Students work to keep the digital world safe

Jae-Hwon, Jonathan, Vincent and Meghan work as a team assessing the security of an e-commerce system

If you are feeling confident about the security measures you are taking in the digital world, you might need to sit in on one of Prof. Beznosov’s lectures. In his Introduction to Computer Security class, students assess the security risks of software that members of the public use every day, and they find vulnerabilities, lots of them.

Each student team in the class developed a security assessment project. The subjects for these projects ranged from a popular new messaging app to a common anti-virus product or an e-commerce website. At a mini-conference, students in the course presented their findings to each other and to a panel of expert judges. Students and judges agreed that it is important for software engineers to learn about security no matter what they go on to do in their careers: security will be an issue in any system.

In this course students learn by doing original work on a problem of interest in computer security. Students are encouraged to choose a real security risk that is affecting individuals or companies. Each group chose a system that has the potential to affect many people’s online vulnerability and/or expose a company to potential loss of revenue or data.

Projects varied widely because the risks and potential solutions varied. In many cases the students focused on improving the social engineering aspects of the software. By changing the interface, engineers can change the way people use the software, with substantial security improvements.

Sukhi, Mohamed, Gursimran and Donald were interested in analyzing a new messaging app. “We chose our project based on its relevance to the public, the increase in the app’s popularity and its novelty. Not many professionals have had the opportunity to test it yet,” said the team of their security assessment of a new e-messaging app.

Crystal, Byron, Hardy and David said: “It is important to make people aware of how easily and cheaply hackers can access their system and access information through a third-party wireless device.”

Students grapple with important ethical questions for software engineers in this course. Like any field related to potential risk, there are a number of competing opinions about how to ethically share knowledge of a threat. The judges at the mini-conference, Alex Loffler, Dmitry Samosseiko, Devin Kinch and Luca Filipozzi, shared their advice with the students. Some professionals in the field would like to see any threat published immediately; immediate publication helps protect the public and compels companies to fix the situation quickly. Other professionals feel that a company should be given six months or two design cycles to fix the problem before the threat is published.

In the case of the threats found by this class, Prof. Beznosov will review the students’ work and notify the companies about the results. In one case students found a serious and easily accessible vulnerability in an e-commerce site. Companies may not relish the news of a security risk, but they will be receiving a service that is normally quite costly. In some cases the risks identified by the students could be very damaging, and the companies are likely to be very grateful for their reports.

Gautam, Emilio, Kevin and Shawn discovered a vulnerability in a widely used system at UBC. “It is closely related to many students at UBC; everyone would certainly like to have a more secure system to protect themselves from any potential fraud,” said the team.

The judges

Alex Loffler is a certified ethical hacker and penetration tester who has worked in the telco/security field for over 17 years. He holds an undergraduate degree in cognitive science and did post-graduate research in telecommunications and contextual computing. He has a keen interest in AI and machine learning and their applications in the security field.

Dmitry Samosseiko is the Director of Threat Research of SophosLabs Canada. Today, Dmitry leads a group of computer security researchers and system developers in Vancouver, focusing on malware, e-mail and web-based threats. Before getting into the anti-malware scene, Dmitry was responsible for Sophos’ anti-spam initiatives. He was one of the first developers of the Sophos PureMessage product and is credited with developing the first version of its anti-spam filter. Dmitry’s current interests are in developing new strategies for computer and network security, improving malware analysis automation, applying big data analytics to security data, and cloud-based reputation services. Dmitry is an industry expert on computer security and has spoken at numerous security forums and events.

Devin Kinch is a Senior Systems Engineer with Fortinet. Positioned on the front lines, where he designs network security solutions, implements proof-of-concept designs and supports product evaluations, Devin performs a critical role for Fortinet, aligning the customer’s business and technical requirements with meaningful solutions while sharing critical customer feedback with Fortinet’s OS and hardware development teams for continuous product improvement. Prior to Fortinet, Devin held senior network engineering positions with IBM and Bank of America, where he gained considerable experience designing and deploying enterprise-class network infrastructures. Devin carries a Cisco CCIE designation and is a highly experienced Cisco engineer.

Luca Filipozzi is an Enterprise Architect at the University of British Columbia. He received a BASc in Engineering Physics in 1995 and an MEng in Electrical Engineering in 2004, both from UBC. During his varied career, he has developed control systems for semi-autonomous submersibles and robotics, developed Linux device drivers, implemented haptic interfaces, authored card access control systems, and developed identity and access management strategies and solutions. When he is not moving bits for UBC, he is moving bits for Debian, where he is a member of the six-person Debian System Administration team.