The course, taught in English in the first semester of the second year of the Master of Science in Computer Engineering, is one of the characterizing courses of the Cybersecurity track. It aims at presenting the main techniques for assessing the cyber security of IT systems, with particular emphasis on distributed systems. The students are expected to gain the knowledge of such techniques, as well as the ability to apply them by using some of the available tools for verification and testing.

- Knowledge of the general concepts, practice, and standards for security assessment - Knowledge of the main techniques for security verification - Knowledge of the main techniques for vulnerability assessment and penetration testing - Skill to apply the learned techniques with some of the commonly available tools.

Knowledge of procedural and object oriented programming languages, and corresponding programming skills. Basic knowledge of computer network architectures, TCP/IP, HTTP. Basic knowledge of web applications and web programming languages. It is assumed, also, that the students have taken the Information System Security course. The following learning outcomes coming from that course will be exploited: - Knowledge of the main categories of attack against IT systems. - Knowledge of the main concepts (encryption and digest) and technologies (PKI, firewall, VPN, TLS, S/MIME, e-documents) for IT security. - Knowledge of the security architectures for authentication and access control. - Ability to analyze the risks of a network application.

General concepts and practice for security assessment (1CFU) - Definition and classification of security assessment techniques (static vs dynamic, white box vs black box, vulnerability assessment, penetration testing, formal verification, ethical hacking, etc) - Security assessment and certification standards Security Verification (3CFU) - formal verification techniques and tools (dataflow and controlflow static code analysis, model checking, theorem proving) - formal verification of security protocols and security-aware applications - static code analysis for security verification and vulnerability assessment (taint analysis, symbolic and concolic execution) Vulnerability Assessment and Penetration Testing (VAPT) (2CFU) - information gathering and scanning techniques and tools with various scopes (host, net DB, service) - penetration testing techniques: attack techniques, exploit

The course is structured into lectures in classroom (4.5 credits), and laboratories (1.5 credits) consisting of exercises on the experimentation of the techniques and tools presented in the lectures. During the labs the students will discuss with the teachers on their solutions to the assigned exercises.

The teachers will provide the material (copy of slides and links to on-line resources) on the website of the course.

Modalitą di esame: Test informatizzato in laboratorio; Prova scritta (in aula); Prova orale facoltativa;

Exam: Computer lab-based test; Written test; Optional oral exam;

... The exam consists of verifying the expected knowledge and skills acquired by the student (see expected learning outcomes). The exam consists in a written test that may include open-answer and closed-answer questions aiming at checking that the student has acquired the expected knowledge and skills. For the part about skills, the questions may also be simple exercises or use cases related to the tools experimented in the laboratories. For each question, the maximum grade that can be obtained is specified. The final grade will be the sum of the grades assigned to the answers given to the questions. The written test will be taken by means of the Exams platform, in a laboratory. In case of technical problems, the students may be asked to write their test with pencil and paper. The total duration of the test, as measured by the exams platform, which includes the setup time, is 1 hour and 10 minutes. The test is closed-book, i.e. the student cannot consult any material during the test and cannot use any electronic device, with the exception of the Lab PC used for the test. An oral exam will be requested by the teachers only in case of doubts about the evaluation of the written test. The oral exam will consist of extra questions aiming at resolving the doubts the teachers had in the evaluation.

Gli studenti e le studentesse con disabilitą o con Disturbi Specifici di Apprendimento (DSA), oltre alla segnalazione tramite procedura informatizzata, sono invitati a comunicare anche direttamente al/la docente titolare dell'insegnamento, con un preavviso non inferiore ad una settimana dall'avvio della sessione d'esame, gli strumenti compensativi concordati con l'Unitą Special Needs, al fine di permettere al/la docente la declinazione pił idonea in riferimento alla specifica tipologia di esame.

Modalitą di esame: Prova orale facoltativa; Prova scritta tramite PC con l'utilizzo della piattaforma di ateneo;

The exam consists of verifying the expected knowledge and skills acquired by the student (see expected learning outcomes). The exam consists in a written test including open-answer or closed-answer questions aiming at checking that the student has acquired the expected knowledge and skills. The questions may also be simple exercises or use cases related to the tools experimented in the laboratories. The test is closed-book, i.e. the student cannot consult any material during the test and cannot use any electronic device, with the exception of the PC used for the online test. An oral exam will be requested only in case of doubts about the evaluation of the test.

Modalitą di esame: Prova scritta (in aula); Prova orale facoltativa; Prova scritta tramite PC con l'utilizzo della piattaforma di ateneo;

The students can choose to take the exam in one of the two forms: online and onsite. The onsite and online tests are the same (see previous exam mode)