IT-Security

• Technical basics of identity management, conceptual differences between centralized and decentralized systems (e.g. permissionless blockchains, such as Bitcoin and Etherum)
• Single sign-on systems, Shibboleth, Kerberos
• OAuth, OpenID Connect, SAML; FIDO, U2F
• Secure management of user data, passwords, fingerprints, payment information in multi-user and distributed systems (including mobile operating systems).
• Practical implementation in small groups or individually (e.g. setting up a U2F system, integrating a product into LDAP/AD, ... )

Lecture, practical exercises in small groups, distance learning

Final exam: Final inspection, presentations, standard

* Network Security

• Firewalls, IDS, IPS, eMail, DNS
• 802.1x
• Dealing with Wireshark, possibly scripting Wireshark (e.g. creating a dissector)
• Large Scale Firewalls (exercise with thousands of IP ranges) and other difficulties of scaling security measures to large systems.
• SIEM (exercise with Splunk, etc.)
• VPN basics
• VLAN, segmentation of networks
• Monitoring & testing, IMS
• Security perimeter
• Attack classification according to Cyber Killchain and MITRE AT&ACK, APTs

* Wireless networks

Comparison and deepening of security mechanisms and problems of managed and unmanaged computer networks.

• WiFi, WEP, WPA, Enterprise WPA
• LTE/5G
• Bluetooth

Differentiation: IoT networks such as LoraWan, Zigbee, Matter are taught in the IoT modules if required.

Lecture, guest lectures, practical exercises

Final exam: Final examination, exercises, standard

Symmetric cryptography (minimal, only the correct types)

• AES (no DES, etc.); Block vs Streamcipher
• Pseudorandom permutations (PRP)
  • Authenticated Encryption (AEAD concepts)
• AES-GCM, possibly ChaCha20-Poly1305
• Why Encrypt-than-MAC was historically important
• Operating modes: conceptual only; ECB as a negative example
  • (Why AEAD is standard today - not how to implement each mode)

Hash functions & passwords

In addition to cryptographic hash functions (SHA-256/512) and their properties (preimage, collision, avalanche), the curriculum here extends well beyond the TLS focus in the direction of password storage:

• why SHA-* is unsuitable
• bcrypt/scrypt/argon2
• salt, pepper, work factors

Asymmetric cryptography

• Diffie-Hellman (classic as a concept, ECDHE in practice)
• RSA (only for signatures & legacy; typical errors e.g. padding)
• Elliptic curves (not necessarily computation, but model, security assumptions, design philosophy, security, performance; specifically compare 2 curves e.g. SECp256r1, Curve25519)

Protocol & system level

• Certificates, PKI (X.509 structure, trust anchors, CA model: strengths & weaknesses)
• Certificate Pinning (short), Certificate Transparency
• Comparison between TLS 1.2 and TLS 1.3; history and design flaws

Assembling a complete TLS handshake

• Message by message
• Who knows what and when?
• Which element is responsible for which security properties?
• How and where are keys created
• then practically in Wireshark and own program code

Outlook

• Post-quantum cryptography
• Possible basic idea (Shor, Grover)
• Hybrid key exchange (TLS1.3 PQ)

Lecture, practical exercises

Final exam

This course deals with the management and process aspects of secure software development and shows how security activities can be organizationally and strategically integrated into software projects. Students learn about established reference models and maturity level approaches for secure software development and examine how security-relevant activities can be systematically anchored throughout the entire development process.

Another focus is on risk and compliance management in software projects. Students deal with the identification, evaluation and prioritization of security risks as well as the consideration of relevant norms, standards and legal requirements. They learn how to design development processes and project documentation in such a way that security and compliance requirements are met in a comprehensible manner.

The course also covers organizational aspects of secure software engineering. Students deal with role models, team organization and communication structures and learn about measures to promote a sustainable security culture. Finally, current requirements and developments in the professional environment are reflected upon in order to be able to classify the acquired skills in a professional context.

Lecture, discussion and group discussions, analysis of case studies (e.g. known software security projects and security incidents from a management perspective), practical exercises (creation of security concepts, project plans, risk analyses in groups)

Final exam

This course teaches the basics of secure software engineering and deals with the systematic integration of security aspects throughout the entire software development process. Students acquire knowledge of the Secure Software Development Lifecycle (SSDLC) and learn how security requirements are identified, specified and taken into account during requirements engineering using suitable methods such as misuse cases.

Building on this, concepts of secure software architectures and security-oriented design approaches are taught. Students deal with secure design principles, security design patterns and methods of threat modeling and architecture risk analysis (e.g. STRIDE) in order to identify and evaluate potential attack surfaces at an early stage.

Another focus is on secure implementation in practical programming languages and development environments. Using typical vulnerabilities, in particular the OWASP Top 10, the causes of security gaps and suitable countermeasures are discussed. Secure programming practices, the use of suitable frameworks and libraries as well as security mechanisms of modern application protocols for distributed applications are discussed.

