From £3,905 + VAT
- SFIA
Skills Framework for the Information Age (SFIA) identifies and describes over 100 skills and 7 levels of job roles. To find out more, read What is SFIA?
Book online today or, if you need help choosing the right course or would like to discuss business discounts, call us on 0113 220 7150.
Sorry, there are currently no dates available to book. Submit an enquiry to hear from one of our team about when dates might become available.
Overview
This three-day course provides a deep dive into secure coding practices for C and C++ applications, following the SEI CERT Secure Coding Standards. Participants will start by understanding fundamental IT security principles and the architecture of ARM processors, including memory layout and stack operations.
The course progresses to analysing how vulnerabilities such as buffer overflows and denial-of-service attacks are exploited and mitigated. It also covers common coding mistakes, XML security, and advanced protection techniques like Address Space Layout Randomization (ASLR) and stack smashing protection. With hands-on exercises using exploitable applications and debugging tools, attendees will learn to identify and prevent security flaws effectively.
Prerequisites
- Basic programming experience with C and/or C++.
- Familiarity with core programming concepts such as memory allocation and function calls.
Target Audience
- C and C++ developers working on application development.
- Software engineers seeking to integrate secure coding practices.
- IT professionals responsible for securing native code applications.
Learning Outcomes
By the end of this course, participants will be able to:
- Write secure code adhering to SEI CERT Coding Standards.
- Understand and mitigate buffer overflow attacks using development and runtime protection techniques.
- Identify and address vulnerabilities such as XML injection and denial of service.
- Apply compiler options and runtime protections like ASLR and stack smashing protection.
- Evaluate and resolve common coding errors, including memory management issues and improper exception handling.
- Leverage tools like debuggers for vulnerability identification and analysis.
Course Outline
Day 1: Introduction to IT security and secure coding
- Fundamentals of IT security and risk.
- Classification of security flaws, including Landwehr's taxonomy and The Seven Pernicious Kingdoms.
- Overview of SEI CERT Coding Standards.
- ARM architecture basics:
- Memory layout, stack operations, and function calls.
- Stack frames for recursive and nested functions.
- Buffer overflow introduction:
- Stack overflow attacks and return address overwriting.
- Hands-on exercise: Exploiting a stack overflow using gdb.
- Fortify compiler options (FORTIFY_SOURCE).
- ASLR and its limitations.
- Non-executable memory areas (NX bit).
- Compiler and runtime protection techniques:
Day 2: Advanced vulnerabilities and mitigations
- Return-Oriented Programming (ROP):
- ROP gadgets, return-to-libc attacks, and mitigation techniques.
- Heap overflow:
- Memory allocation vulnerabilities and case studies like Heartbleed.
- XML injection and XXE attacks.
- Preventing entity-related attacks with sanitisation and validation.
- Exercise: Identifying and fixing XML injection vulnerabilities.
- Input validation issues, including integer overflow and truncation.
- Best practices for memory allocation and avoiding dangling pointers.
- Exercise: Using smart pointers for safe memory handling.
- XML security:
- Common coding errors:
Day 3: Mitigating security risks in C and C++
- Denial of Service (DoS):
- Regular expression DoS (ReDoS) and hashtable collisions.
- Exercise: Identifying and resolving DoS vulnerabilities in C code.
- Improper error handling:
- Common issues with catch blocks and their security implications.
- Exercise: Best practices for error and exception handling.
- Implementing stack smashing protection and enabling ASLR.
- Exercise: Securing applications with compiler protections.
- Applying Matt Bishop’s and Saltzer and Schroeder’s principles.
- Resources and further readings on secure coding practices.
- Advanced buffer overflow protection:
- Principles of secure coding:
Exam and Assessments
- The are no formal exams for this course.
- Hands-on lab exercises to reinforce key concepts and techniques.
QA is an approved training provider for ELCAS, proud to support service leavers in their transition into the tech industry. Learn more about Elcas approved training here.
NCSC Assured Training
Continuous Professional Development (CPD)
CPD points can be claimed for NCSC assured training courses at the rate of 1 point per hour of training for NCSC assured training courses (up to a maximum of 15 points).
Why choose QA
- Award-winning training, top NPS scores
- Nearly 300,000 learners in 2020
- Our training experts are industry leaders
- Read more about QA
Related courses
Cyber Security learning paths
Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.