Secure Programming Techniques Project
- Code: MTAT.07.016 (3 EAP)
- Meetings: Fri 14:15-16:00 - video; (only on pre-announced weeks - see below)
- Lecturers: Aivo Toots, Maria Pibilota Murumaa, Janno Jaal, Rico-Andreas Lepp
- Communication & Questions: secprog at cyber dot ee
- Goal: find and fix a new security problem in real software.
- Grading: grading information is available in ÕIS
The first meeting will take place on 01.03.2024 14:15-16:00 on Zoom; the link will be provided.
Outline
- Ideas for projects
- Non-comprehensive list of source code scanners
- Find an open-source project for scanning
- Work projects are also acceptable if we are able to access the source code
- Do active tests only against your own instance of the application. Only try attacks against the systems where you have agreement for security testing.
- Find suitable tools for the first steps and use them
- Search for security holes manually
- Find another project if nothing has been found
- Get verification that the project and the bugs found are acceptable
- Document the bug
- Fix the bug
- Fix all bugs of the same kind if possible
- Test and document the fixes
- Send a patch upstream, rewriting it if asked, until the patch is merged
- Write a report and give a presentation
Timeline
- 01.03.2024 - First meeting, intro (Zoom link will be provided) (online meeting) [ Slides ]
- 08.03.2024 - Code auditing demo with scanners (online meeting) [ Slides, Recording ]
- 12.04.2024 - Security bug found and reported (deadline)
- 19.04.2024 - Midterm meeting (online meeting, deadline)
- 24.05.2024 - Final presentation (online meeting, deadline)
- 31.05.2024 - Final presentation vol2 (if needed)