Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

C++ Secure Coding

Course Summary

The C++ Secure Coding training course is designed to introduce programmers to the vulnerabilities that creep into these applications and how to defend against them.

The course will start by exploring how security relates to applications and then jumps right into imagining what can go wrong at any point during the program execution. These issues are addressed by exploring common coding vulnerabilities that occur during software development, that the programmer may or may not be aware of. Next, the course explores the results of vulnerabilities, and protecting against them is reinforced by the hands-on labs. Specific issues surrounding cryptography, client authentication, and overflow conditions will be addressed. The course concludes with a lesson on how the application of object-oriented design principles, the CERT, and security design principles are addressed, as well as how the computer architecture and operating system architecture help and sometimes fail to protect applications.

Purpose
 Learn how to develop secure code, adapt existing code to be more secure, and address CERT coding standards in C++ where required.
Audience
 Experienced C++ programmers looking to learn how to write secure code.
Role
Software Developer
Skill Level
Intermediate
Style
Targeted Topic - Workshops
Duration
2 Days
Related Technologies
C++ | Cybersecurity

 

Productivity Objectives
  • Describe the design and coding of secure applications using C++
  • Address the common coding vulnerabilities in the C++ environment
  • Imagine what can go wrong and know how to mitigate the issues

What You'll Learn:

In the C++ Secure Coding training course, you'll learn:
  • Security
    • Types of attacks: denial of service and data mining
    • Vectors of attack: network, libraries, malware
    • Defense in depth
    • Classification of security flaws
  • What Could Possibly Go Wrong?
    • Always ask: what happens if this fails?
    • What happens if the application crashes?
    • What happens if an exception is thrown?
    • Network problems?
    • Operating system crashes?
    • Protections failure (firewall, physical security, etc)
    • What about programs launched from the application?
    • Where does the application fail to?
    • Fail securely
  • Coding Vulnerabilities
    • Input validation: XML injection, SQL injection, path traversal, log forging
    • Race Conditions: time-of-check to time-of-use. memory corruption
    • Time and state
    • Variable parameters
    • Error and exception handling
    • Automatic and controlled data conversions
    • Memory locking, threads, and semaphores
    • File Handling
  • Cryptography
    • Symmetric-key
    • Asymmetric-key
    • Hashing
    • The dependency of randomization
    • Password and key management
    • Passwords and keys in memory
  • Client Authentication
    • Web - basic
    • Web - digest
    • Biometrics
    • Cryptographic
    • Two-factor authentication
  • Data Overflow
    • Buffer overflow
    • Array indexing
    • Stack overflow & Stack smashing
    • Overflow and index on the heap and the stack
  • Security Design Principles
    • Fail-safes
    • Mediation: did the data change since last checked?
    • Separation of privileges
    • Least privilege
    • Psychological Acceptability
  • CERT and Design Principles
    • CERT C++ coding standards
    • Addressing CERT requirements
    • Object-oriented design principles and design patterns
    • Testing, unit testing, and test-driven-development
  • Intel Architecture
    • Processors, registers, memory
    • Function calling conventions
    • Stack frame & non-executable (NX) memory areas
    • Recursion
    • Address space layout randomization
  • Third-Party Code
    • Any code that is not your own, including other internal groups
    • Package management
    • Vetting third-party code: source, reverse compilers
    • Monitoring network connections
real world content

Real-World Content

Project-focused demos and labs using your tool stack and environment, not some canned "training room" lab.
expert practitioners

Expert Practitioners

Industry experts that bring their battle scars into the classroom.
experiential learning

Experiential Learning

More coding than lecture, coupled with architectural and design discussions.
tailored outlines

Tailored Outlines

One-size-fits-all doesn't apply to training teams. That's where we come in!
“I appreciated the instructor's technique of writing live code examples rather than using fixed slide decks to present the material.”

VMware

Dive in and learn more

When transforming your workforce, it's important to have expert advice and tailored solutions. We can help. Tell us your unique needs and we'll explore ways to address them.

Let's chat

By filling out this form and clicking submit, you acknowledge our privacy policy.