for the project

Due dates

• May 27th -- project presentation (10-15 minutes)
• June 20th -- written report

Exam

The exam is a written exam. Use of written materials is allowed. The exam questions are based on lectures and mandatory reading material. The exam tries to measure knowledge about main principles/technologies/classes of attack and ability to apply these principles for specific examples.

Exam dates:

• May 30th 10:00, J. Liivi 2, room 122
• June 10th 10:00, J. Liivi 2, room 206

Mandatory (examinable) reading

• Ross Anderson, "Programming Satan's Computer"
• Ken Thompson, "Reflections on Trusting Trust"
• Peter Gutmann, "Lessons Learned in Implementing and Deploying Crypto Software"
• Ross Anderson, "The Eternity Service" -- a good example of security analysis of a system
• Chapter 10 from "Security Engineering"
• Chapter 11 from "Security Engineering"
• K. Tsipenyuk, B. Chess, G. McGraw, Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Recommended reading

• Lifestyle Hackers
• Alma Whitten, J.D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0"
• Kevin Mitnick, "The Art of Deception: Controlling the Human Element of Security"
• David Maurer, "The Big Con: The Story of the Confidence Man"
• Frank Stajano, Paul Wilson, "Understanding scam victims: seven principles for systems security"
• Richards J. Heuer, Jr., "Psychology of Intelligence Analysis"
• Rachna Dhamija, Doug Tygar, Marti Hearst. "Why Phishing Works"
• Peter Gutmann, "Security Usability"
• Peter Gutmann, "The Design of a Cryptographic Security Architecture"
• RFC 2119: Key words for use in RFCs to Indicate Requirement Levels
• Peter Gutmann, "X.509 Style Guide"
• Ahto Buldas, Märt Saarepera. "Electronic Signature System with Small Number of Private Keys"
• Arne Ansper, "e-Riigist andmeturbe seisukohalt"
• Arne Ansper, Ahto Buldas, Margus Freudenthal, Jan Willemson "Scalable and Efficient PKI for Inter-Organizational Communication"
• Fraud. The Unmanaged Risk, 8th Global Survey
• Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users"
• Rick Wash, Folk Models of Home Computer Security