A short description of what we do with respect to security at HDM

Fundamentals

There is no understanding of security without a good grasp of cryptography. My colleague Roland Schmitz runs a security class which explains all the fundamental technologies and the mathematics behind them. He also covers security protocols for electronic commerce etc. After this class we expect students to have a clear understanding of the crypto fundamentals. Roland can be reached via the HDM contact page.

If you need to stock up on crypto, I found Bruce Schneier's book "Applied Cryptography" surprisingly easy to read, even for non-math people.

Applied Internet Security

Thanks to Jochen Bauer, CEO of Inside Security in Stuttgart, we are able to offer first-class hands-on training in security. Jochen Bauer and our assistant Christoph Alscher have built an excellent security lab with at most 12 seats, and Jochen Bauer covers most aspects of internet security in 4 hours per week over a whole term.

The (incomplete) list of topics comprises:

Sniffing and scanning
Virtual private networks (VPN)
Firewalls
Securing mail
Viruses and Trojans
Using SSL to protect systems
Web Server security
and so on

We are extending the class to cover mobile security.

Advanced Internet Security: Security as a System

My lecture Internet Security covers the system aspect of security. We start by developing a framework (policies, guidelines etc.) for security. After that we cover firewall technology in detail, because it is ideally suited to explain many different security problems within the internet: firewall types and architectures are discussed, then services (middleware etc.), and after that we move on to web application security.

We use portals like that of Deutsche Bahn AG to investigate online services and the security they need. We discuss the necessary security infrastructure (canonical architecture, load balancing, reverse proxies, user registries etc.) and then move on to secure software development. Here we look at typical web application problems (cross-site scripting etc.) and then cover security frameworks (JAAS, GSS-API, EJB).

A session on trusted computing bases covers operating-system security, sandboxes and, in general, ACL-based security. Another session on capabilities demonstrates advanced concepts of authority reduction. The term finishes with lectures on XML and web services security, moving from a channel-based security model (the transport channel, e.g. SSL, protects data only while it is in transit between two endpoints) to a message-based one (signatures and encryption are attached to the message itself, so the protection survives intermediaries and storage). SSL/SAML/single sign-on are covered as well.
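As an added illustration of what authority reduction with capabilities means in practice (an example written for this page, not code from the lecture or from the E language): an untrusted "plugin" is handed a read-only, revocable view of a single directory instead of the ambient authority to open any file, which is what the ACL model gives every piece of running code. The names DirectoryCap, ReadOnlyCap, Revocable and config.txt are made up for the example, and the file contents are constructed in a temporary directory. Python does not enforce encapsulation (a holder could still reach the private fields), so this shows the pattern rather than an enforced protection boundary; a capability language like E enforces it.

```python
"""Authority reduction with object capabilities: attenuation and revocation.

Added illustration, not code from the lecture.  In the ACL model every piece
of running code has ambient authority (it can call open() on any path and the
OS decides at access time).  In the capability model code can only touch what
it was handed a reference to, and the owner of a capability can hand out a
weaker one (attenuation) or cut it later (revocation).  Python does not
enforce encapsulation, so this shows the pattern, not a real TCB.
"""
import os
import shutil
import tempfile


class DirectoryCap:
    """Full read/write authority over exactly one directory root."""

    def __init__(self, root: str) -> None:
        self._root = os.path.realpath(root)

    def _resolve(self, name: str) -> str:
        # Confine every access to the root: '..' and absolute names are rejected.
        candidate = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, candidate]) != self._root:
            raise PermissionError(f"{name!r} escapes the capability's root")
        return candidate

    def read(self, name: str) -> bytes:
        with open(self._resolve(name), "rb") as f:
            return f.read()

    def write(self, name: str, data: bytes) -> None:
        with open(self._resolve(name), "wb") as f:
            f.write(data)


class ReadOnlyCap:
    """Attenuated capability: forwards read() and nothing else (no write() exists)."""

    def __init__(self, cap) -> None:
        self._cap = cap

    def read(self, name: str) -> bytes:
        return self._cap.read(name)


class Revocable:
    """Caretaker: forwards every call to the target until revoke() cuts the link."""

    def __init__(self, target) -> None:
        self._target = target

    def revoke(self) -> None:
        self._target = None

    def __getattr__(self, attr):
        target = self.__dict__.get("_target")
        if target is None:
            raise PermissionError("capability has been revoked")
        return getattr(target, attr)


def run_plugin_scenario() -> dict:
    """Hand an untrusted 'plugin' only a read-only, revocable view of a directory.

    Returns what the plugin could and could not do, so the outcome is checkable.
    """
    root = tempfile.mkdtemp()  # constructed sample directory
    try:
        owner = DirectoryCap(root)             # the owner's full authority
        owner.write("config.txt", b"secret=42")

        gate = Revocable(owner)                # owner keeps the revocation handle
        plugin_cap = ReadOnlyCap(gate)         # plugin gets read-only, through the gate

        outcome = {"read": plugin_cap.read("config.txt"),
                   "plugin_can_write": hasattr(plugin_cap, "write")}
        try:
            plugin_cap.read("../../etc/passwd")   # attempted escape from the root
            outcome["escape"] = "allowed"
        except PermissionError:
            outcome["escape"] = "denied"

        gate.revoke()                          # owner withdraws the plugin's authority
        try:
            plugin_cap.read("config.txt")
            outcome["after_revoke"] = "allowed"
        except PermissionError:
            outcome["after_revoke"] = "denied"

        outcome["owner_after_revoke"] = owner.read("config.txt")  # owner is unaffected
        return outcome
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_plugin_scenario().items():
        print(f"{key}: {value!r}")
```

The point of the scenario is that the plugin never sees a path, a file descriptor or a policy table: its whole authority is the object it was given, which is why the owner can shrink it (ReadOnlyCap) or cut it (Revocable) without touching any ACL.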

Talks on special aspects of security

Security and software quality are tightly related: many security problems really are general software quality problems. The talk shows trends, root causes and concepts for authority reduction. Usability is also touched on. See the BWCon talk on Security and Quality at eXept AG.

Jürgen Butz wrote an excellent thesis on mobile security, the associated risk analysis and mitigating factors. A small excerpt of his thesis can be found in his talk at the Security Day at HDM. The full thesis, with a complete risk analysis and coverage of almost every mobile device, can be found here. I can only recommend reading it in case you worry about the use of mobile applications and devices in your company.

Seminar: Selected security problems and architectures

Our students usually do exercises in software development, some of them tackling advanced security problems like capabilities, the capability language "E", single sign-on, the certificate delegation problems of grid computing, and going from descriptive security to real infrastructure: how to create a user registry and map it to application servers using JAAS, etc. Roland and I are planning a special seminar on those topics for the next term.

Note

Before I forget: if you have a security-related topic which you would like to present, don't hesitate to get in touch with me.

Security in distributed systems

Distributed systems have special security needs because central authorities are scarce and trust must be established differently. Two sessions in my lecture on distributed systems cover security from a business point of view (how to secure distributed e-business etc.) but also from an end-user point of view: how to protect our privacy (cookie tracking, central registries), how to establish reputation (eBay) and anonymity (onion routing), and how to avoid censorship. Recent developments in the USA and Europe after September 11 warrant a close look at privacy violations, a topic I'd like to investigate further in the future.