Creating Secure Code

View our "Creating Secure Code" Webcast

COURSE OVERVIEW

Everyone, whether they write protocols or internal processes is responsible for using secure coding techniques to minimize the adverse effects of attacks, whether those attacks are intentional or accidental. If a process deep in the bowels of a product crashes because it receives bad data or because a resource that should have been there was not, it is still a crash and reduces the availability of the product.

Secure coding is the process of reducing the susceptibility of code to vulnerabilities either unintentional or intentional. It includes items that are classed as defensive in nature (e.g. checking error return codes before using handles and other data structures that should have been created, or protecting against using a pointer after it has been released). It also includes items that may be more normally associated with cryptographic procedures (e,g. random number generation, encryption algorithms, etc.). Each section will have an in depth hands on lab

COURSE OUTLINE

I. Introduction to Software Security

II. Common Coding and Design Errors

Students will learn about the range of software development errors that create application security, reliability, availability and confidentiality failures. Specifically in this section we will deal with those vulnerabilities that are common across language implementations (C, C++ and Java). For each vulnerability type, the course will cover real-world examples – illustrated in code - of failures along with methods to find, fix and prevent each type of flaw.

	a. System-Level Accepting Arbitrary Files as Parameters; Default or Weak Passwords; Permitting Relative and Default Paths Offering Administrative, Software and Service Back Doors; Dynamic Linking and Loading; Shells, Scripts and Macros
	b. Data Issues Parsing Problems Integer Overflows
	c. Information Disclosure Storing Passwords in Plain Text The Swap File and Incomplete Deletes Creating Temporary Files Leaving Things in Memory Weakly-Seeded Keys Random Number Generation
	d. On the Wire Trusting the Identity of a Remote Host (Spoofing) Volunteering Too Much Information Proprietary Protocols Loops, Self References and Race Conditions
	e. Tools

III. Web Vulnerabilities
	The web is different. We will address common web vulnerabilities, how to find them, how to prevent them.
	Web sites Cross Site Scripting Forceful Browsing Parameter Tampering Cookie Poisoning Trusting SSL Hidden Field Manipulation SQL Injection Security on the Client Trusting the Domain Security Model
IV. Defensive Coding Principles This section is designed to educate developers and testers on the general principles of secure coding:

	Historical perspective on software failure When good design goes bad 18 defensive coding principles to live by
V. Security Testing and Quality Assurance

	The difference between functional and security testing Understanding an application's entry points Spotting three classes of security bugs: dangerous inputs, rigged environment and logic vulnerabilities

For more information, please contact Sales at +1.978.694.1008 x24 or email