The final grade combines the examination, which assesses the course outcomes, and the practical work, for which participation is compulsory.
The marks are weighted 60% for the examination and 40% for the assignments. However, a failing mark in the examination automatically results in failure of the course, regardless of the assignment mark.
In the first session, the exam is written. It consists of short questions covering the whole subject, plus a case study in which you carry out a risk analysis of the case and propose a complete, detailed action plan. This exercise is similar to the one worked through together in the chapter on risk analysis. The aim is to test your knowledge and skills as well as your reasoning.
In the second session, the exam is oral. It also includes a case study, plus one or more supplementary questions targeting a more specific point of the subject. Preparation time is allowed for working through the case to be analysed. The assignment mark is carried over automatically if it is above 10; otherwise, a specific question is added to the oral exam.
In general, what is expected of you at the end of the course is to be able to apply the tools and approaches covered in the course to a concrete situation. You should therefore expect to perform a summary risk analysis of a given case and to propose appropriate solutions, which may draw on any of the chapters of the course.
Detailed expectations chapter by chapter
- Methodology
  - Know the security criteria, the concepts and process of a risk analysis, the means of measuring the risk and its components, the risk treatment options, and the lines of defence (prevention, detection, recovery)
  - Be able to carry out a summary risk analysis and, based on it, propose a concrete, appropriate and realistic action plan. This action plan must be broken down according to the different lines of defence
  - Be able to produce a credible attack tree
- Cryptography
  - Know the different cryptographic primitives: encryption, hashing (digital fingerprints), digital signatures and digital certificates, the security objectives each one serves, the implementation constraints, etc.
  - Be able to combine them in a simple scenario
- Authentication
  - Know the different authentication methods, their strengths and weaknesses, and be able to justify the use of one or the other
  - Understand the different ways of managing digital identity data and identify their components and functions
- Authorisation
  - Know the different access control models, their strengths and weaknesses, and be able to justify the use of one or the other
  - Understand the value of a decentralised approach to authorisation and identify its components and function
- Infrastructure security
  - Be aware of the challenges of infrastructure security and the possible solutions
  - Be able to propose a gradual solution to a risk of unavailability, taking care to articulate the different lines of defence (prevention, detection, recovery) and the types of countermeasures (technical, organisational, legal)
- System security
  - Know the challenges of system software security and the possible solutions
  - Be able to propose a complete solution to these challenges, taking care to articulate the different lines of defence (prevention, detection, recovery) and the types of countermeasures (technical, organisational, legal)
- Software security
  - Know the different stages of the software development life cycle and the security measures applicable to each of them
  - Be able to extend a use case with the corresponding malicious behaviour and its mitigation, following the misuse case approach
  - Know the main types of software vulnerabilities and the remediation options
  - Be able to identify and describe in technical detail the software vulnerabilities that have been presented and the appropriate countermeasures