Applied Security Laboratory

Overview

Organizers: Prof. Dr. David Basin, Dr. Christoph Sprenger, and Dr. Dennis Jackson. This is an application course.

Lab hours: Thursday, 10-13, LEE D 101 and Zoom

Credits: 8 ECTS

Language: English

Announcements

• Starting Oct 29, we the Applied Security Lab will be held on Zoom only (see link on course material page).
  
• The introductory lecture takes place on Thu Sep 17, 2020, ​10-11, LEE D 101. It will also be transmitted via Zoom and recorded. The number of places in the room is limited. We will send an email with more details.
  

Description

This course emphasizes applied aspects of Information Security and consists of two parts.

Independent study

In this part, the students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectivity and impact of security measures. This part is based on a book and virtual machines that include example applications, questions, and answers. Each student will prepare a lab journal documenting their work with the book. 

Project work

In the second part, the students will also perform a team project: based on a set of functional and security requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another team's system. All project work will be performed in teams and must be properly documented in project reports. At the end of the semester, the teams summarize their work in a short presentation.

Topics covered

The Applied Security Laboratory covers four major topics:

• Operating system security (hardening, vulnerability scanning, access control, logging);
• Application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security);
• Risk analysis and risk management;
• Computer Forensics.

Grading

The individual lab journal will contribute 20% and the project reports and presentation 80% towards the overall grade.

Schedule

• Mandatory introduction lecture: Thursday, Sep 17, 10-11, LEE D 101. There will be no other lectures during the semester.
• Assisted lab hours: Thursdays, 10–13.
• The introduction lecture and the assisted lab hours are also accessible via Zoom (see link on protected pagecourse material pagelock)
  

Individual work

• Dec 17, 10:00: each student hands in an individual lab journal documenting each student’s work with the book

Project schedule

• Sep 24: Register project groups (e-​mail).
• Oct 19, 12:00: Hand in system description and risk analysis overview / concept (e-​mail), not expected to be complete.
• Oct 23: Feedback to your overview / concept.
• Nov 26: Hand in final system description and risk analysis, max 30 pages (e-​mail); also hand in your VMs and exchange report and VMs with other group for reviewing (see course material page), please come to the lab for this (only 1-2 group members).
• Dec 17, 10:00: Hand in final system reviews, max 18 pages (e-​mail); presentation of main results (room TBA, 10-​13).

Requirements

• The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL because several examples are implemented in these languages;
• Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits as compensation for their effort;
• All participants must agree and sign the lab's charter and usage policy during the introduction lecture.