In addition, security-oriented quality assurance measures are taught. These include secure code reviews and the use of tools for static and dynamic security analysis, software composition analysis and advanced methods such as fuzzing and basic methods of penetration testing. Through practical exercises, students apply the content taught and deepen their understanding. The course enables students to systematically design and implement software securely and to recognize and resolve security problems at an early stage

Lecture, practical programming exercises (hands-on labs), discussion of case studies (e.g. analysis of real security incidents caused by insecure software) and supervised group work (e.g. joint threat modeling or code review session)

Final exam

1. Introduction to practice-oriented security projects
2. Setting up and using secure test environments
3. Attack & defense techniques (hands-on)
4. Capture-the-flag (CTF) scenarios
5. Project work:

Working on a structured mini-security project in teams
Analysis of a given infrastructure
Identification, exploitation and protection of selected vulnerabilities
Preparation of a technical project report

Lecture, discussion and group discussions, analysis of case studies (e.g. known software security projects and security incidents from a management perspective), practical exercises (creation of security concepts, project plans, risk analyses in groups)

Final exam: Project submission

This course deals with the integration of software development, IT operations and security in terms of the DevSecOps paradigm. Students gain an understanding of the basic concepts of DevOps and DevSecOps as well as principles such as automation, continuous integration and delivery, infrastructure as code and the systematic embedding of security measures along the entire software delivery process. Both shift-left approaches for early integration of security and shift-right approaches for monitoring and reacting during operation are covered.

A central focus is on the development and operation of security-oriented CI/CD pipelines. Students learn how automated security checks can be integrated into all phases of the pipeline in order to continuously identify vulnerabilities and systematically secure releases. In addition, security aspects of modern operating environments are discussed, especially in the context of containerization, cloud deployment, configuration and secret management as well as monitoring and incident response.

In addition, the course deals with current threats and protective measures in the DevSecOps environment, for example in the area of software supply chain security and modern cloud-native architectures. Practice-oriented exercises deepen the content and enable students to implement DevSecOps concepts, tools and processes in an exemplary manner. The course thus promotes a holistic understanding of the organizational, technical and cultural implementation of security in modern software delivery processes.

Lecture, lab-like exercises (hands-on in virtual CI/CD environments), team project work (configuration of a sample DevSecOps pipeline in small groups), live demonstrations of attack and defense techniques in a pipeline context as well as exchange of experiences/workshops.

Final exam

1. Advanced attack scenarios
2. Advanced red/blue team exercises
3. Incident Response & Forensics (Introduction)
4. Security architecture & resilience
5. Project work (capstone character)

Implementation of a comprehensive team project:

• Planning
• Attack simulation
• Defense & analysis
• Final report with catalog of risks and measures
• Presentation to an expert audience (technical management perspective).

Lecture, lab-like exercises (hands-on in virtual CI/CD environments), team project work (configuration of a sample DevSecOps pipeline in small groups), live demonstrations of attack and defense techniques in a pipeline context as well as exchange of experiences/workshops.

Final exam: Project submission

The course provides a comprehensive understanding of security in the Internet of Things and introduces basic concepts, principles and technologies of IoT and OT systems, including hardware, software and communication aspects as well as their energy consumption. Particular attention is paid to the specific threat situations in the embedded area, which result from long life cycles, physical access to devices or limited computing resources, for example. Students deal with typical attacks on IoT and OT systems, including firmware extraction, side-channel attacks and manipulation of the boot process, ICS/SCADA threats, lateral movement between IT/OT, safety-security trade-offs and at the same time learn about suitable countermeasures at hardware, firmware and software level. The aim is to understand the particular security challenges of networked devices and to develop robust protection mechanisms for practical use.

Lecture, practical exercises

Final exam: Group work, final exam

Basic concepts and architecture of modern operating systems (Windows, Linux, macOS, Android, iOS)

• Goals such as isolation, least privilege, mediation, trust boundaries
• Securing processes vs threads,
• User roles and authorization concepts
• Access control and security features of file systems
• Storage protection, containers and virtualization

Operating system-specific features

• Mandatory access control systems (e.g. SELinux, AppArmor)
• Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) / NX-Bit
• Linux ACLs and extended file system mechanisms
• Windows NTFS-specific security features (e.g. Alternate Data Streams), UAC and Integrity Levels
• Namespaces and control groups
• Code signing and secure boot
• Sandbox concepts on desktop and mobile platforms

Hardware-supported security

• Threat models and their limits
• Trusted Platform Module (TPM), Secure Enclave and coprocessors.
• Modern CPU-based measures such as Memory Protection Keys (MPK on Intel), Pointer Authentication (PAC on ARM)

Virtualization and cloud

• Containers, VM
• Isolation, key management and trust anchors, e.g. with key vaults, HSM

Security for shared resources

• Side channels and covert channels
• RAM attacks, cache-based side channel attacks
• Countermeasures at operating system and platform level (effectiveness, side effects)

The exercise deals with selected chapters in the form of hardening or implementation tasks.

