
About this course

Learning Outcomes

This mini-course gives an overview of the concepts of confidentiality, integrity, and authentication, along with a short introduction to cryptography (both symmetric and asymmetric), hashing, and encoding. Those concepts will then be applied to protect the data (at rest and in transit) of an ad-hoc web application. Finally, we will study and implement state-of-the-art password policies.

Agenda

  1. An introduction to Cybersecurity [theory]
    • #whoami
    • weaknesses (CWE), vulnerabilities (CVE), and attacks
    • CIA-triad and authentication
    • information security, at rest and in transit
    • challenge C1: authentication and trust
  2. Secure Design 1 [lab]
    • challenge C2: which property (confidentiality, integrity, authentication) and requirement shall hold in which part of your app?
    • focus first on user registration and login
    • testing/showing the obvious insecurities
  3. Security Procedures [theory]
    • ~Steganography and~ Encoding
    • Cryptographic Hash Functions
    • challenge C3: how do we use hash functions?
    • Symmetric and Asymmetric Encryption (and Signing)
  4. Secure Design 2 [lab]
    • challenge C4: propose techniques to preserve security properties
  5. Security Algorithms [theory]
    • openssl_encrypt
    • openssl_public_encrypt (RSA)
  6. Secure Coding [lab]
    • challenge C5: implement security requirements
  7. Security Testing [theory]
    • is there a flaw in the logic of your authentication process?
      • CIA of information at rest (db)
      • CIA of information in transit (client <-> server)
    • is there a flaw in the implementation (code review)?
      • hashing passwords without salting?
      • is there a known vulnerability in the algorithm you chose? (cve.mitre.org)
      • no password policies?
      • crack password hashes with lookup tables and brute force after a db leak (e.g. John the Ripper)
      • best practices (see Resources)
  8. Security Mitigations [theory]
    • salting, peppering, and password policies
  9. After-school
    • use an external identity service provider (Google/Facebook)
    • use strong authentication (2FA, Telegram bot)
    • Availability & Denial of Service
    • implement an “I’m not a bot” check
    • accountability & OCSP (Online Certificate Status Protocol)

Resources