The Secure Systems Engineering working group at Freie Universität Berlin works on protecting software-based systems against attacks.
Date: 22.6.2018 12:15 - 13:45
Modern IT systems can be exposed to a variety of security risks. Potential security weaknesses can be identified
by applying in-depth security evaluations to an IT system (e.g. embedded systems, mobile apps or
enterprise IT) and countered before an attacker can exploit them in the field and cause real
financial or even safety damage. That is when practical security testing comes into play. However, it has
to be noted that practical security testing techniques, especially fuzzing and penetration testing, cannot
give any assurance of completeness and may be applied "too late" in the SDLC (Software Development
Life Cycle). The biggest challenge of practical security testing is that, depending on the time and
resources used, it is possible to miss larger systematic flaws. This risk increases further if the testing
is done ad hoc by following "random" ideas. Therefore, it is important to conduct the security testing in
a systematic way and find a balanced approach that provides the best fit to the target and the current
This talk aims to give an overview of the above-mentioned approaches and makes them more
concrete by applying some of the explained methods to the field of mobile app security testing.
Mr. Carlos Perez Holguera is a security engineer employed at ESCRYPT with many years of hands-on
experience in the field of security testing for mobile apps and embedded systems such as automotive
electronic control units. ESCRYPT is a wholly owned subsidiary of ETAS GmbH and a member of the Bosch
Group, and offers highly secure IT security solutions for embedded systems, as well as consulting and
services for enterprise security and IT-secured manufacturing.
Date: 23.6.2018 13:00 - 14:00
Secure code review is a critical phase in a system development lifecycle. Inspecting source code in a security-focused setting, in close collaboration with the developers, can be highly effective at uncovering security vulnerabilities.
In this lecture we will go over a few examples of security vulnerabilities and how to spot them in code, as well as methodologies and guidelines for conducting a high-quality and thorough secure code review.
We will approach the task of reviewing code for security issues through the eyes of an attacker: we will attempt to break the code by any means necessary, looking for the same weaknesses attackers look for.