Secure Product Lifecycle (WS 2024/25)

Course Number 705070 | Wintersemester 2024/25

Content

Developing a secure product in a secure way touches every aspect of IT Security. This starts with defining security requirements and ends with a secure decommissioning of the product. In this course we will provide an overview of all elements of a secure product life cycle and dive deeper in selected topics. In particular we will discuss • Secure development process • Security requirements management • Risk analysis and threat modelling • Security Architecture and System Design • Security Mechanisms design • Security Testing & Vulnerability Assessment • Security Evaluation & Certification • Secure Market Surveillance • Secure Guidance and Release • Secure Updates in the Field • EOL: Secure Decommissioning A secure product lifecycle is a key factor in designing, developing and maintaining a secure product. How can we make sure that nothing goes wrong during the development process? How can we make sure that the product stays secure once used in the field? Before we even begin with the development of a product, we must have a clear view on the security requirements to make sure that we address them accordingly during later phases. Once we know what we need to protect, we need to understand against what we must protect. Analyzing security risks and modelling threats is the basis for choosing the right security features and their implementations. Now that we have done our homework, we can start designing and implementing the product. How can we be sure that security requirements have been fulfilled, that threats have been addressed accordingly and that the implementation is bullet proof? By making sure that security testing and vulnerability assessment is an integral part of the lifecycle. Once the product is ready for release and we are sure that it is secure, how can we proof it to others? By asking someone else to evaluate our what we did. There are several international standards how to perform evaluations which lead to an official certificate that an independent third party is attesting your product is secure (to a certain level). How can customers and the certification body be sure that what is sold is the same what was tested. There is a need for surveilling the market. Finally, the product is ready and gets released and sold to thousands of customers. Have we methods in place to check whether what we build, what was tested, what was certified and what was released and sold is all the same? Do we provide to customers everything they need to install and use the device in a secure way, without requiring a PhD? Although, we considered all the above, there is nothing you can do to make a product 100% secure, but we can make sure that we address discovered issues and vulnerabilities quickly. We can make sure that updates are delivered in a secure way and that customers are aware of it. Sadly, nothing is used forever, not even secure products. There comes the time where its life ends. When this time comes, we need to make sure that it is properly decommissioned. Making sure all secrets are erased, all customer data is removed so that it can rest in peace… …and we can start developing a new product where a secure lifecycle is a key factor in…

Material

Here you can find the slide deck presented this semester. Exercise related Information:

Administrative Information

Previous Knowledge

Prerequisites Curriculum

See position in the curriculum

Objective

After successful completion of the course, the students will • understand the concept of a secure product life cycle • understand the concept of each aspect of a secure product life cycle • understand the importance of a secure product life cycle

Language

English

Teaching Method

How to get a grade

Registration

https://online.tugraz.at/tug_online/ee/rest/pages/slc.tm.cp/course-registration/531329

Lecture Dates

Date Begin End Location Event Type Comment
2024/11/27 12:15 13:45 HS i9 Abhaltung VO fix/
2024/12/02 13:00 14:00 HS i9 Abhaltung KU fix/
2024/12/04 12:15 13:45 HS i9 Abhaltung VO fix/
2024/12/04 12:15 13:45 HS i9 Abhaltung VO fix/
2024/12/09 13:00 14:00 HS i9 Abhaltung KU fix/
2024/12/11 12:15 13:45 HS i9 Abhaltung VO fix/
2024/12/16 13:00 14:00 HS i9 Abhaltung KU fix/
2025/01/08 12:15 13:45 HS i9 Abhaltung VO fix/
2025/01/15 12:15 13:45 HS i9 Abhaltung VO fix/
2025/01/22 12:00 16:00 Seminarraum Abhaltung KU fix/ABGABEGESPRÄCHE
2025/01/29 12:00 16:00 Seminarraum CGV Abhaltung KU fix/ABGABEGESPRÄCHE
2025/01/29 12:00 16:00 Seminarraum CGV Abhaltung KU fix/ABGABEGESPRÄCHE

Lecturers

Christoph Herbst
Christoph
Herbst

External-Lecturer

View more
Tomislav Nad
Tomislav
Nad

External-Lecturer

View more