C/C++ Secure Coding
C/C++ Secure Coding
C++ is a powerful programming language which gives intimate access to a machine's inner workings. However, this level of access and performance comes at a price, as these features can be manipulated to exploit a program as a security flaw. This course will cover topics and techniques for development of secure C++ programs. Topics will range the gamut from high level security and risk concepts and design strategies to low level memory access exploitation and injection attacks. General secure development approaches applicable to any language will be discussed, but the course will also focus on C++-specific techniques and pitfalls to avoid.
The course will be offered in a hands-on style with the opportunity and expectation for application of each topic in a variety of lab exercises once it is introduced.
This course is only available on-site at your location.
- Introductory Topics and Principles
- Memory Access Errors,
- Integer Overflows
- Input Validation and Injection Attacks
- Secure File Handling
- Cryptography in C/C++
- Authentication & Authorization
- Socket Security
- Logging & Error Handling
- Miscellaneous Advice , - TLS certificate pinning, Reducing attack surface: Restricting what interfaces you bind to, Avoiding server socket hijacking, UDP vs. TCP security implications, Tips: Writing firewall-friendly applications
- Logging & Error Handling, Log integration with exception handling: benefits an dangers, Beware propagating exceptions, Prevent sensitive information disclosure via errors, Consider dedicated exception classes for security, Consider the security of your logs / error reporting
- Miscellaneous Advice, Avoid hard-coded secrets, Ensure data types permit only semantically valid values, Timing attacks, Beware of C macros, Avoid use of NULL entirely, but always check if used, Beware of paging sensitive data to disk
The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.