Lecture, practical exercises

Final exam: Exercises, final exam

The course deals with the fundamental relationships between artificial intelligence and security and provides an understanding of how modern AI systems can contribute to both strengthening and jeopardizing digital protection mechanisms. The most important threats to machine learning, including adversarial attacks, data poisoning, model inversion and other forms of manipulation, as well as the resulting requirements for robust, transparent and trustworthy AI models are discussed. In addition, established principles of cybersecurity are applied to AI systems, in particular risk analysis, system reliability, integrity and secure design of AI lifecycles. Students will explore methods to increase the resilience of AI, secure data collection and processing, monitoring and auditing of models, and governance and compliance aspects. Using current research and real-world case studies, they will learn to identify security vulnerabilities, anticipate threats and develop concepts for security-aware AI systems that meet the requirements of modern industrial and academic standards.

Lecture, practical exercises

Final exam

In the Complex Problem Solving course, methods of the Theory of Constraints are applied to solve complex problems with a focus on software engineering and security. Starting from a structured and prioritized goal definition, the existing situation is analyzed and problems on the way to the desired situation are systematically analyzed and solved. Finally, the change management methods for implementing the desired situation are explained.
The following content is covered in particular:

• Introduction to the Theory of Constraints
• Categories of the Legitimate Reservation
• Intermediate Objectives Map
• Current Reality Tree
• Evaporating Cloud

Case studies, lecture, practical exercises in groups.

Final exam

• IT Security Management and Risk Assessment
• IT-Security Controls, Plans, and Procedures
• Physical and Human Resources Security
• Access Control Management
• Security Compliance / Audit

Security Management & IT Governance, ISO 27001:2013, Internal Control System for IT, ISMS Set-up, Risk Management & Business Continuity Management, Policy and Guideline Design, System Development Life Cycle, Access Control, Physical and environmental security, COBIT, Basic Protection Manual

Lecture, individual work on a case study, group work incl. presentation of the results

Final exam

Students work individually or in small groups on projects related to IT security technologies and applications in the context of university R&D activities or as part of their individual professional activities. These projects subsequently form the practice-relevant basis for the Master's theses.

Project support

Continuous assessment: Project progress, proof of function, project presentation

Independent work on a technically relevant topic based on the technical topics of the compulsory elective modules in the third semester at a scientific level under the guidance of a supervisor

Completion of the Master's thesis

Independent work supported by coaching

Final exam: Approval of the master thesis

The process of innovation is a combination of creativity on the one hand and precise analysis and evaluation on the other. Methods and tools for the development of new ideas, their positioning and, above all, the recognition of critical success factors are essential. The team aspect is of great importance here. The lecture also refers to psychological criteria.
Entrepreneurial thinking is a constant sequence of evaluation, decision-making and corrections. The course primarily deals with techniques that support decision-making, enable evaluation and support key performance indicator-based management.
The course also refers to start-ups, in particular the phases of founding a new company, financing options, critical aspects of growth and managing business success.

This course includes in particular

• Methods for the development and evaluation of innovation
• Blue Ocean Method
• The vision-mission-value pyramid
• Rainmaking method
• Basics of the Hammings Principle
• Application forms of agile project management incl. Scrum
• Leading and lagging indicators for the application of decision-making techniques
• Team aspects in the innovation cycle
• Evaluation options for innovations, e.g. Gartner Hypecycle, Magic quadrant
• Dynamics of growth, cash flow and scalability
• Starting a start-up, business mechanics
• Financing options, angels vs. ventures and exit strategies

Case studies, lecture

Final exam: Elaboration of case studies, final examination

The course teaches the basic structures of the Austrian and European legal system as well as their constitutional embedding, particularly with regard to fundamental rights.

One focus is on data protection law with special consideration of the General Data Protection Regulation and national data protection law. Cybersecurity regulation, in particular the NIS-2 Directive, also plays a central role.

In addition, current developments in EU law such as the AI Act, the Data Governance Act and the Digital Services Act are covered. The basics of intellectual property law, general contract law and IT criminal law are also covered.

Lecture, practical application, discussion

Final exam: Elaboration of case studies, final examination

• Presentation and discussion of the final thesis
• Specialist discussion

Independent development

Final exam: Commissioned examination (Master's examination)

• Consolidation of the basic principles of scientific work
• Reading, understanding and interpreting relevant scientific texts
• literature research
• Formal methods of scientific work
• Students present the current development of their Master's thesis at regular intervals and put it up for discussion in the plenum

Lecture, Case Studies

Continuous assessment: Presentations, homework