Secure Coding in C and C++
Instructor:
Robert C. Seacord
Dates:
12-15 June 2017
Capacity:
20 Seats
Price:
4200$ CAD before May 1,
5000$ CAD after.
Secure Coding Training in C and C++ is a four-day course that provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. This course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.
This course teaches developers to identify common security flaws including:
- Buffer overflows
- Integer overflow
- Dangerous compiler optimizations
- Race conditions
- Memory management errors
- Logical errors
- Invalid assumptions
For each of these security flaws, we demonstrate specific remediation techniques as well as general secure coding practices that help prevent the introduction of vulnerabilities.
This course will be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.
Learning Objectives
Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
- Improve the overall security of any C or C++ application
- Thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
- Dangerous compiler optimizations and how to avoid and detect them
- Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
- Eliminate integer-related problems: integer overflows, sign errors, and truncation errors
- Correctly use formatted output functions without introducing format-string vulnerabilities
- Avoid I/O vulnerabilities, including race conditions
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.
Prerequisites
The course assumes basic C and C++ programming skills, but does not assume an in-depth knowledge of software security. The ideas presented apply to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture. Material in this presentation was derived from the Addison-Wesley books Secure Coding in C and C++ and The CERT C Secure Coding Standard.
Required Equipment
Students must bring a personal computer equipped with the following:
- 4GB or greater of free hard disk space
- USB port
- Adobe Reader
- Oracle VM VirtualBox
- A Zip decompression utility, such as WinZip or 7-zip
Students are also encouraged to bring their own C and C++ programming language development environments (compiler, editor, etc.), such as Microsoft Visual Studio, Xcode, GCC, or Clang.
Trainer
Robert C. Seacord is a Principal Security Consultant with NCC Group where he works with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, Robert led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). Robert is also an adjunct professor in the School of Computer Science and the Information Networking Institute at Carnegie Mellon University. Robert is the author of six books, including The CERT C Coding Standard, Second Edition (Addison-Wesley, 2014) Secure Coding in C and C++, Second Edition (Addison-Wesley, 2013), and Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs (Addison-Wesley, 2014). Robert is on the Advisory Board for the Linux Foundation and an expert on the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.
TO REGISTER
Click here to register.