News

⚠️ No Lecture on July 13 ⚠️

Written on 13.07.22 by Giancarlo Pellegrino

As per title and very sorry for that. See MatterMost for more details.

⚠️ No tutorial on May 17 ⚠️

Written on 16.05.22 by Giancarlo Pellegrino

As per title.

Talk by Stefano Calzavara from University of Venice on Web Security

Written on 16.05.22 by Giancarlo Pellegrino

Dear all,

I would like to invite you to join the talk of Stefano Calzavara, professor at University of Venice and WebSec researcher, who is visiting CISPA this week. The talk is on Thursday, May 19, 14:30, and you are invited to join and learn what our guest has to tell us about the Science of Web Security.

More details:

When: Thursday, May 19, 14:30

Where: Hybrid, i.e., CISPA Lecture Hall and Zoom (https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09)

Title: Towards Improving the Science of Web Security

Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.

Short biography: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.

Lecture format

Written on 11.04.22 (last change on 11.04.22) by Giancarlo Pellegrino

Dear students,

SWD and the SWD competition were designed and structured to be best experienced with in-person sessions, Q&As, tech support, and open discussions. However, due to the exceptional circumstances we still live in, the 2022 edition will be held in a hybrid format.

Both lectures and tutorials will be in the CISPA Main Lecture Hall (room 0.05). We will stream all sessions over Zoom, and you can join remotely by following the instructions here.

See you on Wednesday!

Kickoff Lecture on Wed, 13.04 at 14:15 (sharp), CISPA Main lecture hall (room 0.05)

Written on 08.04.22 (last change on 11.04.22) by Giancarlo Pellegrino

Dear students,

Welcome to SWD! The first lecture will be on Wednesday 13.04 at 14.15 in the CISPA main lecture hall (room 0.05). During the kickoff, we will review the content, structure, and timeline of this lecture, go into the details of the SWD competition, and leave ample room for Q&A.

Please note that, as opposed to UdS, CISPA mandates masks to be worn in our building at all times.

See you on Wednesday!

Secure Web Development

Lecture is full.
Overview

This lecture will teach you how to build secure web applications and perform security assessments, covering both theory and lots of hands-on practice. In addition, this lecture intends to cultivate a positive, ethical, and responsible mindset in vulnerability management, from hunting to reporting.

Theory

The theory part of this lecture will cover the following topics in detail:

  • Secure software engineering, security assessment, and security testing
  • Building blocks for secure modern web applications: web authentication, web authorization, handling inputs, application logic, and more.
  • Plenty of non-trivial vulnerabilities and exploitations

Practice: the SWD Competition

Throughout the lecture, you will apply these concepts in the SWD Competition. Participation is mandatory.

The SWD Competition is a BIBIFI competition centered on web application security and vulnerability discovery and reporting. The competition is divided into three phases: the build-it, the break-it, and the fix-it phases.

  1. Build-it Phase: During the build-it phase, teams will develop an entire web application following the docs and specs that we provide. Teams get scored based on the specs’ adherence.

  2. Break-it Phase: During the break-it phase, teams will search for vulnerabilities in each other's web applications. Teams will create working exploits and write high-quality vulnerability reports. Teams are scored based on the number of confirmed vulnerabilities.

  3. Fix-it Phase: During the fix-it phase, teams will address reports submitted by other teams by patching their code. Scoring is based on the number of fixed vulnerabilities.

Apart from testing students’ technical skills, the SWD Competition fosters a positive, ethical, and responsible culture about vulnerability management. Teams will be rewarded for creating high-quality vulnerability reports and interacting with one another respectfully when disclosing vulnerabilities.

For more details about rules, timeline, scoring, how-tos, and past editions, visit https://secwebdev.it.

Seats and Registration

Given our limited resources for this lecture, the maximum number of seats is 40. Admission is on a first-come, first-served basis. We strongly recommend that students have taken at least CySec1, CySec2, or Security.

Course Structure

Lectures:

  • 11x Lecture on Wednesdays 14:15-16:00  + 1x Guest Lecture
  • 1x Awards Ceremony + Exam Q&A

Practice:

  • The SWD Competition:
    • Teams of 4 students (max 10 projects)
    • 13 weeks of non-stop building, breaking, and fixing code
  • Tutorials:
    • 6x sessions on Tuesdays 12:00-14:00
      • 3x tutorials, one for each competition phase
      • 3x tutorials/tech support: content based on your technical/non-technical questions
  • Exercises
    • Non-graded exercise sheets + corrections (offline)

Important Dates

  • Registration: 14.03.2022 - 20.04.2022
  • Lecture on Wednesdays, 14:00-16:00
    • Kickoff: 13.04.2022 at 14:15 sharp
    • Location: CISPA, Main lecture hall (Room 0.05)
  • Exams:
    • Admission: competition participation + security assessment report
    • Exam: 26.07.2022 from 14.00 - 17.00 - GHH
    • Re-exam: 14.10.2022 from 09.00 - 12.00 - Lecture Hall 001 in E1 3
  • Grading: 100% written exam

Disclaimer

This is an advanced lecture about the security of modern web applications. It will thoroughly test your hands-on skills, asking you to write lots of code, read someone else's source code, find vulnerabilities, write working web exploits, and patch code. It is recommended to have taken at least CySec1, CySec2, or Security. If you are looking for easy 6 CPs, this lecture is not for you.
