Chat with us, powered by LiveChat

COURSES

Secure Coding using C and C++

Secure Coding using C and C++ Bootcamp Training


Course Description

SecureNinja’s (5) five-day Secure Coding using C and C++ course is for security professionals with intermediate programming experience.

If you’ve ever struggled in a programming class because you wanted the instructor to put programming concepts in plain and simple English and if you’ve ever wanted a programming course to be about stuff you could actually use at work – this class is for you.

This is a functional programming course focused on programming concepts that can be used to accomplish common security tasks such as log parsing, password cracking, port scanning, vulnerability testing, web application security testing, malware analysis, and exploit development.

Each day the students will learn programming concepts, and then use some code to perform security tasks. The students will keep the skeleton scripts so that when they get back to work, they’ll have something that they can use a crib sheet to do other security tasks.

Who Would Benefit

  • IT System Managers
  • System Engineers and other IT professionals

Pre-Requisites

There are no prerequisites for this course

Course Length

5 Days

Follow-on Courses

  • Advanced Cyber War

Course Details

Day 1:

  1. Buffer Overflows and Code Injections
  • Stack Overflows attacks
  • Heap overflows attacks
  • Array indexing attacks
  • Format strings attacks
  • Unsafe API’s
  • Safer API’s
  • Stack guards
  • Compiler checks
  • Better ways to manipulate strings and buffers.

 

  1. Integer Overflows
  • Int / Double overflows
  • Integer conversion rules
  • Signed and unsigned problems
  • Safe integer usage
  • Enforcing limits on integer values
  • Preventing lost or misinterpreted data due to conversion
  • Using secure integer libraries

 

  1. Safe API
  • Dangerous and banned APIs
  • Real-World Risks
  • Using safe API’s
  • The ‘n’ Functions
  • Detecting Dangerous APIs
  • Alternatives
  • StrSafe

 

Day 2:

  1. Secure Memory Usage
  • Secure memory handling
  • Erasing Data
  • Secure pointer usage
  • Memory Dumps
  • Use smart pointers for resource management
  • Ensure pointer arithmetic
  • Avoid null pointer dereferencing
  • Ensure sensitive data is not paged to disk

Hands-On Lab.

 

  1. Input Validation
  • What is Input?
  • Common Errors - Unbounded string copies, Null-termination errors, Truncation, Write outside array bounds, Off-by-one errors,

Improper data sanitization

  • Black List VS. White List Validation
  • ATTACK SCENARIO: Canonicalization
  • String Manipulation and Comparison
  • Data Type Conversion
  • Regular Expressions
  • Validation practices - Validating format strings, Validating buffer input, Validating filenames & URLs, Validating emails

 

  1. Secure File Handling
  • Directory Traversal attacks
  • File canonicalization attacks
  • Creating files with correct ACLs
  • Ensure files are closed when no longer needed
  • Insecure usage of shared directories

Day 3:

 

  1. Application Denial of Service vulnerabilities
  • Application / OS crash
  • CPU starvation Memory starvation
  • File system starvation
  • Resource starvation
  • Triggering high network bandwidth
  • User-level DOS
  • Exploiting a specific vulnerability to cause DoS

Hands-on lab

 

  1. Network Security
  • Introduction to Networking
  • Network attacks
  • Insecure Services
  • Application Layer Threats and attacks
  • Traffic Sniffing
  • Traffic Manipulation
  • Man-in-the-Middle
  • Avoiding Server Socket Hijacking
  • Firewall Friendly Application

 

  1. Encryption in C/C++
  • Introduction to cryptography
  • ATTACK SCENARIO: Weak Encryption
  • Symmetric encryption
  • Asymmetric encryption
  • Transport Level Encryption
  • Storage Level Encryption
  • Cryptographic API's – CryptoApi, DPAPI, Crypro++

Day 4:

 

  1. Authentication & Authorization
  • Authentication scenarios
  • Common mistakes
  • Attack scenario: brute force
  • Authentication protocols
  • Attack scenario: weak passwords
  • Authorization models
  • Access Control List (ACL)
  • Role-Based Access Control (RBAC)
  • Attack scenario: exposed functionality via anonymous authentication

Hands-on lab

 

  1. Thread safety
  • Concurrency & Race conditions
  • Mutual Exclusion
  • Deadlock
  • Time of Check/Time of Use (TOCTOU)
  • Files as Locks
  • Symbolic link attacks
  • Temporary files
  • Handling the race window
  • Controlling race objects
  • Using atomic operations

 

Day 5:

 

  1. Logging & Error handling
  • How to use exceptions properly
  • Process uncaught and unexpected exceptions
  • Prevent sensitive information disclosure via errors
  • Declare new exception classes for security
  • Events you should log
  • Events you should not log
  • Log Integration with exception management
  • Secure Coding Tips
  • Prefer Streams to C-Style Input and Output
  • Do not replace secure functions with less secure functions
  • Avoid defining macros
  • Do not ignore values returned by functions or methods
  • Secure defaults and initializations
  • The least privilege principle
  • The defense-in-depth principle
  • The segmentation principle
  • Avoiding hard-coded secrets
  • Use Static Code Tools
  • Integrating security into the development lifecycle

 

  1. Anti-reversing
  • Eliminate “symbolic info”
  • Obfuscate the program
  • Code Encryption
  • Use anti-debugger tricks
  • Code Checksums
  • Confusing a Disassembler
  • Inlining and Outlining sensitive code
  • Interleaving Code
  • Existing tools

Hands-On Labs

 

These training courses are only delivered as an onsite format for groups of 5 or more. Our world-class instructors will bring our on-demand turn-key solution directly to you. Contact us now for more details and pricing