NordU2002 - The 4th NordU/USENIX Conference
February 18-22, 2002 in Helsinki, Finland

M1

 

Building Secure Software
Why the standard approach to security doesn't work

The instructor: Gary McGraw

Computer security takes on more importance as commerce becomes e-commerce and business embraces the Net. However, little progress has been made in the security field, especially when vendor technology is considered. Popular press coverage of computer security orbits around basic technology issues such as what firewalls are, when to use the DES encryption algorithm, which anti-virus product is best, or how the latest email-based attack works. The problem is, many security practitioners don't know what the problem is. It's the software! Internet-enabled software applications, especially custom applications, present the most common security risk encountered today, and are the target of choice for real hackers. This tutorial is all about software security risk and how to manage it. The trick is to begin early, know your threats (including language-based flaws and pitfalls), design for security, and subject your design to thorough objective risk analyses and testing. This tutorial covers material that software practitioners, including architects and languages researchers, can use to avoid security problems and produce more secure Internet-based code.

Prerequisites: Some software development experience, C and C++ a plus, basic security knowledge.

Basic outline

 

 

Gary McGraw, Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Risk Management. A noted authority on mobile code security, Dr. McGraw chaired the National Infosec Research Council's Malicious Code Infosec Science and Technology Study Group. In addition to consulting with major e-commerce vendors, including Visa, MasterCard, and the Federal Reserve, he has written over sixty peer-reviewed technical publications. Dr. McGraw also functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on the Boards of Counterpane, Finjan, NetCertainty, and Tovaris as well as advising the CS Department at UC Davis. Dr. McGraw is co-author of both Java Security (Wiley, 1996) and Securing Java (Wiley, 1999) with Prof. Ed Felten of Princeton, and Software Fault Injection (Wiley 1998) with Jeffrey Voas. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles.

 


2001-11-19