
GN3 project: security training for the developers


23.06.2010. PSNC Security Team took a key part in preparing a complex, two-day training on secure programming that was organized in Poznań for the participants of one of the largest European research projects: GN3. Poznań Supercomputing and Networking Center, as the operator of the Polish National Research and Education Network (PIONIER), is the only Polish research center participating in this project.

The training was prepared within the framework of GÉANT Security Expertise Delivery (SED), which is run under Task 4 of the SA2 activity (Multidomain Services - Security). The goal of the service is to ensure the provision of security expertise to GÉANT multi-domain service development activities. Peter Webster (DANTE) from the Project Office also contributed very significantly to organizing the training. The lectures were given by Milan Potocnik from Belgrade University Computing Center and by Tomasz Nowak and Gerard Frankowski from PSNC Security Team.

The training was attended by 20 participants and, additionally, several dozen online guests. A separate videoconference room was also prepared for PSNC developers.

The first day of the training started with a presentation describing the losses and threats resulting from software bugs. Then a general review of good security practices was given (e.g. proper authentication, avoiding information disclosure, suitable error handling routines, the impact of the application environment on its security). In the afternoon, lectures on Web Services security were scheduled, followed by, among others, a talk on PKI usage together with a short introduction to the eduGAIN identity management framework.

The second day of the training was devoted to particular types of security vulnerabilities. The following threats were covered: using dangerous functions, handling sensitive data, buffer overflows, resource and memory leaks, race conditions, NULL pointer dereferences, format string errors, overflows and off-by-one errors. With special regard to Java code, the talks covered exception handling, inefficient code patterns and inappropriate access to classes. The block devoted to Web applications covered, naturally, XSS and SQL Injection attacks, as well as Command Injection, Information Disclosure and Path Traversal vulnerabilities.

The last, shorter session consisted of several short presentations on automatic source code analysis with simple-to-use, free Java, C/C++ and PHP source code scanners. After a discussion on their usefulness for developers, several tools were presented. Although the training was conducted mostly as lectures, it finished with a short practical contest on source code analysis.

The training was intended for GN3 project participants but, because the prepared presentations will be useful for all developers, we have been allowed to share them. They are available as PDF files and are partially aggregated.

Day 1:



The involvement of PSNC Security Team members as training experts is surely a recognition of the importance of Poznań Supercomputing and Networking Center for security issues in European research projects. We are also glad to announce that very positive assessments have been collected from the training evaluation forms.
