C and C++ Secure Coding 4-day course. Syllabus

Similar documents
Embedded/Connected Device Secure Coding. 4-Day Course Syllabus

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Implementing Cisco Network Security (IINS) 3.0

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Secure Coding in C and C++

COMPUTER NETWORK SECURITY

Hunting Security Bugs

CSWAE Certified Secure Web Application Engineer

Buffer Overflow Defenses

The Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez

Certified Secure Web Application Engineer

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Buffer overflow background

Verification & Validation of Open Source

19.1. Security must consider external environment of the system, and protect it from:

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

A (sample) computerized system for publishing the daily currency exchange rates

Computer Security Course. Midterm Review

RiskSense Attack Surface Validation for Web Applications

Bank Infrastructure - Video - 1

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Software Security and Exploitation

18-642: Security Mitigation & Validation

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Ethical Hacking and Prevention

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Engineering Your Software For Attack

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Black Hat Webcast Series. C/C++ AppSec in 2014

Securing Applications in C/C++

20486-Developing ASP.NET MVC 4 Web Applications

Endpoint Security - what-if analysis 1

CS 356 Operating System Security. Fall 2013

Curso: Ethical Hacking and Countermeasures

Instructions 1 Elevation of Privilege Instructions

Training Program Catalog SECURITY INNOVATION

COURSE 20486B: DEVELOPING ASP.NET MVC 4 WEB APPLICATIONS

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

The Android security jungle: pitfalls, threats and survival tips. Scott

Textbook Charles Petzold, Programming Windows, 5th edition, Microsoft Press. References - other textbooks or materials none

Understanding Cisco Cybersecurity Fundamentals

Developing ASP.NET MVC 4 Web Applications

Developing ASP.NET MVC 4 Web Applications

Certified Ethical Hacker (CEH)

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

20486C: Developing ASP.NET MVC 5 Web Applications

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Secure Programming Techniques

Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

C1: Define Security Requirements

Information Security: Principles and Practice Second Edition. Mark Stamp

20486: Developing ASP.NET MVC 4 Web Applications (5 Days)

Developing ASP.NET MVC 5 Web Applications

Microsoft Developing ASP.NET MVC 4 Web Applications

MBFuzzer - MITM Fuzzing for Mobile Applications

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

Ethical Hacker Foundation and Security Analysts Course Semester 2

EasyCrypt passes an independent security audit

COURSE OUTCOMES OF M.Sc(IT)

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

Having learned basics of computer security and data security, in this section, you will learn how to develop secure systems.

20486: Developing ASP.NET MVC 4 Web Applications

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

90% of data breaches are caused by software vulnerabilities.

(CNS-301) Citrix NetScaler 11 Advance Implementation

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Copyright

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Application. Security. on line training. Academy. by Appsec Labs

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

CS 356 Software Security. Fall 2013

Web Security. Outline

Configuring BIG-IP ASM v12.1 Application Security Manager

Software Security II: Memory Errors - Attacks & Defenses

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

The Security Problem


Secure coding practices

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Transcription:

C and C++ Secure Coding 4-day course Syllabus

C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course shows you how to identify security flaws & implement security countermeasures in different areas of the software development lifecycle and apply these skills to improve the overall quality of the products and applications. Using sound programming techniques and best practices shown in this course, you can produce high-quality code that stands up to attack. The course covers major security principles in C/C++ and software vulnerabilities caused be unsecure coding. The objectives of the course are to acquaint students with security concepts and terminology, and to provide them with a solid foundation for developing software using the best practices in C/C++. By course completion, students should be proficient in secure programming and have learnt the basics of security analysis and design. Students should then be able to develop, design and maintain applications using security methods and techniques for the C/C++ language. Target audience Members of the software development team: C / C++ Developers Designers & Architects Prerequisites Before attending this course, students should be familiar with: C/C++ language Background in memory management Background in OS mechanisms 1 P a g e

Course topics Day 1 Buffer Overflows and Code Injections Stack Overflows attacks Heap overflows attacks Array indexing attacks Format strings attacks Unsafe API s Safer API s Stack guards Compiler checks Better ways to manipulate strings and buffers. Integer Overflows Int / Double overflows Integer conversion rules Signed and unsigned problems Safe integer usage Enforcing limits on integer values Preventing lost or misinterpreted data due to conversion Using secure integer libraries Safe API Dangerous and banned APIs Real-World Risks Using safe API s The n Functions Detecting Dangerous APIs Alternatives StrSafe 2 P a g e

Secure Memory Usage Secure memory handling Erasing Data Secure pointer usage Memory Dumps Use smart pointers for resource management Ensure pointer arithmetic Avoid null pointer dereferencing Ensure sensitive data is not paged to disk Hands on lab #1 Day 2 Input Validation What is considered Input? Common Errors - Unbounded string copies, Null-termination errors, Truncation, Write outside array bounds, Off-by-one errors, Improper data sanitization Black List VS. White List Validation ATTACK SCENARIO: Canonicalization String Manipulation and Comparison Data Type Conversion Regular Expressions Validation practices - Validating format strings, Validating buffer input, Validating filenames & URLs, Validating emails Secure File Handling Directory Traversal attacks File canonicalization attacks Creating files with correct ACLs Ensure files are closed when no longer needed Insecure usage of shared directories 3 P a g e

Application Denial of Service vulnerabilities Application / OS crash CPU starvation Memory starvation File system starvation Resource starvation Triggering high network bandwidth User level DOS Exploiting a specific vulnerability to cause DoS Hands on lab #2 Day 3 Network Security Introduction to Networking Network attacks Insecure Services Application Layer Threats and attacks Traffic Sniffing Traffic Manipulation Man-in-the-Middle Avoiding Server Socket Hijacking Firewall Friendly Application Encryption in C/C++ Introduction to cryptography ATTACK SCENARIO: Weak Encryption Symmetric encryption Asymmetric encryption Transport Level Encryption Storage Level Encryption Cryptographic API's CryptoApi, DPAPI, Crypro++ 4 P a g e

Authentication & Authorization Authentication scenarios Common mistakes Attack scenario: brute force Authentication protocols Attack scenario: weak passwords Authorization models Access Control List (ACL) Role Based Access Control (RBAC) Attack scenario: exposed functionality via anonymous authentication Hands on lab #3 Day 4 Thread safety Concurrency & Race conditions Mutual Exclusion Deadlock Time of Check/Time of Use (TOCTOU) Files as Locks Symbolic link attacks Temporary files Handling the race window controlling race objects using atomic operations Logging & Error handling How to use exceptions properly Process uncaught and unexpected exceptions Prevent sensitive information disclosure via errors Declare new exception classes for security Events you should log Events you should not log Log integration with exception management 5 P a g e

Secure Coding Tips Prefer Streams to C-Style Input and Output Do not replace secure functions with less secure functions Avoid defining macros Do not ignore values returned by functions or methods Secure defaults and initializations The least privilege principle The defense in depth principle The segmentation principle Avoiding hard coded secrets Use Static Code Tools Integrating security into the development lifecycle Anti-reversing Eliminate symbolic info Obfuscate the program Code Encryption Use anti-debugger tricks Code Checksums Confusing a Disassembler Inlining and Outlining sensitive code Interleaving Code Existing tools Hands on lab #4 6 P a g e

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback