As per title and very sorry for that. See MatterMost for more details.
As per title.
I would like to invite you to join the talk of Stefano Calzavara, professor at University of Venice and WebSec researcher, who is visiting CISPA this week. The talk is on Thursday, May 19, 14:30, and you are invited to join and learn what our guest has to tell us about the Science of Web Security.
When: Thursday, May 19, 14:30
Where: Hybrid, i.e., CISPA Lecture Hall and Zoom (https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09)
Title: Towards Improving the Science of Web Security
Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.
Short biography: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.
SWD and the SWD competition were designed and structured to be best experienced with in-person sessions, Q&As, tech support, and open discussions. However, due to the exceptional circumstances we still live in, the 2022 edition will be held in a hybrid format.
Both lectures and tutorials will be in the CISPA Main Lecture Hall (room 0.05). We will stream all sessions over Zoom, and you can join remotely by following the instructions here.
See you on Wednesday!
Welcome to SWD! The first lecture will be on Wednesday 13.04 at 14.15 in the CISPA main lecture hall (room 0.05). During the kickoff, we will review the content, structure, and timeline of this lecture, go into the details of the SWD competition, and leave ample room for Q&A.
Please note that, as opposed to UdS, CISPA mandates masks to be worn in our building at all times.
See you on Wednesday!
Secure Web Development
Lecture is full.
This lecture will teach you how to build secure web applications and perform security assessments, covering both theory and lots of hands-on practice. In addition, this lecture intends to cultivate a positive, ethical, and responsible mindset in vulnerability management, from hunting to reporting.
The theory part of this lecture will cover the following topics in detail:
- Secure software engineering, security assessment, and security testing
- Building blocks for secure modern web applications: web authentication, web authorization, handling inputs, application logic, and more.
- Plenty of non-trivial vulnerabilities and exploitations
Practice: the SWD Competition
Throughout the lecture, you will apply these concepts in the SWD Competition. Participation is mandatory.
The SWD Competition is a BIBIFI competition centered on web application security and vulnerability discovery and reporting. The competition is divided into three phases: the build-it, the break-it, and the fix-it phases.
Build-it Phase: During the build-it phase, teams will develop an entire web application following the docs and specs that we provide. Teams are scored based on their adherence to the specs.
Break-it Phase: During the break-it phase, teams will search for vulnerabilities in each other's web applications. Teams will create working exploits and write high-quality vulnerability reports. Teams are scored based on the number of confirmed vulnerabilities.
Fix-it Phase: During the fix-it phase, teams will address reports submitted by other teams by patching their code. Scoring is based on the number of fixed vulnerabilities.
Apart from testing students’ technical skills, the SWD Competition fosters a positive, ethical, and responsible culture about vulnerability management. Teams will be rewarded for creating high-quality vulnerability reports and interacting with one another respectfully when disclosing vulnerabilities.
For more details about rules, timeline, scoring, how-tos, and past editions, visit https://secwebdev.it.
Seats and Registration
Given our limited resources for this lecture, the maximum number of seats is 40. Admission is on a first-come, first-served basis. We strongly recommend that students have taken at least CySec1, CySec2 or Security.
- 11x Lecture on Wednesdays 14:15-16:00 + 1x Guest Lecture
- 1x Awards Ceremony + Exam Q&A
- The SWD Competition:
  - Teams of 4 students (max 10 projects)
  - 13 weeks of non-stop building, breaking, and fixing code
  - 6x sessions on Tuesdays 12:00-14:00:
    - 3x tutorials, one for each competition phase
    - 3x tutorials/tech support: content based on your technical/non-technical questions
- Non-graded exercise sheets + corrections (offline)
Registration: 14.03.2022 - 20.04.2022
- Lecture on Wednesdays, 14:00-16:00
- Kickoff: 13.04.2022 at 14:15 sharp
- Location: CISPA, Main lecture hall (Room 0.05)
- Admission: competition participation + security assessment report
- Exam: 26.07.2022 from 14.00 - 17.00 - GHH
- Re-exam: 14.10.2022 from 09.00 - 12.00 - Lecture Hall 001 in E1 3
- Grading: 100% written exam
This is an advanced lecture about the security of modern web applications. This lecture will thoroughly test your hands-on skills, asking you to write lots of code, read someone else's source code, find vulnerabilities, write working web exploits, and patch code. It is recommended to have taken at least CySec1, CySec2 or Security. If you are looking for easy 6 CPs, this lecture is not for you.