| ||
 |
||
|
|
|
|
Home | |
|
Certificate Program | |
|
Course Descriptions | |
|
Schedule | |
|
Instructors | |
|
Printable Flyer | |
|
Registration & Pricing | |
|
FAQs | |
|
News & Publications | |
|
Related Offerings | |
|
Other Programs | |
|
Contact Us | |
|
||
CORE COURSES
ELECTIVES
- Computer Security Management – Recent Threats, Trends & the Law
- Emerging Threats and Defenses
- Securing Web Applications
- Web Security 2.0: AJAX, mashups, and social networking
CORE COURSES
Using Cryptography Correctly (core course)
Case Study:
Lab - 15 minutes discussion followed by 1 hour of computer work
2L-2: Authenticating users and objects Writing Secure Code (core course)
Case Study:
Lab - 15 minutes discussion followed by 1 hour of computer work
Security Protocols (core course) This course presents case studies of the design of various security protocols including SSL, WEP / WPA, IPSec, and Kerberos. We focus on discussing the pros and cons of various security trade-offs involved in the design of such protocols, and we describe vulnerabilities that some of these protocols are susceptible to due to design flaws. It is recommended that students take Using Cryptography Correctly as a prerequisite for this course, as a working knowledge of cryptographic primitives will be assumed.
Hands-on, 1/2 day lab: ELECTIVE COURSES
Computer Security Management – Recent Threats, Trends and the Law (elective course) Case Study:
Emerging Threats & Defenses (elective course) The first half of this course focuses on describing and providing a technical walk-through of several emerging threats including next-generation phishing, drive-by-pharming, online extortion, multi-application botnets, crimeware, mobile worms, and VoIP security. In the second half of the course, we focus on emerging defenses that are just on the horizon such as mechanisms included in Windows Vista. We discuss how some of these next generation defenses may mitigate growing threats, and where they fall short. This course is updated every year and may be repeated once every two years for additional credit towards the advanced certification.
Securing Web Applications (elective course) Web applications are vulnerable to many types of attacks to which traditional client-server applications are not as susceptible. These vulnerabilities, over the past several years, have resulted in attacks that have exposed companies to monetary losses and reputation damage. This course covers these vulnerabilities, how attacks are constructed based on them, and techniques that can be used to mitigate such vulnerabilities. Example web vulnerabilities covered in this course include client-state manipulation, cookie-based attacks, SQL injection, cross domain attacks (XSS / XSRF / XSSI), and HTTP header injection.
Case Study:
Hands-on, 1 day lab:
Web Security 2.0: AJAX, mashups, and social networking – New for July 2008!
Special Elective Course
Software Security Foundations Certificate (formerly Computer Security Foundations) (special elective course)
Computer Security Principals covers security objectives such as authentication, authorization, access control, confidentiality, data integrity, and non-repudiation. The module also covers software design principles including the principles of least privilege, fail-safe stance, and defense-in-depth.
Introduction to Cryptography covers both symmetric encryption and public-key cryptography, discussing how they are used to achieve security goals and build PKI (Public-Key Infrastructure) systems. The module also covers DES, 3DES, AES, RC4, RSA, ECC, MD5, SHA-1, X.509, digital signatures, and all cryptographic primitives necessary to understand PKI. Diffie-Hellman key exchange and man-in-the-middle attacks will also be discussed.
Secure Programming Techniques discusses the threats that worms and hackers present to software and the programming techniques that developers can use to defend against software vulnerabilities such as buffer overflows, SQL injection, and off-line dictionary attacks. The module also covers common mistakes made in using cryptographic libraries and how they can be avoided.
Cryptographic primitives are effective tools that can help achieve various security goals.
However, programs that use cryptography can often be fragile, and simple programming errors
can result in large security “holes.” Even worse, a company can come away with a false sense
of security if their applications use cryptography— due to simple programming errors in how the
cryptography is used, their applications could be just as or more vulnerable to attack, but the
company may think that it is secure due to the use of cryptography. This course covers how to
use cryptography correctly, and teaches programmers how to avoid many common mistakes that result in gaping security holes.
2L-1: Setting up secure sessions and using them properly.
Secure random bit generation
Topics covered: password management, and authenticating objects such as software updates.
Learn and experience intermediate and advanced techniques that systems and applications programmers
can use to write new code securely, as well as to find and mitigate vulnerabilities in existing code.
A company may have millions of lines of existing code, and tens of millions of dollars of investment in their business based on those lines of code. It is not reasonable to expect that the applications that those millions of lines of code support can be redesigned securely from scratch in a cost-effective fashion. In this course, in addition to covering threats to legacy code, we focus on discussing tools and techniques that can be used to secure large amounts of legacy code. Our case study will demonstrate how to use off-the-shelf tools to secure an existing, large enterprise application.
3L-1: Experiment with a buffer overflow attack.
Mounting attacks against code to concretely understand what code is up against when targeted by attackers.
* pre-requisite: Using Cryptography Correctly
* Conduct a man-in-the-middle (MitM) attack against SSL.
Computer science graduates are typically taught object-oriented design principles to focus on performance, correctness, scalability, and maintainability when building large systems. However, an additional set of design principles are required to achieve security. In this course, we discuss security design principles, and illustrate how to employ them through a running example of how to secure a web server. We also discuss new, emerging threats, and laws and regulations that require security measures in corporate and medical sector.
In this first course, the case study presents vulnerabilities in the implementation a small web server. We identify each of the vulnerabilities, and illustrate how to employ each of the security design principles we discuss to eliminate vulnerabilities in the server. We also discuss how the web might have been designed differently if security was 'baked-in' from the beginning.
We use a running example of a web-based, person-to-person payment service to illustrate the attacks discussed in this course, and we demonstrate how to fix the vulnerabilities upon which the attacks are based.
(Description Coming Soon!)
Meet the Instructor: A conversation with Dr. Neil Daswani.*
* Dr. Neil Daswani has moved to Google since this interview session took place.
