1 / 18

Building Security In: January 2009 Workshop

Building Security In: January 2009 Workshop. Harry Hochheiser Towson University Department of Computer and Information Sciences 410 704 3090 http://triton.towson.edu/~hhochhei/. Today's Goals. Review Project Discuss specifics: CS0, CS1, CS2, CIS0

emery
Télécharger la présentation

Building Security In: January 2009 Workshop

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Building Security In: January 2009 Workshop Harry Hochheiser Towson University Department of Computer and Information Sciences 410 704 3090 http://triton.towson.edu/~hhochhei/

  2. Today's Goals • Review Project • Discuss specifics: CS0, CS1, CS2, CIS0 • How to use materials, how to assess, etc.. • Plan, revise, brainstorm, etc...

  3. Project Goals and Motivations • Students need better background in computer security • Or, any background? • Can't just add required classes • “too little, too late” • Security track and classes limited in impact • Too few students • How to add security earlier without detracting from other material?

  4. Approach: Security Injections • Self-contained modules • Based on labs from traditional sciences • “Drop-in” to existing classes • Minmally-invasive: no class time necessary.

  5. Past and Future Work • Past: successful deployment in CS 0 and CS1 at Towson • Taylor & Azadegan, SIGCSE 2008 • Future: Expand • Depth: add numerous new classes • CS2, CIS0, Web, DB, networks. • Others? • Breadth: Deploy to • Anne Arundel, Baltimore County, Harford, Bowie State • Others?

  6. Process • Towson, Bowie State develop materials, pilot and train • Community colleges deploy and assist with assessment • TU and BSU assess and revise • MAISA recreates

  7. Current Status • Draft materials for CS0, CS1, CS2 available on Wiki • Integer Overflow, Buffer Overflow, Input Validation • Modules • Learning objectives (with mappings to assignments) • Sample Assessment exercises • CIS0 under development • phishing

  8. Timeline: Short term • January 2009 Training • Spring 2009 • CS0, CS1 deployed at TU, pilot at BSU, partners? • CS2 Pilot at TU • CIS0 Pilot @ BSU • Develop Materials for Database • Summer 2009 • Train BSU and partners on CS2 • Train TU,BSU on CIS0 and DB • Analyze Data

  9. Assessment • Success: • Lots of students learn more about security • Many institutions adopt our materials • How do we document pedagogical success? • Awareness and interest surveys • Faculty responses • Specific exercises on quizzes/exams for content.

  10. Security Injections: Contents • Background • Description • Risk – how can it happen? • Example of occurrence • Example in Code • How can I avoid? • lab/homework assignment • security checklist • discussion questions • security scorecard – use checklist to grade any code.

  11. Security Awareness Survey • “ What are the possible consequences of insufficient computer security?” • “Integer overflow occurs...” • Which programming mistake is one of the major vulnerabilities in today's applications” • “Which of the following should your well-designed program do before processing user input?” • 7 demographic questions • Nothing asking about previous exposure to security concerns in courses – should we add it? • Online – through studentvoice.com

  12. The Process • Start of semester – give awareness survey • Online, via link to be provided • Assign modules when appropriate – it's up to you • Use checklists as grading scorecards • Possibly retain some for our research • Assess student learning • Example exercises for quizzes/exams given in assessment docs • Repeat awareness survey at end of semester.

  13. Questions • What will it take to make this work well? • How can we get colleagues to adopt? • What project support is needed? • What institutional support is needed? • Are there issues specific to your context that we should know about?

  14. The wiki • http://triton.towson.edu/~cssecinj/dokuwiki • http://www.dokuwiki.org/manual • Demonstration...

  15. CS0, CS1, CS2 • Integer Overflow • Input Validation • Buffer Overflow • Other topics? • General introduction to vulnerabilities? • C++ and Java versions

  16. Objectives

  17. Example: Buffer Overflow for CS2 • Example in Code public class BufferOverflow { public static void main(String[] args) { int[] vals = new int[10]; for (int i = 0; i <20; i++) { vals[i] = i; } } } • Tips for avoiding: validate indices, don't allocate storage until needs are known, etc.. • Assignment: Write a procedure that will copy an arbitrary subrange of one array of integers into an other array.

  18. Thoughts, reactions? • Breakout into groups by topic or class • Discuss in details • What works, what doesn't • Download from wiki, revise • upload

More Related