Who should attend: System managers and software engineers who are developing client-server applications that will be used over the Internet.

A strong background in UNIX and UNIX programming is recommended. Many exam ples will refer to C programming constructs. Familiarity with C is not a prerequisite, but familiarity with programming under UNIX is strongly recommended for attendees.

What you will learn: How to write security-critical networking software.

Increasingly, client-server software is being deployed in hostile environments that it may not have been designed to withstand. You will learn how to spot and avoid making typical flaws in security programming, using examples and case studies from existing applications.

Topics include:

- Basics

• Taxonomies of software and system flaws
• The importance of security
• Putting security at the right layer
• Orange book (C2, B1, B2 systems)
• Authentication versus authorization

• How protocols are secure or insecure
• Designing a protocol for security
• Typical weaknesses of protocols

• Basics: public key, secret key, certificates
• Randomness
• Algorithms
• Synchronizing protocols
• What cryptography can and cannot do

• What to authenticate
• Challenge/response
• Authenticating packet streams
• Publicly-available authentication systems

• Chroot
• Setuid
• Minimizing code
• How to avoid doing everything as "root"

• A simple file transfer daemon
• Using file system permissions
• Locking up a process

Marcus J. Ranum is CEO of Network Flight Recorder, Inc. He is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and the TIS Internet Firewall Toolkit. Marcus has been managing UNIX systems and network security for over 13 years, including configuring and managing whitehouse.gov. He is a co-author of the Web Security Sourcebook.

Tutorials at-a-Glance     Tutorial Instructors